
LOLBAS-Project / Lolbas

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Programming Languages: XSLT

Projects that are alternatives of or similar to Lolbas

Lolbas
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Stars: ✭ 1,506 (-60.47%)
Mutual labels:  dfir, redteam, blueteam, purpleteam, lolbins, lolscripts, living-off-the-land
github-watchman
Monitoring GitHub for sensitive data shared publicly
Stars: ✭ 60 (-98.43%)
Mutual labels:  blueteam, redteam, purpleteam
MurMurHash
This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.
Stars: ✭ 79 (-97.93%)
Mutual labels:  blueteam, redteam, purpleteam
Malwless
Test Blue Team detections without running any attack.
Stars: ✭ 215 (-94.36%)
Mutual labels:  dfir, redteam, blueteam
ad-privileged-audit
Provides various Windows Server Active Directory (AD) security-focused reports.
Stars: ✭ 42 (-98.9%)
Mutual labels:  dfir, blueteam, purpleteam
NIST-to-Tech
An open-source listing of cybersecurity technology mapped to the NIST Cybersecurity Framework (CSF)
Stars: ✭ 61 (-98.4%)
Mutual labels:  blueteam, redteam, purpleteam
purple-team-exercise-framework
Purple Team Exercise Framework
Stars: ✭ 284 (-92.55%)
Mutual labels:  blueteam, redteam, purpleteam
Logontracer
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Stars: ✭ 1,914 (-49.76%)
Mutual labels:  dfir, blueteam
BlueTeam.Lab
Blue Team detection lab created with Terraform and Ansible in Azure.
Stars: ✭ 82 (-97.85%)
Mutual labels:  blueteam, redteam
OSINTBookmarks
OSINT Bookmarks for Firefox / Chrome / Edge / Safari
Stars: ✭ 34 (-99.11%)
Mutual labels:  blueteam, redteam
BlueCloud
Cyber Range including Velociraptor + HELK system with a Windows VM for security testing and R&D. Azure and AWS terraform support.
Stars: ✭ 88 (-97.69%)
Mutual labels:  dfir, purpleteam
dummyDLL
Utility for hunting UAC bypasses or COM/DLL hijacks that alerts on the exported function that was consumed.
Stars: ✭ 35 (-99.08%)
Mutual labels:  blueteam, redteam
Blue-Team-Notes
You didn't think I'd go and leave the blue team out, right?
Stars: ✭ 899 (-76.4%)
Mutual labels:  dfir, blueteam
1earn
A security knowledge framework maintained by the ffffffff0x team, covering (but not limited to) web security, ICS security, forensics, incident response, blue team infrastructure deployment, post-exploitation, Linux security, and write-ups for various vulnerable machines.
Stars: ✭ 3,715 (-2.49%)
Mutual labels:  blueteam, redteam
gtfo
Search for Unix binaries that can be exploited to bypass system security restrictions.
Stars: ✭ 88 (-97.69%)
Mutual labels:  blueteam, redteam
Threathunt
ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
Stars: ✭ 92 (-97.59%)
Mutual labels:  dfir, blueteam
Remote Desktop Caching
This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allow a Red Team member to extract juicy information such as LAPS passwords or any other sensitive information that was on the screen. A Blue Team member can reconstruct the PNG files to see what an attacker did on a compromised host. It is extremely useful for a forensics team to extract timestamps after an attack on a host in order to collect evidence and perform further analysis.
Stars: ✭ 171 (-95.51%)
Mutual labels:  redteam, blueteam
Cypheroth
Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
Stars: ✭ 179 (-95.3%)
Mutual labels:  redteam, blueteam
Opensource-Endpoint-Monitoring
This repository contains all the config files and scripts used for our Open Source Endpoint monitoring project.
Stars: ✭ 30 (-99.21%)
Mutual labels:  dfir, blueteam
goblin
A simulated phishing system designed for red team vs. blue team exercises.
Stars: ✭ 844 (-77.85%)
Mutual labels:  blueteam, redteam

Living Off The Land Binaries and Scripts (and now also Libraries)

All the different files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eyecandy and the team over at https://gtfobins.github.io/). This repo serves as a place where we maintain the YML files that are used by the fancy frontend.

Goal

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

Criteria

A LOLBin/Lib/Script must:

  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
  • Have extra "unexpected" functionality. It is not interesting to document intended use cases.
    • Exceptions are application whitelisting bypasses
  • Have functionality that would be useful to an APT or red team
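The first criterion, that the file carries a Microsoft signature, is something a contributor or a defender triaging a suspicious process can verify directly. The following PowerShell snippet is an added example and is not part of the LOLBAS project; it uses the built-in Get-AuthenticodeSignature cmdlet, and the file paths and the Test-MicrosoftSigned function name are illustrative choices made for this example.

```powershell
# Added example (not LOLBAS project code): check whether a candidate file
# satisfies the "Microsoft-signed" criterion before documenting it.
function Test-MicrosoftSigned {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # WinVerifyTrust-based check; covers embedded and catalog signatures
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = $subject
        # Qualifies only if the signature is valid AND the signer is Microsoft;
        # a valid signature from another publisher is not enough.
        Qualifies = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
    }
}

# Illustrative candidates: any files under the Windows directory will do.
@("$env:SystemRoot\System32\certutil.exe",
  "$env:SystemRoot\System32\notepad.exe") |
    ForEach-Object { Test-MicrosoftSigned -Path $_ } |
    Format-Table -AutoSize
```

Many OS binaries have no embedded signature and are signed through a security catalog instead; on current Windows versions the cmdlet resolves those and still reports Valid, so checking the signer subject rather than only the status is what separates a genuine Microsoft binary from a file that merely carries some valid signature.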

Interesting functionality can include:

  • Executing code
    • Arbitrary code execution
    • Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
  • Compiling code
  • File operations
    • Downloading
    • Upload
    • Copy
  • Persistence
    • Pass-through persistence utilizing existing LOLBin
    • Persistence (e.g. hide data in ADS, execute at logon)
  • UAC bypass
  • Credential theft
  • Dumping process memory
  • Surveillance (e.g. keylogger, network trace)
  • Log evasion/modification
  • DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

Contributing

If you have found a new LOLBin or LOLScript that you would like to contribute, please review the contributing guidelines located here: https://github.com/LOLBAS-Project/LOLBAS/blob/master/CONTRIBUTING.md

A template for the required format has been provided here: https://github.com/LOLBAS-Project/LOLBAS/blob/master/YML-Template.yml

The History of the LOLBin

The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at DerbyCon 3.

The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose. Philip Goh (@MathCasualty) proposed LOLBins. A highly scientific internet poll ensued, and after a general consensus (69%) was reached, the name was made official. Jimmy (@bohops) followed up with LOLScripts. No poll was taken.

Common hashtags for these files are:

  • #LOLBin
  • #LOLBins
  • #LOLScript
  • #LOLScripts
  • #LOLLib
  • #LOLLibs

The primary maintainer of this project (@oddvarmoe) gave a talk at DerbyCon 2018 called "#Lolbins Nothing to LOL about!" (https://www.youtube.com/watch?v=NiYTdmZ8GR4). This talk goes over the history of this project.

Maintainers

The following folks help maintain the LOLBAS Project on their personal time:

Thanks

As with many open-source projects, this one is the product of a community and we would like to thank ours:

  • The domain http://lolbins.com was registered by an unknown individual and redirected to the old version of this project.
  • The domain http://lolbas-project.com has been registered by Jimmy (@bohops).
  • The logos for the project were created by Adam Nadrowski (@_sup_mane). We #@&!!@#! love them.

Notice

  • Please refer to NOTICE.md for license information