LOLBAS - Living Off The Land Binaries And Scripts (LOLBins and LOLScripts)


The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

All the different files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eyecandy and the team over at https://gtfobins.github.io/). This repo serves as a home where we keep the YML files that are used by the fancy frontend.

Criteria
A LOLBin/Lib/Script must:
  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
  • Have extra "unexpected" functionality. It is not interesting to document intended use cases.
    • Exceptions are application whitelisting bypasses
  • Have functionality that would be useful to an APT or red team
Interesting functionality can include:
  • Executing code
    • Arbitrary code execution
    • Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
  • Compiling code
  • File operations
    • Downloading
    • Upload
    • Copy
  • Persistence
    • Pass-through persistence utilizing existing LOLBin
    • Persistence (e.g. hide data in ADS, execute at logon)
  • UAC bypass
  • Credential theft
  • Dumping procedure memory
  • Surveillance (e.g. keylogger, network trace)
  • Log evasion/modification
  • DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

The History of the LOLBin
The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at DerbyCon 3.
The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose. Philip Goh (@MathCasualty) proposed LOLBins. A highly scientific internet poll ensued, and after a general consensus (69%) was reached, the name was made official. Jimmy (@bohops) followed up with LOLScripts. No poll was taken.
Common hashtags for these files are:
  • #LOLBin
  • #LOLBins
  • #LOLScript
  • #LOLScripts
  • #LOLLib
  • #LOLLibs