LOLBAS: Living Off the Land Binaries, Scripts and Libraries (lolbas-project.github.io)
136 points by thunderbong 7 months ago | hide | past | favorite | 29 comments

Just to summarise what's going on here, because it took me a little bit of clicking to get the gist of it:

> The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

> The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at DerbyCon 3.

> The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose.

So it seems like a catalogue of (possible?) exploits in commonly-available executables, libraries and scripts that may already be present on a target machine.

> So it seems like a catalogue of (possible?) exploits in commonly-available executables, libraries and scripts that may already be present on a target machine

That is pretty correct, but it is not necessarily an exploit or vulnerability in the binary. More often than not, it is a quirk or a way to use the binary which is unknown/uncommon, but might not appear on a defenders' radar.

We generally try to (ab)use functionality in pre-existing software to avoid security mechanisms (like AppLocker) and detections (like AV/EDR, or rules created by a SOC when analysing execution logs in a SIEM). Often we discover that a target computer has been hardened in some form or fashion, and we have to get "creative" when trying to download, execute or exfiltrate data during security assessments.

Yep, and to make it even more clear as an author of one of these LOLBins (Squirrel.exe), I have to underscore this point again - this list doesn't apply to normal Windows installations; it is only meaningful in the context of Blue teams trying to create their own hardened security boundaries via AV/EDR/AppLocker, and Red teams trying to evade said tools.

(inb4 the comments, Squirrel itself attempts to strike a balance between usability and security, running only as the current user without admin limits its potential to be exploited, since any "I can hack Squirrel to run my code" trick is "Rather Involved Being On The Same Side Of The Airtight Hatch", as Raymond Chen would say)

Apologies, I didn't mean to imply there was some nefarious purpose behind this!

Well, no, it's 100% nefarious purpose, just sometimes used to find the holes instead of exploiting them.

It will absolutely be used more often to exploit than to secure.

It’s dual use, like Metasploit. It’s hard to predict whether black hats or white hats will use it more often or not. I think your conclusion is more intuitive, but let me play devil’s advocate.

LotL is too advanced for script kiddies to pull off. You’re already dealing with an adversary with some sophistication, who likely has the time, skill, and resources to create their own LOLbins (or buy them on darknet forums). Infosec is an asymmetric conflict: the adversary has a much easier job IMO. It’s always easier to break something than to build it.

Blue/purple teams have little incentive to build their own LOLbins. There is another asymmetry here: blue teams are developing these to target only their networks. Red teams are developing them to target every network. Open source is the way to resolve that asymmetry.

With these becoming public, blue teams can simulate a LotL attack, develop indicators of attack, and write rules to trigger alerts.

In general, adversaries prefer their tricks to remain trade secrets. Once they’re known, documented, and commodified, they become far less useful.
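The two sides of this exchange (the earlier comment on abusing pre-existing binaries to slip past AppLocker and SOC rules, and this comment's point that blue teams can turn a public LOLBin catalog into alert rules) can be illustrated with a small detection pass. The following is an added example written for this thread, not code from the LOLBAS project: it parses constructed Sysmon-style process-creation lines, checks the image name against a hypothetical watchlist seeded with the two binaries named in the thread (makecab and Squirrel.exe), and flags invocations whose arguments reference a URL or a UNC share, which is what the catalog's "download" tag amounts to. The `allowed_parents` argument is the tuning step a SOC adds to suppress baselined legitimate users of those binaries. All log lines, host names and paths are made up.

```python
import re
from dataclasses import dataclass

# Hypothetical watchlist seeded from this thread's examples (makecab, Squirrel.exe).
# A real deployment would load the names from the LOLBAS catalog instead.
LOLBIN_WATCHLIST = frozenset({"makecab.exe", "squirrel.exe"})

# A URL or a UNC share path in the arguments: the "download" behaviour the thread discusses.
REMOTE_SOURCE = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)

# key=value pairs, values optionally double-quoted (constructed Sysmon-like format)
KV_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Alert:
    line_no: int
    image: str
    parent: str
    command_line: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV_PAIR.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, so watchlist lookups ignore the directory."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines, allowed_parents=frozenset()):
    """Flag watchlisted binaries whose arguments point at a remote source.

    allowed_parents: basenames of parent processes a SOC has baselined as
    legitimate users of these binaries (the tuning step that suppresses noise).
    """
    alerts = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if image not in LOLBIN_WATCHLIST:
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent in allowed_parents:
            continue
        cmd = ev.get("CommandLine", "")
        if REMOTE_SOURCE.search(cmd):
            alerts.append(Alert(n, image, parent, cmd,
                                "watchlisted binary invoked with a URL or UNC path"))
    return alerts


# Constructed sample events; every path, host name and URL here is made up.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\makecab.exe CommandLine="makecab \\fileserv\tools\drop.txt C:\Users\alice\out.cab" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\makecab.exe CommandLine="makecab C:\Users\alice\notes.txt C:\Users\alice\notes.cab" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Users\alice\AppData\Local\SomeApp\Squirrel.exe CommandLine="Squirrel.exe http://example.invalid/pkg" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad http://example.invalid/readme" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\makecab.exe CommandLine="makecab \\fileserv\deploy\pkg.txt C:\ProgramData\pkg.cab" ParentImage=C:\ProgramData\deploy\deploytool.exe',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.image} (parent {a.parent}): {a.reason}")
        print(f"    {a.command_line}")
```

Run as-is it reports lines 1, 3 and 5; passing `allowed_parents={"deploytool.exe"}` drops line 5, which is the kind of baseline exception a SOC records once a legitimate deployment tool is known to use makecab against a share. The rule deliberately keys on the argument pattern rather than on the binary alone, because the binaries themselves are present on every Windows host and their mere execution is not a signal.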

I'm not saying that it is bad those are out, I'm saying by volume they'd be used more by "slightly advanced script kiddies", and as part of bigger tools.

Sure, it might make it easier for red teams to help secure systems, but organizations bad at security will be hit by those low-hanging-fruit methods, even if it might make more aware organizations more secure. Just because it lowers the point of entry.

Or sometimes a person shows up at a new IT job and the old admin didn't leave behind any notes and the only way to do the job at all short of rebuilding everything from the ground up is to pwn the network.

They're for penetration testing and red vs blue teams.

Red is typically 'mischief' and Blue is typically 'mischief prevention.'

Wow, I had no idea what any of that meant. I thought these were scripts helpful for... the tiny fraction of people that work in tech, but live off the grid?

I didn’t know these compiled lists like this existed and I’m like old…

I’ve been manually going to find this kind of documentation since forever. This is great and so helpful.

Don’t forget the Linux version! https://gtfobins.github.io/

Discussed yesterday:

https://news.ycombinator.com/item?id=36628976 (79 comments)

Who is still using restricted shared hosts? I used to use a Dreamhost account like that, but it was years ago. I thought everybody had moved to virtualization for which these hacks don’t help. Am I wrong? Or are new shared/restricted Linux systems still being deployed?

Also check out: https://www.loldrivers.io/

Check this out too: https://lots-project.com/

These days, lolbas binaries get you caught by security tools unless you're very creative.

Excellent list, thank you!

What does "C&C" mean in this context? I couldn't find an explanation on the site.

20+ years ago I worked at a small dev shop. The IT folks and we devs had a contentious relationship, and it was hard to get any changes done on the servers. All I had was sudo access to something like `vi /etc/apache.conf`. I don't remember if I ever exploited it "for real", but it was nice to know that whatever I needed was really just a `:!foo` away. <g>
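The sudo-to-vi anecdote above is the classic GTFOBins case: a sudoers rule meant to grant "edit this one file" also grants a root shell through the editor's `:!cmd` escape. The following is an added example, not code from this thread or from GTFOBins, showing the check a defender would run over a sudoers file: it parses a simplified sudoers grammar (user, host, optional runas, optional tags, comma-separated commands), flags rules that hand a non-root user an interactive editor with a known shell escape or an unrestricted `ALL`, and suggests the `sudoedit` form that edits the file as root without ever running an editor with elevated privileges. The editor set and the sample sudoers content are constructed for this example.

```python
import re
from dataclasses import dataclass

# Editors known to offer a shell escape (vi's :!cmd from the anecdote above; vim shares it).
SHELL_ESCAPE_EDITORS = frozenset({"vi", "vim"})

# user host=(runas) [TAG:]... command[, command...]   (simplified sudoers grammar)
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    command: str
    advice: str


def audit_sudoers(lines):
    """Return a Finding for every command spec that grants more than it appears to."""
    findings = []
    for raw in lines:
        line = raw.strip()
        # comments, blank lines and Defaults entries are not user rules
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:          # aliases, includes and anything else we do not model
            continue
        who = m.group("who")
        for spec in m.group("cmds").split(","):
            tokens = spec.split()
            if not tokens:
                continue
            cmd, args = tokens[0], tokens[1:]
            name = cmd.rsplit("/", 1)[-1]
            if cmd == "ALL" and who != "root":
                findings.append(Finding(who, spec.strip(),
                                        "unrestricted ALL; list the exact commands needed"))
            elif name in SHELL_ESCAPE_EDITORS:
                # one plain file argument: the rule can be rewritten as a sudoedit grant
                if len(args) == 1 and not args[0].startswith("-"):
                    advice = f"sudoedit {args[0]}"
                else:
                    advice = "sudoedit on the specific file(s) instead of an interactive editor"
                findings.append(Finding(who, spec.strip(), advice))
    return findings


# Constructed sample sudoers; users, paths and commands are made up.
SAMPLE_SUDOERS = """
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
alice ALL=(root) /usr/bin/vi /etc/apache.conf
bob ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
carol ALL=(root) /usr/bin/vim /etc/hosts, /bin/cat /var/log/syslog
""".splitlines()

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user}: '{f.command}' -> {f.advice}")
```

On the sample it reports alice's vi rule and carol's vim rule and leaves bob's systemctl grant and carol's cat grant alone. `sudoedit` copies the target file to a temporary location, runs the editor as the invoking user, and writes the result back as root, so a shell escape from inside the editor yields only the user's own privileges.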

The macOS version of LOLBAS is called LOOBins (Living off the Orchard).

Find it here: loobins.io

“Download” here seems to mean anything from actually downloading a file from a remote http server to copying a file from an accessible/open smb share (makecab example).

Also, the layout is confusing: capabilities don’t appear after the executable name; rather, the executable name is vertically centered against the list of features.

For those joining this thread and don't understand what Living off the land is in technical terms:

Use only what's available to cause mischief or prevent mischief. The rules don't allow use of your own scripts, tools, etc. Typically red teams are mischief makers and blue teams are the prevention.

Link to some random web site with a bunch of downloadable files. Sure, let me just run one...

What is this? Please update the link to point to what this actually is. If it's interesting to someone, they'll find the files.

This site does not have any downloadable files. This is a demonstration of how you can use preinstalled binaries on a Windows system as a vector to download new files or execute your own scripts/programs ("living off the land"). It's for hackers.

“Download” does not mean what you think it does here; it’s a tag that means the file mentioned, which I’m not sure is available here at all, has download capacities. Click the logo for more info. But sure, that could be the url here.

Unless you consider opening .html files “downloadable”, I’m not sure you looked through it.

This is actually really great package documentation IMO.

The associated GitHub is much more informative about what the project does. Basically they document "undocumented" capabilities of signed Microsoft binaries that can be used for red team work.

It's for red teamers/pentesters and a very popular website.

Is it possible for people to stop polluting perfectly valid namespaces? I understand that the metaphors and analogies make sense, but every time this occurs, whether it's software, films, or whatever, it further destroys the integrity of already crumbling search engines.

Edit: Because apparently this isn't clear enough:

1. Real world phenomena and technical projects are two distinctive categories, each encompassing a wealth of unique information.

2. Namespaces serve as unique identifiers, used to prevent naming conflicts in various domains.

3. When these namespaces are used within both real-world phenomena and technical projects, they overlap.

4. Overlapping namespaces, by their nature, blur the boundaries between distinctive categories.

5. Search engines operate by categorizing and associating information based on identifiers, specifically namespaces.

6. When these identifiers are blurred, the precision of search engines is compromised.

7. As search engine precision diminishes, the efficacy of search results for users decreases.

8. The reduction in search results efficacy translates to increased search times and decreased productivity, or an inability to find anything about the topic whatsoever due to results pruning.

9. A decrease in productivity is an indirect impact of namespace pollution, disrupting both those living in the real-world and those looking for technical information.

10. We already have to deal with SEO. We shouldn't need to deal with this as well.
