LOLBAS-Project

LOLBAS-Project/LOLBAS

XSLT GPL-3.0 Security

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

8.7k stars
1.1k forks
recent
GitHub

8.7k

Stars

1.1k

Forks

25

Open issues

30

Contributors

AI Analysis

LOLBAS is a curated database documenting Microsoft-signed binaries, scripts, and libraries that can be exploited for living-off-the-land attack techniques. It serves red teams, penetration testers, and DFIR analysts who need to identify unexpected misuse capabilities of legitimate Windows system utilities. This project is highly specialized for offensive security and defensive research professionals—not applicable to general software development.

Security Security Tool Discovery value: 3/10
Documentation 8/10
Activity 9/10
Community 9/10
Code quality 7/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

security-research attack-surface windows-binaries red-team lolbins
Actively maintained Well documented Niche/specialized use case Popular Community favorite Production ready
Deep Analysis · Based on README and public signals
14h ago

LOLBAS: The definitive community catalog of Windows binaries abusable for living-off-the-land attacks

LOLBAS documents every Microsoft-signed binary, script, and library that can be weaponized beyond its intended purpose — for code execution, file operations, persistence, credential theft, and more. Its primary audience is red teamers, penetration testers, threat hunters, and blue team defenders building detection rules. With 8,674 stars and a companion website (lolbas-project.github.io), it has become a standard reference in offensive security workflows and defensive detection engineering. It matters because attackers actively use these techniques to evade application whitelisting and EDR tools.

Origin

Originated from the 'living off the land' concept coined at DerbyCon 3 (2013). The LOLBAS repository was formalized in June 2018 by Oddvar Moe and collaborators, consolidating community-sourced LOLBin discoveries into a structured, queryable YAML dataset.

Growth

Growth was driven by rising attacker adoption of LOLBin techniques in APT campaigns and ransomware, making the catalog essential for both offensive operators and defenders writing SIEM/EDR detections. The companion GTFOBins (Linux equivalent) validated the model. Conference talks, Twitter/X community engagement, and integration into security tooling sustained long-term awareness. Star growth has plateaued recently, likely reflecting market saturation among its target audience rather than declining relevance.

In production

Widely referenced in commercial security tooling documentation, threat intelligence reports, and detection engineering playbooks. Sigma rule sets and EDR vendor blogs frequently cite LOLBAS entries. Security certifications (e.g., OSCP, red team courses) include it as a reference resource. These are indirect but credible indicators of sustained real-world usage.

Code analysis
Architecture

Appears to be a data repository rather than a software project: individual LOLBin entries are stored as structured YAML files, with an XSLT layer likely used for transformation or site generation. The frontend (lolbas-project.github.io) is a separate static site. CI/CD via GitHub Actions performs YAML linting to enforce schema consistency.

Tests

CI pipeline includes YAML linting (visible from README badge), which validates schema correctness of contributed entries. No unit or integration test suite is documented in the README beyond schema validation.

Maintenance

Last push was 2026-06-30, approximately 10 days before the evaluation date — indicating active maintenance. The project has multiple named maintainers and a defined contribution workflow, which reduces single-point-of-failure risk. Slow but steady addition of new entries is consistent with its nature as a living reference document.

Honest verdict

ADOPT IF: you are a red teamer, penetration tester, threat hunter, or detection engineer working on Windows environments who needs a structured, community-vetted reference for LOLBin techniques. AVOID IF: you expect a software library or executable tool — this is a data repository and reference catalog, not deployable code. MONITOR IF: you are building automated detection pipelines and want to track newly documented entries as they are added.

Independent dimensions

Mainstream potential

4/10

Technical importance

8/10

Adoption evidence

8/10

Risks
  • Entries may lag behind newly discovered or publicly disclosed LOLBin techniques, creating a gap between attacker knowledge and documented catalog entries.
  • YAML schema validation catches formatting errors but cannot verify that documented commands are accurate or still functional across all Windows versions — factual drift is possible over time.
  • Dependency on a small group of volunteer maintainers; contributor burnout or maintainer departure could slow intake of new entries, though the multi-maintainer structure mitigates this somewhat.
  • As Microsoft patches or restricts certain binaries, entries may become stale without clear deprecation signals in the dataset.
  • The project's high visibility means defenders and attackers alike monitor it, potentially accelerating detection of techniques shortly after they are documented.
Prediction

LOLBAS is likely to remain the authoritative Windows LOLBin reference for the foreseeable future, growing incrementally as new techniques are discovered. It will probably be increasingly consumed programmatically by detection-as-code pipelines rather than browsed manually.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

XSLT
100%

Information

Language
XSLT
License
GPL-3.0
Last updated
2w ago
Created
98mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Recent releases

No releases published yet.

Similar repos

LukeSmithxyz

LukeSmithxyz/LARBS

LARBS is an automated installation and configuration script that transforms a...

2.1k Shell DevOps
BlackSnufkin

BlackSnufkin/LitterBox

LitterBox is a self-hosted sandbox designed for red teams to test malware...

1.5k YARA Security
meta-llama

meta-llama/PurpleLlama

Purple Llama is Meta's umbrella project for tools and evaluations to assess and...

4.3k Python Security
malwaredllc

malwaredllc/byob

BYOB is an open-source post-exploitation framework designed for authorized...

9.5k Python Security
vs. alternatives
GTFOBins

The direct Linux/Unix equivalent — same model, different OS scope. The two projects are complementary and cross-reference each other; they do not compete.

MITRE ATT&CK (T1218 and related)

ATT&CK documents techniques at a higher abstraction level with broader coverage. LOLBAS is more granular and binary-specific, making it more actionable for operators and detection writers. Many ATT&CK entries reference LOLBAS.

HijackLibs

A related project (also by some LOLBAS maintainers) focused specifically on DLL hijacking opportunities. Narrower scope, complementary to LOLBAS rather than competitive.

Atomic Red Team

Provides executable test cases for ATT&CK techniques; some tests use LOLBins documented in LOLBAS. Red Canary's project is broader and focuses on test execution rather than binary documentation.

WADComs / WTFBINS

Smaller, less mature catalogs covering similar or adjacent territory. LOLBAS has significantly higher adoption, more contributors, and a more established schema.