Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
AI Analysis
LOLBAS is a curated database documenting Microsoft-signed binaries, scripts, and libraries that can be exploited for living-off-the-land attack techniques. It serves red teams, penetration testers, and DFIR analysts who need to identify unexpected misuse capabilities of legitimate Windows system utilities. This project is highly specialized for offensive security and defensive research professionals—not applicable to general software development.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
LOLBAS: The definitive community catalog of Windows binaries abusable for living-off-the-land attacks
LOLBAS documents every Microsoft-signed binary, script, and library that can be weaponized beyond its intended purpose — for code execution, file operations, persistence, credential theft, and more. Its primary audience is red teamers, penetration testers, threat hunters, and blue team defenders building detection rules. With 8,674 stars and a companion website (lolbas-project.github.io), it has become a standard reference in offensive security workflows and defensive detection engineering. It matters because attackers actively use these techniques to evade application whitelisting and EDR tools.
Originated from the 'living off the land' concept coined at DerbyCon 3 (2013). The LOLBAS repository was formalized in June 2018 by Oddvar Moe and collaborators, consolidating community-sourced LOLBin discoveries into a structured, queryable YAML dataset.
Growth was driven by rising attacker adoption of LOLBin techniques in APT campaigns and ransomware, making the catalog essential for both offensive operators and defenders writing SIEM/EDR detections. The companion GTFOBins (Linux equivalent) validated the model. Conference talks, Twitter/X community engagement, and integration into security tooling sustained long-term awareness. Star growth has plateaued recently, likely reflecting market saturation among its target audience rather than declining relevance.
Widely referenced in commercial security tooling documentation, threat intelligence reports, and detection engineering playbooks. Sigma rule sets and EDR vendor blogs frequently cite LOLBAS entries. Security certifications (e.g., OSCP, red team courses) include it as a reference resource. These are indirect but credible indicators of sustained real-world usage.
Appears to be a data repository rather than a software project: individual LOLBin entries are stored as structured YAML files, with an XSLT layer likely used for transformation or site generation. The frontend (lolbas-project.github.io) is a separate static site. CI/CD via GitHub Actions performs YAML linting to enforce schema consistency.
CI pipeline includes YAML linting (visible from README badge), which validates schema correctness of contributed entries. No unit or integration test suite is documented in the README beyond schema validation.
Last push was 2026-06-30, approximately 10 days before the evaluation date — indicating active maintenance. The project has multiple named maintainers and a defined contribution workflow, which reduces single-point-of-failure risk. Slow but steady addition of new entries is consistent with its nature as a living reference document.
ADOPT IF: you are a red teamer, penetration tester, threat hunter, or detection engineer working on Windows environments who needs a structured, community-vetted reference for LOLBin techniques. AVOID IF: you expect a software library or executable tool — this is a data repository and reference catalog, not deployable code. MONITOR IF: you are building automated detection pipelines and want to track newly documented entries as they are added.
Independent dimensions
Mainstream potential
4/10
Technical importance
8/10
Adoption evidence
8/10
- Entries may lag behind newly discovered or publicly disclosed LOLBin techniques, creating a gap between attacker knowledge and documented catalog entries.
- YAML schema validation catches formatting errors but cannot verify that documented commands are accurate or still functional across all Windows versions — factual drift is possible over time.
- Dependency on a small group of volunteer maintainers; contributor burnout or maintainer departure could slow intake of new entries, though the multi-maintainer structure mitigates this somewhat.
- As Microsoft patches or restricts certain binaries, entries may become stale without clear deprecation signals in the dataset.
- The project's high visibility means defenders and attackers alike monitor it, potentially accelerating detection of techniques shortly after they are documented.
LOLBAS is likely to remain the authoritative Windows LOLBin reference for the foreseeable future, growing incrementally as new techniques are discovered. It will probably be increasingly consumed programmatically by detection-as-code pipelines rather than browsed manually.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Website
- https://lolbas-project.github.io
- Language
- XSLT
- License
- GPL-3.0
- Last updated
- 2w ago
- Created
- 98mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Top contributors
Recent releases
No releases published yet.
Similar repos
meta-llama/PurpleLlama
Purple Llama is Meta's umbrella project for tools and evaluations to assess and...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
8.7k | — | XSLT | 8/10 | 2w ago |
|
|
2.1k | — | Shell | 7/10 | 1w ago |
|
|
1.5k | — | YARA | 8/10 | 2mo ago |
|
|
4.3k | — | Python | 7/10 | 1w ago |
|
|
9.5k | — | Python | 7/10 | 1mo ago |
The direct Linux/Unix equivalent — same model, different OS scope. The two projects are complementary and cross-reference each other; they do not compete.
ATT&CK documents techniques at a higher abstraction level with broader coverage. LOLBAS is more granular and binary-specific, making it more actionable for operators and detection writers. Many ATT&CK entries reference LOLBAS.
A related project (also by some LOLBAS maintainers) focused specifically on DLL hijacking opportunities. Narrower scope, complementary to LOLBAS rather than competitive.
Provides executable test cases for ATT&CK techniques; some tests use LOLBins documented in LOLBAS. Red Canary's project is broader and focuses on test execution rather than binary documentation.
Smaller, less mature catalogs covering similar or adjacent territory. LOLBAS has significantly higher adoption, more contributors, and a more established schema.