LOLBASline is a PowerShell tool designed to assess the presence and execution capabilities of Living Off The Land Binaries and Scripts (LOLBAS) on Windows systems. It provides insights into which LOLBAS items are present on the system and tests their ability to execute specific commands.
- Automated LOLBAS Repository Cloning: If no local path is provided, LOLBASline will clone the latest LOLBAS project repository to retrieve the YAML files containing binary information.
- Presence Verification: Checks if the LOLBAS binaries exist on the system.
- Execution Capability Test: Attempts to execute a representative command for each binary to verify execution capabilities.
- Detailed Reporting: Outputs a comprehensive CSV report detailing the binaries checked, their presence, ability to execute commands, and additional metadata from the LOLBAS YAML definitions.
Do not run LOLBASline on a production system. This script attempts to execute commands that can trigger security alerts, potentially disrupt system operations, and may be flagged by security solutions as malicious activity.
Before installing and running LOLBASline, ensure the following are installed on your Windows system:
- PowerShell 5.1 or later
- The
powershell-yamlmodule - Git for Windows. You can download it from here.
To install LOLBASline, run the following command in your PowerShell session:
Install-Module -Name LOLBASline -AllowClobberThis command will automatically download and install LOLBASline and its dependencies from the PowerShell Gallery.
LOLBASline is available on the PowerShell Gallery. You can view and download the module from here.
To use LOLBASline, you can run it directly from your PowerShell session. Here are some common usage scenarios:
-
Default Usage (Auto-clone and Check):
Invoke-LOLBASline -Verbose
-
Specifying a Path to LOLBAS YAML Files:
Invoke-LOLBASline -Path "path\to\your\LOLBAS\yml\files"
-
Verbose Mode and Custom Output File:
Invoke-LOLBASline -Verbose -Output "path\to\your\output.csv"
Replace "path\to\your\LOLBAS\yml\files" and "path\to\your\output.csv" with the actual paths on your system.
An example of the output results.csv generated by LOLBASline can be found in the following gist: Example results.csv.
Here are the options you can use with the Invoke-LOLBASline command:
- -Path [string]: Specify the path to clone the LOLBAS repository.
- -Output [string]: Specify the output file for results. Default is 'results.csv'.
- -Verbose: Enable verbose output to see more detailed information during execution.
- -Help: Display help information about the command usage.
These options allow you to customize the behavior of LOLBASline according to your needs.
We welcome contributions! If you have suggestions for improvements or encounter any issues, please feel free to open a pull request or report an issue on GitHub.
LOLBASline is released under the Apache License 2.0. See the LICENSE file for more details.
- Thanks to the LOLBAS Project for providing the comprehensive list of Living Off The Land Binaries and Scripts.
- This tool was inspired by a tweet from Nathan McNulty. See the tweet here.