nathanmcnulty/LOLBASline
LOLBASline 🛠️

LOLBASline is a PowerShell tool designed to assess the presence and execution capabilities of Living Off The Land Binaries and Scripts (LOLBAS) on Windows systems. It provides insights into which LOLBAS items are present on the system and tests their ability to execute specific commands.

Features 🌟

  • Automated LOLBAS Repository Cloning: If no local path is provided, LOLBASline will clone the latest LOLBAS project repository to retrieve the YAML files containing binary information.
  • Presence Verification: Checks if the LOLBAS binaries exist on the system.
  • Execution Capability Test: Attempts to execute a representative command for each binary to verify execution capabilities.
  • Detailed Reporting: Outputs a comprehensive CSV report detailing the binaries checked, their presence, ability to execute commands, and additional metadata from the LOLBAS YAML definitions.
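As an added illustration of the presence-verification and reporting steps described above (example code, not part of LOLBASline), the script below parses a constructed LOLBAS-style YAML sample, checks each Full_Path, and records signer status and SHA256 for a baseline CSV; it performs no execution test. It assumes the powershell-yaml module is installed; the entries, paths and Sigma URL are constructed placeholders.

```powershell
# Added example, not LOLBASline's own code. Assumes the powershell-yaml module
# (a LOLBASline prerequisite) is installed and that you are on Windows.
Import-Module powershell-yaml

# Constructed sample in the LOLBAS yml layout (Name, Full_Path, Detection). Real
# entries live in the LOLBAS project's yml/ folder, one file per binary. The
# Commands block is left out: this baseline checks presence only and runs nothing.
$sampleYaml = @'
---
Name: Certutil.exe
Full_Path:
  - Path: C:\Windows\System32\certutil.exe
  - Path: C:\Windows\SysWOW64\certutil.exe
Detection:
  - Sigma: https://example.invalid/sigma/placeholder-rule.yml
---
Name: Notreal.exe
Full_Path:
  - Path: C:\Windows\System32\notreal-constructed.exe
'@

function Get-LolbasPresence {
    param([Parameter(Mandatory)][string]$Yaml)
    # Split the multi-document text on '---' so each piece is one binary's entry
    $docs = $Yaml -split '(?m)^---\s*$' | Where-Object { $_.Trim() }
    foreach ($doc in $docs) {
        $entry = ConvertFrom-Yaml -Yaml $doc
        foreach ($fp in $entry.Full_Path) {
            $path    = [Environment]::ExpandEnvironmentVariables($fp.Path)
            $present = Test-Path -LiteralPath $path -PathType Leaf
            $sig = $null; $hash = $null
            if ($present) {
                # Expected: a validly signed Microsoft file; anything else at a LOLBAS path is a finding
                $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Name      = $entry.Name
                Path      = $path
                Present   = $present
                Signature = $sig
                SHA256    = $hash
                Detection = ($entry.Detection | ForEach-Object { $_.Values }) -join '; '
            }
        }
    }
}

$results = Get-LolbasPresence -Yaml $sampleYaml
$results | Export-Csv -Path '.\presence-baseline.csv' -NoTypeInformation
```

Re-running this on a later date and diffing the CSV (Present, Signature, SHA256 columns) shows which LOLBAS binaries appeared, disappeared or changed since the last baseline.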

Warning ⚠️

Do not run LOLBASline on a production system. This script attempts to execute commands that can trigger security alerts, potentially disrupt system operations, and may be flagged by security solutions as malicious activity.

Prerequisites 📋

Before installing and running LOLBASline, ensure the following are installed on your Windows system:

  • PowerShell 5.1 or later
  • The powershell-yaml module
  • Git for Windows. You can download it from here.

Installation 💾

To install LOLBASline, run the following command in your PowerShell session:

Install-Module -Name LOLBASline -AllowClobber

This command will automatically download and install LOLBASline and its dependencies from the PowerShell Gallery.

PowerShell Gallery Package 📦

LOLBASline is available on the PowerShell Gallery. You can view and download the module from here.

Usage 🚀

To use LOLBASline, you can run it directly from your PowerShell session. Here are some common usage scenarios:

  • Default Usage (Auto-clone and Check):

    Invoke-LOLBASline -Verbose
  • Specifying a Path to LOLBAS YAML Files:

    Invoke-LOLBASline -Path "path\to\your\LOLBAS\yml\files"
  • Verbose Mode and Custom Output File:

    Invoke-LOLBASline -Verbose -Output "path\to\your\output.csv"

Replace "path\to\your\LOLBAS\yml\files" and "path\to\your\output.csv" with the actual paths on your system.

Example Output

An example of the output results.csv generated by LOLBASline can be found in the following gist: Example results.csv.

Command Line Options 🛠️

Here are the options you can use with the Invoke-LOLBASline command:

  • -Path [string]: Specify the path to clone the LOLBAS repository.
  • -Output [string]: Specify the output file for results. Default is 'results.csv'.
  • -Verbose: Enable verbose output to see more detailed information during execution.
  • -Help: Display help information about the command usage.

These options allow you to customize the behavior of LOLBASline according to your needs.

Contributing 🤝

We welcome contributions! If you have suggestions for improvements or encounter any issues, please feel free to open a pull request or report an issue on GitHub.

License 📄

LOLBASline is released under the Apache License 2.0. See the LICENSE file for more details.

Acknowledgements 🙏

  • Thanks to the LOLBAS Project for providing the comprehensive list of Living Off The Land Binaries and Scripts.
  • This tool was inspired by a tweet from Nathan McNulty. See the tweet here.

About

Baseline a Windows System against LOLBAS
