Inventory which LOLBAS-listed Windows binaries are actually present on a target machine during an authorized pentest.
Filter results automatically to only the techniques your current privilege level can execute.
Look up the MITRE ATT&CK technique ID and example command for each discovered binary.
Use plain-text output mode when running through a reverse shell where colored output breaks.
| aaron-kidwell/golol | 79e/auto-openai-account | glockinhand/guns.lol-view-bot | |
|---|---|---|---|
| Stars | 41 | 42 | 40 |
| Language | Go | Go | Go |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 4/5 | 3/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires network access on each run to fetch the live LOLBAS catalog, intended only for authorized testing.
goLoL is a command-line tool for Windows that helps security testers quickly understand what built-in Windows programs are available on a target machine and what actions those programs can perform. It works by fetching the latest data from the LOLBAS project, a community-maintained catalog of Windows executables that can be misused during authorized penetration tests or that defenders should watch for. LOLBAS stands for Living Off the Land Binaries, Applications, and Scripts. These are programs that ship with Windows itself, like certutil, wscript, or mshta, and can be used for tasks beyond their original purpose, such as downloading files, executing code, or reading credentials. Because they are already present on most Windows systems, security testers and attackers sometimes use them to avoid triggering alerts that look for unknown software. goLoL gives testers a fast inventory of which of these programs actually exist on the machine in front of them. The tool checks your current permission level automatically. If you are running as a standard user, it only shows techniques available to standard users. If your account belongs to the local Administrators group, it adds administrator-level techniques. If the process is running as SYSTEM, the highest Windows privilege, it shows all tiers. This avoids listing actions you cannot actually take. Each result includes the relevant MITRE ATT&CK technique ID, a short description, and an example command. Built in Go, the scanner resolves common Windows paths at runtime and checks whether each binary is physically present on disk. It requires a network connection on each run because it pulls the LOLBAS catalog live rather than bundling a static copy, so results always reflect the current catalog. A plain-text output mode is included for situations where colored terminal output breaks, such as when running through a reverse shell. The project is MIT licensed and intended only for authorized security testing, lab environments, and educational use.
A Windows command-line tool that inventories which LOLBAS living-off-the-land binaries are present on a target machine for authorized security testing.
Mainly Go. The stack also includes Go.
MIT: use, copy, modify, and distribute freely, including commercially, as long as you keep the copyright notice.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.