whatisgithub

What is lolbas?

lolbas-project/lolbas — explained in plain English

Analysis updated 2026-06-24

8,550XSLTAudience · ops devopsComplexity · 1/5Setup · easy

In one sentence

A community catalog of built-in Windows binaries and scripts that attackers can misuse for tasks like downloading files or running code, used by security teams to build detection rules and understand living-off-the-land techniques.

Mindmap

mindmap
  root((LOLBAS))
    What It Is
      Windows binary catalog
      Abuse documentation
      YAML data files
    Capabilities Covered
      File downloads
      Code execution
      Log evasion
    Users
      Red teams
      Blue teams
      Detection engineers
    Website
      Searchable catalog
      Community contributions
      lolbas-project.github.io
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Look up a Windows binary to see what unexpected capabilities it has that an attacker might exploit during a red team engagement.

USE CASE 2

Build SIEM detection rules that alert when common Windows utilities are used in unusual ways consistent with LOLBAS techniques.

USE CASE 3

Reference the catalog during a penetration test to find living-off-the-land techniques that avoid dropping external executables.

USE CASE 4

Contribute a newly discovered Windows binary or script that meets the signed-by-Microsoft criteria.

What is it built with?

YAMLXSLT

How do you get it running?

Difficulty · easy Time to first run · 5min
No license information was mentioned.

So what is it?

LOLBAS stands for Living Off The Land Binaries and Scripts. The project catalogs Windows tools and files that come pre-installed with the operating system or are signed by Microsoft, but can be used in unexpected ways by attackers or security testers. The term "living off the land" refers to the technique of using tools that are already on a target system, rather than bringing in external malware. The core idea is that many legitimate Windows programs have hidden capabilities beyond their stated purpose. For example, a file transfer utility might also be able to execute arbitrary code, or a diagnostic tool might be able to extract password information. By documenting these behaviors, security teams can better understand what an attacker might do using only built-in tools, and defenders can watch for unusual usage patterns of common programs. Each entry in the project covers a specific binary, script, or library and lists what unexpected things it can do, such as downloading files, running other programs, compiling code, bypassing user account controls, or evading logs. To be included, a file must be signed by Microsoft and must have functionality that goes beyond its intended design in ways that would be relevant to an attacker or red team tester. The YAML files in this repository are the data source behind a public searchable website at lolbas-project.github.io, where you can browse and search the catalog. The repository itself stores the structured data files and accepts contributions when someone discovers a new entry that meets the criteria. The project is used by both offensive security professionals (red teams testing defenses) and defensive security professionals (blue teams setting up detection rules). It is maintained by a group of security researchers as a community reference.

Copy-paste prompts

Prompt 1
I'm writing Sigma detection rules for a SIEM. Using the LOLBAS catalog, list the top Windows binaries most commonly abused for file downloads and provide example command lines I should alert on.
Prompt 2
I'm doing a Windows red team engagement without dropping executables. Based on LOLBAS entries, which built-in tools can execute arbitrary code from a remote URL?
Prompt 3
Help me write a PowerShell script that checks whether any running processes on a Windows machine match known LOLBAS binary names.
Prompt 4
I want to add a new entry to the LOLBAS project. Show me what a correctly formatted YAML entry looks like based on the project's schema.

Frequently asked questions

What is lolbas?

A community catalog of built-in Windows binaries and scripts that attackers can misuse for tasks like downloading files or running code, used by security teams to build detection rules and understand living-off-the-land techniques.

What language is lolbas written in?

Mainly XSLT. The stack also includes YAML, XSLT.

What license does lolbas use?

No license information was mentioned.

How hard is lolbas to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is lolbas for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.