# lolbas-project/lolbas

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/lolbas-project-lolbas).**

8,323 stars · 1,115 forks · XSLT · gpl-3.0

## Links

- GitHub: https://github.com/LOLBAS-Project/LOLBAS
- Homepage: https://lolbas-project.github.io
- awesome-repositories: https://awesome-repositories.com/repository/lolbas-project-lolbas.md

## Topics

`blueteam` `dfir` `living-off-the-land` `lolbins` `lolscripts` `purpleteam` `redteam`

## Description

LOLBAS is a curated database and knowledge base of signed Windows binaries that can be misused to bypass security restrictions and execute unauthorized code. It serves as a technical registry that maps trusted system files to their functional capabilities and the offensive tactics they enable.

The project distinguishes itself by providing a capability-driven indexing system and a tactics registry that relates legitimate binary functionality to known security evasion techniques. It includes an association layer that links specific system binaries to attack patterns and tactical objectives, providing a reference for security research and threat detection engineering.

The project covers a wide range of operational capabilities, including code execution via signed proxies, credential theft and exfiltration, and defense evasion through the use of alternate data streams. It also encompasses tools for file management, network communication, and the creation of detection signatures to identify abnormal execution patterns of trusted binaries.

The binary data is available for export in JSON, CSV, and YAML formats to facilitate integration with external security tools.

## Tags

### Operating Systems & Systems Programming

- [Signed Binary Proxying](https://awesome-repositories.com/f/operating-systems-systems-programming/signed-binary-modules/signed-binary-proxying.md) — Provides a comprehensive database of signed binaries used to bypass execution restrictions by spawning unauthorized processes. ([source](https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/))
- [Binary Capability Catalogs](https://awesome-repositories.com/f/operating-systems-systems-programming/binary-analysis-capabilities/binary-capability-catalogs.md) — Catalogs system executables mapped to their ability to execute code, download files, or exfiltrate data.
- [Capability Classifications](https://awesome-repositories.com/f/operating-systems-systems-programming/binary-analysis-capabilities/capability-classifications.md) — Implements a classification system that categorizes binaries by their ability to perform tasks like file transfer or code execution.
- [DLL Proxy Execution](https://awesome-repositories.com/f/operating-systems-systems-programming/signed-binary-modules/dll-proxy-execution.md) — Maps signed system binaries that can be used as proxies to load and run DLL files. ([source](https://lolbas-project.github.io/lolbas/Binaries/Extexport/))
- [Hosting](https://awesome-repositories.com/f/operating-systems-systems-programming/terminal-command-line-environments/shells-scripting/powershell/hosting.md) — Identifies signed binaries that can host PowerShell scripts to bypass security defenses. ([source](https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/))
- [Process Memory Access](https://awesome-repositories.com/f/operating-systems-systems-programming/process-memory-access.md) — Extracts the memory of running processes using the MiniDump function to retrieve credentials. ([source](https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/))
- [Security Driver Manipulation](https://awesome-repositories.com/f/operating-systems-systems-programming/security-driver-manipulation.md) — Disables drivers used by security agents by leveraging signed system binaries. ([source](https://lolbas-project.github.io/lolbas/Binaries/FltMC/))
- [Locked Data Extraction](https://awesome-repositories.com/f/operating-systems-systems-programming/system-administration-maintenance/file-system-management/file-lock-managers/locked-data-extraction.md) — Enables extraction of locked files using volume shadow copy to bypass system restrictions. ([source](https://lolbas-project.github.io/lolbas/Binaries/Esentutl/))
- [Protected Directory Access](https://awesome-repositories.com/f/operating-systems-systems-programming/system-administration-maintenance/file-system-management/file-system-integration/integrity-protection-managers/protected-directory-access.md) — Moves files into system-protected directories using signed binaries to conceal payloads. ([source](https://lolbas-project.github.io/lolbas/Binaries/Colorcpl/))
- [System File Replacement](https://awesome-repositories.com/f/operating-systems-systems-programming/system-file-replacement.md) — Swaps target system files with alternative versions to modify system behavior. ([source](https://lolbas-project.github.io/lolbas/Binaries/Replace/))
- [Volume Shadow Copy Abuse](https://awesome-repositories.com/f/operating-systems-systems-programming/volume-shadow-copy-abuse.md) — Abuses the volume shadow copy service to dump sensitive data and access protected system files. ([source](https://lolbas-project.github.io/lolbas/Binaries/Diskshadow/))

### Security & Cryptography

- [Binary Security References](https://awesome-repositories.com/f/security-cryptography/binary-security-references.md) — Provides a structured collection of signed binaries mapped to their functional capabilities and security evasion potential.
- [Living Off The Land Binaries](https://awesome-repositories.com/f/security-cryptography/living-off-the-land-binaries.md) — Provides a curated collection of signed Windows binaries usable for security bypass and attack execution.
- [Detection Signature Development](https://awesome-repositories.com/f/security-cryptography/detection-signature-development.md) — Provides detection signatures to recognize when binaries are used for memory dumps or unsigned code execution. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Procdump/))
- [Exploitable Binary Catalogs](https://awesome-repositories.com/f/security-cryptography/exploitable-binary-catalogs.md) — Catalogues signed binaries and libraries that can be misused to execute code or download payloads. ([source](https://lolbas-project.github.io))
- [Credential Extraction Utilities](https://awesome-repositories.com/f/security-cryptography/identity-access-management/credential-lifecycle-management/credential-security/credential-extraction-utilities.md) — Dumps registry hives to extract password hashes and sensitive security material from the system. ([source](https://lolbas-project.github.io/lolbas/Binaries/Reg/))
- [In-Memory Payload Execution](https://awesome-repositories.com/f/security-cryptography/in-memory-payload-execution.md) — Catalogues the use of signed binaries to execute libraries and scripts in memory to avoid detection. ([source](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/))
- [Serialized Payload Execution](https://awesome-repositories.com/f/security-cryptography/in-memory-payload-execution/serialized-payload-execution.md) — Documents the use of signed binaries to execute malicious serialized payloads. ([source](https://lolbas-project.github.io/lolbas/Binaries/Addinutil/))
- [Proxy Execution](https://awesome-repositories.com/f/security-cryptography/proxy-execution.md) — Launches executable files through trusted diagnostic tools to bypass security restrictions. ([source](https://lolbas-project.github.io/lolbas/Binaries/Tttracer/))
- [Proxy Process Execution](https://awesome-repositories.com/f/security-cryptography/proxy-process-execution.md) — Uses trusted signed binaries as proxy processes to execute other executables and evade detection. ([source](https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/))
- [Remote Binary Execution](https://awesome-repositories.com/f/security-cryptography/remote-binary-execution.md) — Catalogues binaries capable of downloading and executing compiled .NET binaries from remote servers. ([source](https://lolbas-project.github.io/lolbas/Binaries/Ieexec/))
- [VBScript Remote Execution](https://awesome-repositories.com/f/security-cryptography/remote-binary-execution/vbscript-remote-execution.md) — Documents binaries that can execute VBScript code from remote servers or local configuration files. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/))
- [Signed Library Proxying](https://awesome-repositories.com/f/security-cryptography/remote-command-execution-tools/payload-conversion-and-execution/signed-library-proxying.md) — Identifies signed system libraries that can be used to launch DLLs or command-line instructions. ([source](https://lolbas-project.github.io/lolbas/Libraries/Ieadvpack/))
- [Local Binary and Script Execution](https://awesome-repositories.com/f/security-cryptography/remote-script-execution/local-binary-and-script-execution.md) — Runs executable files or scripts on local or remote systems to bypass security controls. ([source](https://lolbas-project.github.io/lolbas/Binaries/Wmic/))
- [Suspicious Execution Indicators](https://awesome-repositories.com/f/security-cryptography/suspicious-execution-indicators.md) — Provides indicators of compromise and rules to spot abnormal usage of signed binaries. ([source](https://lolbas-project.github.io/lolbas/Binaries/Fsutil/))
- [Threat Detection](https://awesome-repositories.com/f/security-cryptography/threat-detection.md) — Maps system binaries to attack techniques and creates signatures to identify malicious usage of trusted tools.
- [Authentication Hash Capture](https://awesome-repositories.com/f/security-cryptography/authentication-hash-capture.md) — Triggers authenticated connections to force the leakage or relaying of NTLM authentication hashes. ([source](https://lolbas-project.github.io/lolbas/Binaries/Rpcping/))
- [Batch Script Execution](https://awesome-repositories.com/f/security-cryptography/batch-script-execution.md) — Provides capabilities to launch batch files to run commands and bypass application whitelisting. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/))
- [Data Exfiltration Tools](https://awesome-repositories.com/f/security-cryptography/data-exfiltration-tools.md) — Uploads files or credentials to external data feeds using signed command-line tools. ([source](https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/))
- [Deployment Proxy Execution](https://awesome-repositories.com/f/security-cryptography/deployment-proxy-execution.md) — Lists signed deployment binaries that can be leveraged with registry configurations to run arbitrary commands. ([source](https://lolbas-project.github.io/lolbas/Binaries/Conhost/))
- [Directory Database Permission Manipulations](https://awesome-repositories.com/f/security-cryptography/domain-based-access-controls/domain-scoped-permissions/directory-database-permission-manipulations.md) — Extracts sensitive directory information by manipulating permissions to facilitate volume shadow copy extraction of the NTDS.dit database. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dsdbutil/))
- [PowerShell Policy Bypasses](https://awesome-repositories.com/f/security-cryptography/execution-policies/powershell-policy-bypasses.md) — Runs PowerShell scripts by bypassing execution policies through trusted system processes. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/))
- [HTA Application Execution](https://awesome-repositories.com/f/security-cryptography/hta-application-execution.md) — Launches HTA applications via a signed system library to run code. ([source](https://lolbas-project.github.io/lolbas/Libraries/Mshtml/))
- [Library-Based Application Launching](https://awesome-repositories.com/f/security-cryptography/library-based-application-launching.md) — Launches specified executables by calling a library function to bypass standard execution restrictions. ([source](https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/))
- [Managed Assembly Execution](https://awesome-repositories.com/f/security-cryptography/managed-assembly-execution.md) — Identifies signed binaries that load and run .NET assembly DLLs to execute arbitrary code. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/))
- [MSI Payload Execution](https://awesome-repositories.com/f/security-cryptography/remote-command-execution-tools/payload-conversion-and-execution/msi-payload-execution.md) — Downloads and installs remote MSI files to the local system to run arbitrary code. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/))
- [RegisterOCX Payload Execution](https://awesome-repositories.com/f/security-cryptography/remote-command-execution-tools/payload-conversion-and-execution/registerocx-payload-execution.md) — Launches DLLs or executables by calling the RegisterOCX function. ([source](https://lolbas-project.github.io/lolbas/Libraries/Advpack/))
- [Remote Host File Extraction](https://awesome-repositories.com/f/security-cryptography/remote-host-file-extraction.md) — Extracts archived files from remote internal hosts to a local system for data exfiltration. ([source](https://lolbas-project.github.io/lolbas/Binaries/Tar/))
- [COM Scriptlet Execution](https://awesome-repositories.com/f/security-cryptography/remote-script-execution/com-scriptlet-execution.md) — Runs script code from local or remote XSL and XML files to execute commands. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/))
- [PowerShell Language Mode Bypasses](https://awesome-repositories.com/f/security-cryptography/remote-script-execution/powershell-language-mode-bypasses.md) — Runs scripts including those with non-standard extensions to bypass language mode constraints. ([source](https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/))
- [Security Detection Logic](https://awesome-repositories.com/f/security-cryptography/security-detection-logic.md) — Includes a set of signature rules designed to identify abnormal execution patterns of trusted system binaries.
- [Credential Management Tools](https://awesome-repositories.com/f/security-cryptography/security/utilities/secret-and-credential-managers/credential-management-tools.md) — Manages cached usernames and passwords on a host by creating, listing, and deleting stored credentials. ([source](https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/))
- [Shell Extension Exploitation](https://awesome-repositories.com/f/security-cryptography/shell-extension-exploitation.md) — Lists binaries that invoke shell extension functions to launch HTML applications or executables. ([source](https://lolbas-project.github.io/lolbas/Libraries/Url/))
- [Store-Based Installation Bypasses](https://awesome-repositories.com/f/security-cryptography/store-based-installation-bypasses.md) — Downloads and installs software from digital stores by name or ID to bypass local security policies. ([source](https://lolbas-project.github.io/lolbas/Binaries/Winget/))
- [UAC Bypasses](https://awesome-repositories.com/f/security-cryptography/uac-bypasses.md) — Executes binaries or scripts as high-integrity processes by manipulating registry values to bypass UAC. ([source](https://lolbas-project.github.io/lolbas/Binaries/ComputerDefaults/))
- [URL-Based Payload Execution](https://awesome-repositories.com/f/security-cryptography/url-based-payload-execution.md) — Provides methods to launch executable payloads by calling URL information files through system libraries. ([source](https://lolbas-project.github.io/lolbas/Libraries/Ieframe/))
- [URL Proxy Execution](https://awesome-repositories.com/f/security-cryptography/url-proxy-execution.md) — Lists signed system libraries that can be abused to launch executable payloads via URL files. ([source](https://lolbas-project.github.io/lolbas/Libraries/Shdocvw/))
- [WMI-Based Command Execution](https://awesome-repositories.com/f/security-cryptography/wmi-based-command-execution.md) — Enables running arbitrary commands by creating process instances through the Windows Management Instrumentation interface. ([source](https://lolbas-project.github.io/lolbas/Binaries/Wbemtest/))
- [XAML Application Execution](https://awesome-repositories.com/f/security-cryptography/xaml-application-execution.md) — Executes code within trusted environments by running browser-based XAML application files. ([source](https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/))

### Software Engineering & Architecture

- [Administrative Living-Off-The-Land Techniques](https://awesome-repositories.com/f/software-engineering-architecture/native-bridges/native-script-execution-environments/administrative-living-off-the-land-techniques.md) — Identifies and uses signed system binaries to execute unauthorized code or bypass security restrictions.
- [Living Off The Land Tactics](https://awesome-repositories.com/f/software-engineering-architecture/native-bridges/native-script-execution-environments/living-off-the-land-tactics.md) — Maps trusted operating system files to known offensive techniques used to evade defenses.
- [Registry-Driven Command Execution](https://awesome-repositories.com/f/software-engineering-architecture/registry-driven-command-execution.md) — Runs COM objects defined in the registry to trigger code execution. ([source](https://lolbas-project.github.io/lolbas/Binaries/Verclsid/))
- [Execution Redirection](https://awesome-repositories.com/f/software-engineering-architecture/registry-driven-command-execution/execution-redirection.md) — Provides a registry of binaries that can be used to force the system to launch unauthorized payloads by modifying registry paths. ([source](https://lolbas-project.github.io/lolbas/Binaries/Bash/))
- [Registry DLL Sideloading](https://awesome-repositories.com/f/software-engineering-architecture/registry-driven-command-execution/registry-dll-sideloading.md) — Loads specified libraries by modifying system registry keys to proxy execution of external code. ([source](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/))
- [Registry Path Configuration](https://awesome-repositories.com/f/software-engineering-architecture/application-lifecycle-management/configuration-management/configuration-scopes/installation-path-configurations/registry-path-configuration.md) — Details how modifying the App Paths registry key can be used to proxy the execution of specified executables. ([source](https://lolbas-project.github.io/lolbas/Binaries/write/))

### Part of an Awesome List

- [Evasion Detection Rules](https://awesome-repositories.com/f/awesome-lists/devtools/binary-analysis/evasion-detection-rules.md) — Provides detection rules to identify when signed binaries are used for security evasion. ([source](https://lolbas-project.github.io/lolbas/Binaries/FltMC/))
- [Credential Dumping](https://awesome-repositories.com/f/awesome-lists/security/credential-dumping.md) — Extracts authentication material from the Local Security Authority Subsystem Service (LSASS) memory dump. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dump64/))
- [Defense Evasion](https://awesome-repositories.com/f/awesome-lists/security/defense-evasion.md) — Uses trusted binaries and alternate data streams to hide payloads and evade defensive monitoring.
- [Evasion and Bypass Tools](https://awesome-repositories.com/f/awesome-lists/security/evasion-and-bypass-tools.md) — Provides techniques to run unsigned scripts or binaries by proxying execution through trusted signed system files. ([source](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/))
- [File Transfer](https://awesome-repositories.com/f/awesome-lists/data/file-transfer.md) — Facilitates copying files from network sources to local destinations. ([source](https://lolbas-project.github.io/lolbas/Binaries/Extrac32/))
- [Data Exfiltration](https://awesome-repositories.com/f/awesome-lists/security/data-exfiltration.md) — Exfiltrates files, credentials, and sensitive data from a local system to a remote destination. ([source](https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/))

### Content Management & Publishing

- [Adversary Technique Mappings](https://awesome-repositories.com/f/content-management-publishing/metadata-tagging/framework-coverage-mapping/adversary-technique-mappings.md) — Links specific system binaries to known attack patterns and tactical objectives.

### Data & Databases

- [Alternate Data Stream Persistence](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/alternate-data-stream-persistence.md) — Ensures persistence by hiding binary payloads within filesystem alternate data streams. ([source](https://lolbas-project.github.io/lolbas/Binaries/Sc/))
- [Registry Persistence](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/registry-persistence.md) — Achieves persistence by running pre-configured tasks stored within Windows registry keys. ([source](https://lolbas-project.github.io/lolbas/Binaries/Runonce/))
- [Security Research Repositories](https://awesome-repositories.com/f/data-databases/technical-knowledge-bases/security-research-repositories.md) — Serves as a technical knowledge base for identifying exploitation patterns and creating detection rules.
- [Database Export Utilities](https://awesome-repositories.com/f/data-databases/database-export-utilities.md) — Extracts data or binary payloads from SQL Server databases to the local filesystem. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bcp/))
- [Binary Hiding](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/alternate-data-stream-persistence/binary-hiding.md) — Embeds executable files within the alternate data stream of text files to evade security detection. ([source](https://lolbas-project.github.io/lolbas/Binaries/Print/))
- [File Hiding](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/alternate-data-stream-persistence/file-hiding.md) — Writes files to alternate data streams of target files to conceal them from detection. ([source](https://lolbas-project.github.io/lolbas/Binaries/Findstr/))
- [Hidden Code Execution](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/alternate-data-stream-persistence/hidden-code-execution.md) — Runs scripts embedded within alternate data streams to conceal the source of execution. ([source](https://lolbas-project.github.io/lolbas/Binaries/Mshta/))
- [Registry Data Hiding](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/alternate-data-stream-persistence/registry-data-hiding.md) — Exports and imports registry keys to files stored in alternate data streams to conceal data. ([source](https://lolbas-project.github.io/lolbas/Binaries/Regedit/))
- [Registry Stream Writing](https://awesome-repositories.com/f/data-databases/persistent-storage-management/application-persistence/process-reboot-persistence/alternate-data-stream-persistence/registry-stream-writing.md) — Writes registry keys using data stored within an alternate data stream to evade detection. ([source](https://lolbas-project.github.io/lolbas/Binaries/Regini/))

### Development Tools & Productivity

- [DLL Injection Hooks](https://awesome-repositories.com/f/development-tools-productivity/application-customization-frameworks/system-hooking-frameworks/dll-injection-hooks.md) — Inserts dynamic link libraries into running processes to execute code under their context. ([source](https://lolbas-project.github.io/lolbas/Binaries/Mavinject/))
- [Remote Injection](https://awesome-repositories.com/f/development-tools-productivity/application-customization-frameworks/system-hooking-frameworks/dll-injection-hooks/remote-injection.md) — Documents binaries that allow injecting custom DLLs into services to execute arbitrary code. ([source](https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/))
- [Unsigned DLL Loading](https://awesome-repositories.com/f/development-tools-productivity/application-customization-frameworks/system-hooking-frameworks/dll-injection-hooks/unsigned-dll-loading.md) — Identifies methods to load unsigned DLLs using signed binaries as triggers. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Procdump/))
- [Bypass Execution](https://awesome-repositories.com/f/development-tools-productivity/local-binary-execution/bypass-execution.md) — Identifies signed tools that can be used to launch renamed binaries as child processes to evade security controls. ([source](https://lolbas-project.github.io/lolbas/Binaries/Control/))
- [Trusted Identity Shell Spawning](https://awesome-repositories.com/f/development-tools-productivity/shell-command-execution/trusted-identity-shell-spawning.md) — Lists binaries that spawn command shells under a trusted identity to execute unauthorized commands. ([source](https://lolbas-project.github.io/lolbas/Binaries/Msedge/))
- [DLL Loading](https://awesome-repositories.com/f/development-tools-productivity/command-execution/arbitrary/dll-loading.md) — Identifies signed binaries that load and execute specified DLLs from arbitrary paths. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/))
- [Argument Obfuscation](https://awesome-repositories.com/f/development-tools-productivity/command-line-argument-handlers/argument-obfuscation.md) — Hides command-line parameters from monitoring tools by using response files to pass options. ([source](https://lolbas-project.github.io/lolbas/Binaries/Msbuild/))
- [Script Compilation](https://awesome-repositories.com/f/development-tools-productivity/compilers-toolchains/compilers/script-compilation.md) — Documents the use of binaries to convert JScript source files into executable formats or DLLs. ([source](https://lolbas-project.github.io/lolbas/Binaries/Jsc/))
- [Source Compilation Tools](https://awesome-repositories.com/f/development-tools-productivity/compilers-toolchains/source-compilation-tools.md) — Identifies binaries that build and run source code from project files to execute logic on a target system. ([source](https://lolbas-project.github.io/lolbas/Binaries/Msbuild/))
- [Configuration File Command Execution](https://awesome-repositories.com/f/development-tools-productivity/custom-command-execution/configuration-file-command-execution.md) — Runs arbitrary commands by processing specially crafted configuration files. ([source](https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/))
- [Information File Directives](https://awesome-repositories.com/f/development-tools-productivity/custom-command-execution/configuration-file-command-execution/information-file-directives.md) — Documents launching executables or scriptlets by specifying files within an information file directive. ([source](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/))
- [File Copying Utilities](https://awesome-repositories.com/f/development-tools-productivity/file-copying-utilities.md) — Moves source files to destination paths or alternate data streams using signed system binaries. ([source](https://lolbas-project.github.io/lolbas/Binaries/Expand/))
- [Local Binary Execution](https://awesome-repositories.com/f/development-tools-productivity/local-binary-execution.md) — Runs executable files already present on the system by leveraging signed system binaries. ([source](https://lolbas-project.github.io/lolbas/Binaries/Iediagcmd/))
- [Installation Payload Execution](https://awesome-repositories.com/f/development-tools-productivity/workflow-automation-tools/automation-execution-frameworks/automated-payload-execution/installation-payload-execution.md) — Launches executable files or scriptlets by specifying directives within installation information files. ([source](https://lolbas-project.github.io/lolbas/Libraries/Syssetup/))

### DevOps & Infrastructure

- [Indirect Process Execution](https://awesome-repositories.com/f/devops-infrastructure/background-job-processing/os-process-execution/indirect-process-execution.md) — Runs specified processes using a signed binary as the parent to evade defensive monitoring. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/OpenConsole/))
- [Task Schedulers](https://awesome-repositories.com/f/devops-infrastructure/automation-orchestration/task-execution-frameworks/task-job-management/task-schedulers.md) — Enables the creation of recurring or one-time tasks on local or remote systems to execute commands. ([source](https://lolbas-project.github.io/lolbas/Binaries/Schtasks/))
- [OS Process Execution](https://awesome-repositories.com/f/devops-infrastructure/background-job-processing/os-process-execution.md) — Identifies signed binaries that can run a target process under their own context to evade detection. ([source](https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/))
- [SSH-Based Remote Execution](https://awesome-repositories.com/f/devops-infrastructure/execution-environments/remote-workspace-command-execution/ssh-based-remote-execution.md) — Lists signed SSH clients that can be used to run commands or files on target machines. ([source](https://lolbas-project.github.io/lolbas/Binaries/Ssh/))

### Programming Languages & Runtimes

- [Unsigned](https://awesome-repositories.com/f/programming-languages-runtimes/managed-code-execution/unsigned.md) — Documents signed binaries that allow the local execution of unsigned C# code. ([source](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/))
- [Multi-Language Script Execution](https://awesome-repositories.com/f/programming-languages-runtimes/multi-language-script-execution.md) — Provides a database of binaries that execute JavaScript, JScript, and VBScript from local or remote sources. ([source](https://lolbas-project.github.io/lolbas/Binaries/Mshta/))
- [DLL Proxy Execution](https://awesome-repositories.com/f/programming-languages-runtimes/net-runtimes/dll-proxy-execution.md) — Documents the use of signed binaries to load and run .NET library files to bypass whitelisting. ([source](https://lolbas-project.github.io/lolbas/Binaries/Regasm/))
- [C# Project Execution](https://awesome-repositories.com/f/programming-languages-runtimes/runtime-execution-environments/runtime-environments/language-runtimes/c-environments/c-project-execution.md) — Runs C# projects from a local directory using a signed execution environment. ([source](https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/))
- [C# Compilers](https://awesome-repositories.com/f/programming-languages-runtimes/source-code-compilers/c-compilers.md) — Identifies trusted system binaries that can compile C# source files into executables. ([source](https://lolbas-project.github.io/lolbas/Binaries/Csc/))
- [Visual Basic Compilation](https://awesome-repositories.com/f/programming-languages-runtimes/source-code-compilers/visual-basic-compilation.md) — Identifies binaries capable of transforming Visual Basic source code into executable binaries. ([source](https://lolbas-project.github.io/lolbas/Binaries/Vbc/))

### System Administration & Monitoring

- [Script Execution](https://awesome-repositories.com/f/system-administration-monitoring/group-policy-management/script-execution.md) — Runs logon or startup scripts defined in group policy to execute files on the system. ([source](https://lolbas-project.github.io/lolbas/Binaries/Gpscript/))
- [Password Secret Scanning](https://awesome-repositories.com/f/system-administration-monitoring/group-policy-management/password-secret-scanning.md) — Scans group policy files to identify stored passwords within specific attributes. ([source](https://lolbas-project.github.io/lolbas/Binaries/Findstr/))
- [Task Schedulers](https://awesome-repositories.com/f/system-administration-monitoring/task-schedulers.md) — Provides capabilities to schedule tasks at specific intervals to ensure persistent process execution. ([source](https://lolbas-project.github.io/lolbas/Binaries/At/))

### Networking & Communication

- [Network Traffic Analyzers](https://awesome-repositories.com/f/networking-communication/network-traffic-analyzers.md) — Includes capabilities for sniffing network packets and storing them in logs for traffic analysis. ([source](https://lolbas-project.github.io/lolbas/Binaries/Pktmon/))
- [Remote File Downloads](https://awesome-repositories.com/f/networking-communication/remote-file-downloads.md) — Retrieves files from remote URLs and saves them to local storage via search operations. ([source](https://lolbas-project.github.io/lolbas/Binaries/Findstr/))
- [WebDAV Remote File Management](https://awesome-repositories.com/f/networking-communication/webdav-remote-file-management.md) — Retrieves files from remote WebDAV servers and saves them to the local filesystem. ([source](https://lolbas-project.github.io/lolbas/Binaries/Cmd/))

### User Interface & Experience

- [Window Hiding](https://awesome-repositories.com/f/user-interface-experience/application-window-managers/accessibility-based-window-manipulators/console-window-controllers/window-hiding.md) — Runs console applications in the background by setting the window handle to hidden. ([source](https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/))
- [Spyware Screen Capturers](https://awesome-repositories.com/f/user-interface-experience/screen-capture-tools/spyware-screen-capturers.md) — Stealthily records the user environment and clicks to gather reconnaissance data. ([source](https://lolbas-project.github.io/lolbas/Binaries/Psr/))
