
awesome-lol-commonly-abused

Awesome list of Living off the Land (LOL) methods, tools, and features commonly abused by attackers
https://github.com/danzek/awesome-lol-commonly-abused


  • Cloud & App

    • General

      • AI Agent Index - MIT's AI Agent Index is a public database to document information about currently deployed agentic AI systems.
      • RogueApps - The RogueApps project documents when Good Apps Go Rogue. RogueApps are OIDC/OAuth 2.0 applications that, while not explicitly evil, are often abused and used maliciously. This repository documents the emerging attack surface of SaaS, OIDC, and OAuth 2.0 applications that help attackers during intrusions. If the application was not specifically created for evil purposes, but has been observed during identity compromises, it's a RogueApp.
    • AWS

      • TrailDiscover - An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents, references and security implications.
    • Azure

      • Azure IP Lookup - Find Azure service tags and region details for a given IP address or domain name. This tool leverages Microsoft's published service tag files to map IP addresses to physical data centers and cloud services. By checking the provided IP address or domain against these files, it identifies whether the IP is part of Azure, which service tag it belongs to, and the Azure region from which it originates.
      • Microsoft Graph Permissions Explorer - Reference for MS Graph permissions and the APIs that are enabled and the data objects exposed to the calling application for each.
      • Microsoft 365 Application IDs – BEC Investigation Resources - Reference for application IDs in M365.
  • DevOps

    • General

      • LoLCerts - Living Off The ~~Land~~ Leaked Certificates. A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors.
      • LOTP - Living Off the Pipeline. The idea of the LOTP project is to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.
  • Endpoint

    • Unix

      • ofasgard/lcdbins - An lcdbin is a lowest-common denominator binary - one which, with rare exceptions, should be present on any UNIX-based operating system. This repository is a collection of oneliners that use lcdbins to perform enumeration and post-exploitation activities that you'd normally use other tools for - such as id, netstat or python. Use them when you find yourself in a stripped-down environment where the usual tools aren't available.
      • Argument Injection Vectors - A curated list of exploitable options when dealing with argument injection bugs. These are not vulnerabilities in the associated programs but rather intended features that were proven to be useful to attackers in very specific scenarios.
    • Windows

      • BYOL - Bring Your Own Land (BYOL). Executing custom C#-based assemblies entirely within memory to reduce reliance on tools present on the target system.
      • LOLAD - Living Off The Land and Exploitation Active Directory. The LOLAD and Exploitation project provides a comprehensive collection of Active Directory techniques, commands, and functions that can be used natively to support offensive security operations and Red Team exercises. These techniques leverage AD’s built-in tools to conduct reconnaissance, privilege escalation, and lateral movement, among other tactics.
      • LOLBins CTI-Driven - The LOLBins CTI-Driven (Living-Off-the-Land Binaries Cyber Threat Intelligence Driven) is a project that aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion in a graphical and digestible format for the TIPs platform using the STIX format.
      • Persistence Info - Curated information about Windows persistence mechanisms to improve protection / detection efficiency.
    • General

      • Evasion Techniques - An encyclopedia of evasion and anti-debug techniques.
      • LOLESXi - Living Off The Land ESXi features a comprehensive list of binaries/scripts natively available in VMware ESXi that adversaries have utilised in their operations.
      • LOLRMM - LOLRMM is a curated list of Remote Monitoring and Management (RMM) tools that could potentially be abused by threat actors.
      • Sploitify - Sploitify is an interactive cheat sheet, containing a curated list of public server-side exploits (mostly).
  • Network

    • Windows

      • LOTTunnels - Living Off The Tunnels. The LOTTunnels Project is a community-driven project to document digital tunnels that can be abused by threat actors as well as by insiders for data exfiltration, persistence, shell access, etc.
      • LOLC2 - A collection of C2 frameworks that leverage legitimate services to evade detection.
      • anderspitman/awesome-tunneling - List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.
  • SecOps

    • Windows

      • LoFP - Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with MITRE ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic.
      • Project LOST - Living Off Security Tools. A curated list of security tools used by adversaries to bypass security controls and carry out attacks.
  • References