LOLBAS
Featured · ⚖️ Dual Use · Shell
LOLBAS (Living Off The Land Binaries, Scripts and Libraries) is the Windows equivalent of GTFOBins. It documents Windows binaries, scripts, and libraries that can be used for file download, code execution, lateral movement, persistence, credential theft, and more — all using tools already present on the system. This includes certutil, mshta, rundll32, regsvr32, bitsadmin, and dozens more. Understanding LOLBAS is essential for both red teams (evasion) and blue teams (detection).
Use Cases
- Windows post-exploitation using built-in binaries
- AV/EDR evasion through legitimate executables
- File download via certutil, bitsadmin, etc.
- Code execution through mshta, rundll32, regsvr32
- Detection engineering for blue teams
Details
- Category: ⚖️ Dual Use
- Language: Shell
- Repository: LOLBAS-Project/LOLBAS
More in Dual Use
ProxyChains-ng
C · Force any TCP connection through SOCKS4/5 or HTTP proxies. Chain multiple proxies for anonymity.
Socat
C · Multipurpose relay tool. Bidirectional data transfer between two data channels — sockets, files, pipes, devices.
ngrok
Go · Expose local servers to the internet via secure tunnels. Instant public URLs for localhost services.
Rclone
Go · rsync for cloud storage. Sync, copy, and mount 70+ cloud providers. Command-line Swiss army knife for cloud data.
GTFOBins
Shell · Curated list of Unix binaries that can be used to bypass security restrictions. Living off the land, documented.
Sysinternals Suite
C/C++ · Microsoft's advanced system utilities. PsExec, Process Monitor, Autoruns, TCPView — essential for both ops and offense.