Living off the land binaries" is a term used to describe malware or hacking techniques that take advantage of legitimate
tools and processes that are already present on a computer or network, rather than introducing new malware or malicious
code. The goal is to blend in with normal activity and avoid detection. Examples of this include using built-in Windows
commands to move laterally through a network, or using scripting languages that are commonly installed on a system to
execute malicious code. LOLBAS project is documenting binaries, scripts, and libraries that can be used for Living Off
The Land techniques.
LOLBAS Feed
- Details
- Content
- Dependencies
- Version History
"Living off the land binaries" is a term used to describe malware or hacking techniques that take advantage of legitimate tools.
Living off the land binaries" is a term used to describe malware or hacking techniques that take advantage of legitimate
tools and processes that are already present on a computer or network, rather than introducing new malware or malicious
code. The goal is to blend in with normal activity and avoid detection. Examples of this include using built-in Windows
commands to move laterally through a network, or using scripting languages that are commonly installed on a system to
execute malicious code. LOLBAS project is documenting binaries, scripts, and libraries that can be used for Living Off
The Land techniques.
Integrations
| Name | Description |
|---|---|
| LOLBAS Feed | "Living off the land binaries" is a term used to describe malware or hacking techniques that take advantage of legitimate tools and processes that are already present on a computer or network, rather than introducing new malware or malicious code. The goal is to blend in with normal activity and avoid detection. Examples of this include using built-in Windows commands to move laterally through a network, or using scripting languages that are commonly installed on a system to execute malicious code. LOLBAS project is documenting binaries, scripts, and libraries that can be used for Living Off The Land techniques. |
Playbooks
| Name | Description |
|---|---|
| Search LOLBAS Tools By Name | This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS. |
| Compare Process Execution Arguments To LOLBAS Patterns | This playbook takes a process name and determines its presence in the LOLBAS repository. It then proceeds to compare the incident command line against known patterns of malicious commands listed in TIM by using LOLBAS feed integration. The playbook outputs results when the similarity between the analyzed command line and the malicious patterns is greater than or equal to the preconfigured StringSimilarity threshold. The playbook offers the flexibility to adjust this threshold through the use of the dedicated playbook input, 'StringSimilarityThreshold'. |
Integrations
| Name | Description |
|---|---|
| LOLBAS Feed | "Living off the land binaries" is a term used to describe malware or hacking techniques that take advantage of legitimate tools and processes that are already present on a computer or network, rather than introducing new malware or malicious code. The goal is to blend in with normal activity and avoid detection. Examples of this include using built-in Windows commands to move laterally through a network, or using scripting languages that are commonly installed on a system to execute malicious code. LOLBAS project is documenting binaries, scripts, and libraries that can be used for Living Off The Land techniques. |
Playbooks
| Name | Description |
|---|---|
| Compare Process Execution Arguments To LOLBAS Patterns | This playbook takes a process name and determines its presence in the LOLBAS repository. It then proceeds to compare the alert command line against known patterns of malicious commands listed in TIM by using LOLBAS feed integration. The playbook outputs results when the similarity between the analyzed command line and the malicious patterns is greater than or equal to the preconfigured StringSimilarity threshold. The playbook offers the flexibility to adjust this threshold through the use of the dedicated playbook input, 'StringSimilarityThreshold'. |
| Search LOLBAS Tools By Name | This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS. |
Required Content Packs (3)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Filters And Transformers | By: Cortex XSOAR |
Optional Content Packs (0)
| Pack Name | Pack By |
|---|
All level dependencies (4)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Filters And Transformers | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | May 28, 2023 | |
| Last Release | January 22, 2025 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
