# LOLBin PowerShell Module

A PowerShell module designed to interact with the [LOLBAS API](https://lolbas-project.github.io/api/lolbas.json) to learn about and explore Windows LOLBins (Living Off the Land Binaries). The module provides functions to refresh data, validate file paths, search and filter LOLBins by various criteria, and retrieve detection or usage details.

## Table of Contents

- [Overview](#overview)
- [Installation](#installation)
- [Usage](#usage)
  - [Update-LOLBinData](#update-lolbindata)
  - [Test-LOLBinPaths](#test-lolbinpaths)
  - [Get-LOLBinSummary](#get-lolbinsummary)
  - [Get-LOLBinByName](#get-lolbinbyname)
  - [Get-LOLBinUsage](#get-lolbinusage)
  - [Search-LOLBin](#search-lolbin)
  - [Find-LOLBinByMitreID](#find-lolbinbymitreid)
  - [Find-LOLBinByTag](#find-lolbinbytag)
  - [Get-LOLBinCategory](#get-lolbincategory)
  - [Get-LOLBinDetection](#get-lolbindetection)

## Overview

This module leverages the LOLBAS API to:

- Refresh and load the latest LOLBAS data.
- Validate the existence of files listed as potential LOLBins on your system.
- Provide summary information, usage details, and detection rules for each LOLBin.
- Search or filter LOLBins by name, keywords, MITRE ATT&CK IDs, tags, or categories.

Each function is designed with consistent output and built-in parameter validation for improved usability.

## Installation

Install the module directly from the PowerShell Gallery and import it into your session:

```powershell
Install-Module -Name lolbins -Scope CurrentUser
Import-Module lolbins
```

(Optional) To ensure you're working with the latest data, run:

```powershell
Update-LOLBinData
```

## Usage

### Update-LOLBinData

Refreshes the local `$lolbinData` variable by downloading the latest JSON from the LOLBAS API.

```powershell
# Refresh LOLBAS data from the official endpoint
Update-LOLBinData

# Optional: Specify a different URL if needed
Update-LOLBinData -Url "https://lolbas-project.github.io/api/lolbas.json"
```

### Test-LOLBinPaths

Tests each LOLBin's file paths and returns only those LOLBins with valid paths on your system.

```powershell
# Get LOLBins with existing file paths
Test-LOLBinPaths
```

### Get-LOLBinSummary

Displays a high-level summary of LOLBins, including key fields such as Name, Description, Author, Categories, Privileges, and Operating Systems.

```powershell
# Get summary for a specific LOLBin
Get-LOLBinSummary -Name "AddinUtil.exe"

# Get summary for all LOLBins
Get-LOLBinSummary
```

### Get-LOLBinByName

Retrieves the full JSON object of a LOLBin by its name, including commands, detection rules, and resources.

```powershell
Get-LOLBinByName -Name "Certutil.exe"
```

### Get-LOLBinUsage

Returns detailed usage information (commands, use cases, categories, MITRE ID, etc.) for a specified LOLBin.

```powershell
Get-LOLBinUsage -Name "Bitsadmin.exe"
```

### Search-LOLBin

Searches LOLBins by a keyword across the Description and Command fields. Use the `-Extended` switch to include additional fields like Usecase, Category, or Tags.

```powershell
# Basic search by keyword
Search-LOLBin -Keyword "proxy"

# Extended search including additional fields
Search-LOLBin -Keyword "proxy" -Extended
```

### Find-LOLBinByMitreID

Finds all LOLBins associated with a specific MITRE ATT&CK ID (e.g., T1218).

```powershell
Find-LOLBinByMitreID -MitreID "T1218"
```

### Find-LOLBinByTag

Returns LOLBins that include a given tag (e.g., `Download`, `Execute`, or `AWL Bypass`) in their command definitions.

```powershell
Find-LOLBinByTag -Tag "Download"
```

### Get-LOLBinCategory

Lists all distinct LOLBin categories if no parameter is provided; otherwise, returns LOLBins in a specific category.

```powershell
# List all unique categories
Get-LOLBinCategory

# Get all LOLBins in the "Execute" category
Get-LOLBinCategory -Category "Execute"
```

### Get-LOLBinDetection

Displays detection-related information such as Sigma rules, Splunk queries, Elastic rules, and IOCs for a specified LOLBin.

```powershell
Get-LOLBinDetection -Name "AddinUtil.exe"
```

---

Enjoy exploring LOLBins with this module, and happy scripting!
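The functions above each answer one question (which paths exist, which detections apply, which ATT&CK IDs are involved). The following script is an added example, not part of the lolbins module, showing how those pieces combine into a defender's host inventory in plain PowerShell: it walks LOLBAS-shaped entries, keeps only the binaries whose listed paths resolve on the current machine (the same check `Test-LOLBinPaths` performs), and reports their ATT&CK IDs and detection references so the present ones can be prioritised for monitoring. The field names it reads (`Full_Path[].Path`, `Commands[].MitreID`, `Commands[].Category`, and `Detection[]` objects keyed by `Sigma`, `Splunk`, `Elastic` or `IOC`) are assumed from the public LOLBAS JSON and are not documented on this page; the two-entry sample is constructed so the script runs offline, and `-Url` fetches the live feed instead.

```powershell
# Added example (not the lolbins module's own code): inventory LOLBAS-listed
# binaries present on this host and collect their detection references.
# Schema assumption: entries carry Name, Description, Full_Path[].Path,
# Commands[].{Category,MitreID,Tags} and Detection[] objects keyed by
# Sigma/Splunk/Elastic/IOC (taken from the public LOLBAS JSON, not this page).
[CmdletBinding()]
param(
    # Optional live source, e.g. https://lolbas-project.github.io/api/lolbas.json
    [string]$Url
)

# Constructed sample in the LOLBAS shape; URLs and the second path are illustrative.
$sampleJson = @'
[
  {
    "Name": "Certutil.exe",
    "Description": "Windows binary used for handling certificates",
    "Full_Path": [ { "Path": "C:\\Windows\\System32\\certutil.exe" } ],
    "Commands": [
      { "Category": "Download", "MitreID": "T1105", "Tags": ["Download"] },
      { "Category": "Encode",   "MitreID": "T1027", "Tags": ["Encode"] }
    ],
    "Detection": [
      { "Sigma": "https://example.invalid/sigma/certutil.yml" },
      { "IOC": "certutil.exe writing to a user-writable directory" }
    ]
  },
  {
    "Name": "NotInstalled.exe",
    "Description": "Constructed entry whose path does not exist on this host",
    "Full_Path": [ { "Path": "C:\\Does\\Not\\Exist\\NotInstalled.exe" } ],
    "Commands": [ { "Category": "Execute", "MitreID": "T1218", "Tags": ["Execute"] } ],
    "Detection": [ { "Splunk": "https://example.invalid/splunk/notinstalled.md" } ]
  }
]
'@

# Load either the live feed or the embedded sample.
$entries = if ($Url) { Invoke-RestMethod -Uri $Url } else { $sampleJson | ConvertFrom-Json }

$report = foreach ($entry in $entries) {
    # An entry may list several candidate paths; keep only those that resolve here.
    # -LiteralPath avoids wildcard interpretation of characters in the path.
    $present = @($entry.Full_Path.Path | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($present.Count -eq 0) { continue }

    # Each Detection element is an object with a single property whose name is
    # the detection type (Sigma, Splunk, Elastic, IOC); flatten to "Type: value".
    $detections = foreach ($d in $entry.Detection) {
        foreach ($p in $d.PSObject.Properties) { '{0}: {1}' -f $p.Name, $p.Value }
    }

    [pscustomobject]@{
        Name       = $entry.Name
        Paths      = $present -join '; '
        MitreIDs   = @($entry.Commands.MitreID  | Sort-Object -Unique) -join ', '
        Categories = @($entry.Commands.Category | Sort-Object -Unique) -join ', '
        Detections = @($detections) -join "`n"
    }
}

# Per-binary view: only LOLBins that actually exist on this host are listed.
$report | Sort-Object Name | Format-List

# Technique rollup: how many present binaries map to each ATT&CK ID, most common first.
$report | ForEach-Object { $_.MitreIDs -split ', ' } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
```

Run it without arguments to exercise the embedded sample (on a Windows host the `Certutil.exe` entry is reported and the constructed `NotInstalled.exe` entry is dropped); run it with `-Url` to check the full feed. The rollup at the end is the useful part for a detection engineer: techniques with many present binaries are where a single Sigma or Splunk rule covers the most ground.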