Open
Conversation
As a security researcher, I need LOLBIN file information while writing rules. I would like to contribute this information to your project in order to add missing data for LOLBIN files. This table doesn't include all LOLBINS, but it's a good start.
Contributor
👋 Hey! Thanks for this contribution. The file metadata looks useful for detection rules! I have some quick questions:
I'm concerned about having this as a separate table. The YAML files already have file paths, and adding the same data in two places makes maintenance harder. Also, you mentioned hashes change with OS versions, so we'd need frequent updates. Can you tell me more about your use case? That would help us find the best way to integrate this data. Thanks for contributing!
Author
Hey,

Thanks for your thoughtful feedback — I'm glad to hear the metadata looks useful!

Use Case & Detection Value:

This type of metadata can be very helpful for researchers and detection engineers when writing detection rules.

The most detection-relevant and stable fields across OS versions are:

- Internal_Name
- Original_File_Name
- Product_Name
- FileDescription (optional but valuable for added context)
- File_Hash (optional)

These fields are especially useful in scenarios such as identifying LOLBIN binaries executing from both expected and unexpected locations, as well as detecting abuse techniques like masquerading, DLL hijacking, and other forms of binary tampering.

I understand your concern about maintaining this data in a separate table. I'm open to adjusting the contribution to embed the metadata directly into the existing YAML structure.

Please let me know if you have preferred field names or formatting guidelines — I'm happy to update the PR accordingly.

Thanks again for your time and feedback!

Best regards,
Mark
On Sun, Jun 29, 2025 at 7:34 PM Jose Enrique Hernandez < ***@***.***> wrote:

*josehelps* left a comment (LOLBAS-Project/LOLBAS#398) <#398 (comment)>

👋 Hey! Thanks for this contribution. The file metadata looks useful for detection rules!

I have some quick questions:

- How do you plan to use this data?
- Are you building detection tools that need file hashes?

I'm concerned about having this as a separate table. The YAML files already have file paths, and adding the same data in two places makes maintenance harder. Also, you mentioned hashes change with OS versions, so we'd need frequent updates.

What if we add this info directly to the YAML files instead? We could add fields like Internal_Name and SHA256 to the existing Full_Path sections. This keeps everything together and matches the project structure.

Can you tell me more about your use case? That would help us find the best way to integrate this data.

Thanks for contributing!
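Added example, not code from this PR or from the LOLBAS project, of how a detection engineer would consume the fields Mark lists: a Python check that resolves Sysmon process-creation events against a LOLBAS-style entry carrying the proposed Original_File_Name, Internal_Name and per-Full_Path SHA256 fields, and flags masquerading, execution from an unlisted path, and hash drift. The catalog layout, hash values and events are constructed assumptions; the Sysmon field names (Image, OriginalFileName, Hashes) are the real Event ID 1 ones.

```python
import ntpath
from typing import Dict, List

# Catalog in the shape the thread proposes (Original_File_Name/Internal_Name plus
# a SHA256 per Full_Path item); the hashes are constructed placeholders.
CATALOG = {
    "certutil.exe": {
        "Original_File_Name": "CertUtil.exe",
        "Internal_Name": "CertUtil.exe",
        "Full_Path": [
            {"Path": r"C:\Windows\System32\certutil.exe", "SHA256": "aaaa1111"},
            {"Path": r"C:\Windows\SysWOW64\certutil.exe", "SHA256": "bbbb2222"},
        ],
    },
}
# Lookup by version-info name, so a renamed copy still resolves to its entry.
BY_ORIGINAL_NAME = {v["Original_File_Name"].lower(): k for k, v in CATALOG.items()}

def parse_hashes(field: str) -> Dict[str, str]:
    """Parse a Sysmon-style Hashes field such as 'SHA256=...,MD5=...'."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def check_event(event: Dict[str, str]) -> List[str]:
    """Findings for one process-creation event (Sysmon Event ID 1 field names)."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    orig = event.get("OriginalFileName", "").lower()
    sha = parse_hashes(event.get("Hashes", "")).get("SHA256", "").lower()
    key = BY_ORIGINAL_NAME.get(orig) or (name if name in CATALOG else None)
    if key is None:
        return []
    findings: List[str] = []
    if name != key:  # version info says LOLBIN, on-disk name says otherwise
        findings.append(f"masquerade: {image} has OriginalFileName {orig}")
    known = {p["Path"].lower(): p["SHA256"] for p in CATALOG[key]["Full_Path"]}
    if image.lower() not in known:
        findings.append(f"unexpected_path: {image} is not a listed Full_Path of {key}")
    elif sha and sha != known[image.lower()]:
        # Hashes drift between OS builds (as the thread notes): low-confidence,
        # worth a version check rather than a verdict on its own.
        findings.append(f"hash_mismatch: {image} SHA256 {sha} not in catalog")
    return findings

# Constructed sample events, not captured telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe", "Hashes": "SHA256=AAAA1111,MD5=x"},
    {"Image": r"C:\Users\Public\certutil.exe", "OriginalFileName": "CertUtil.exe", "Hashes": "SHA256=AAAA1111"},
    {"Image": r"C:\Temp\cu.exe", "OriginalFileName": "CertUtil.exe", "Hashes": ""},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe", "Hashes": "SHA256=CCCC3333"},
]
```

Only the first event is clean; the hash_mismatch finding is deliberately the weakest signal because, as both sides of the thread note, hashes change with each OS build.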