LOLBAS Checker - Match Commands to Known LOLBins
Paste a Windows command or suspicious snippet and quickly check whether known LOLBAS binaries appear. The lookup runs in your browser for fast blue-team triage.
Run a LOLBAS command check
LOLBAS (Living Off The Land Binaries and Scripts) catalogs binaries and scripts that are legitimate on Windows (often Microsoft-signed) but that attackers may abuse to run code, load a DLL, exfiltrate data, or bypass controls - without dropping an unknown executable.
LOLBin is the usual shorthand for the same idea (a "living off the land" binary). This tool compares your payload or command line against the LOLBAS project dataset (232 embedded entries, official lolbas.json format).
Detection is based on file names (.exe, .dll, etc.) and Windows paths.
Catalog references are aligned with the official LOLBAS Project.
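The matching described above can be sketched in a few lines of JavaScript; this is an added example, not the tool's own code. The three-entry catalog is constructed (it reuses the Name, Full_Path and Commands field names of lolbas.json), the function names are hypothetical, and the caret stripping and extension-less fallback are assumptions that go beyond what the page states.

```javascript
// Constructed three-entry catalog in the lolbas.json shape; a real check
// would load the full project file instead of this sample.
const CATALOG = [
  { Name: "Certutil.exe",
    Full_Path: [{ Path: "C:\\Windows\\System32\\certutil.exe" }],
    Commands: [{ Category: "Download", MitreID: "T1105" }] },
  { Name: "Rundll32.exe",
    Full_Path: [{ Path: "C:\\Windows\\System32\\rundll32.exe" }],
    Commands: [{ Category: "Execute", MitreID: "T1218.011" }] },
  { Name: "Regsvr32.exe",
    Full_Path: [{ Path: "C:\\Windows\\System32\\regsvr32.exe" }],
    Commands: [{ Category: "AWL Bypass", MitreID: "T1218.010" }] },
];

// Index entries by lower-cased file name and by each catalogued full path.
function buildIndex(catalog) {
  const byName = new Map(), byPath = new Map();
  for (const entry of catalog) {
    byName.set(entry.Name.toLowerCase(), entry);
    for (const p of entry.Full_Path || []) byPath.set(p.Path.toLowerCase(), entry);
  }
  return { byName, byPath };
}

// Return one hit per catalogued binary that appears in the pasted text.
function checkCommand(commandLine, index) {
  // Drop cmd.exe caret escapes, fold case, split on whitespace/quotes/separators.
  const tokens = commandLine.replace(/\^/g, "").toLowerCase()
    .split(/[\s"'|&;,()<>]+/).filter(Boolean);
  const hits = new Map();
  for (const token of tokens) {
    const base = token.split(/[\\/]/).pop();          // file name without directory
    const entry = index.byPath.get(token) || index.byName.get(base)
      || index.byName.get(base + ".exe");             // assumed fallback: extension omitted
    if (!entry || hits.has(entry.Name)) continue;
    hits.set(entry.Name, {
      name: entry.Name,
      matched: token,
      via: index.byPath.has(token) ? "path" : "name", // "name" = not at a catalogued path
      categories: [...new Set(entry.Commands.map(c => c.Category))],
      mitre: [...new Set(entry.Commands.map(c => c.MitreID))],
    });
  }
  return [...hits.values()];
}

// Constructed sample input: two ordinary invocations, one with a caret escape.
const SAMPLE = String.raw`cmd /c cer^tutil -hashfile report.bin SHA256 & "C:\Windows\System32\RUNDLL32.EXE" sample.dll,Entry`;
const INDEX = buildIndex(CATALOG);
console.log(checkCommand(SAMPLE, INDEX));
```

Both sample commands are routine uses of the binaries, which is why a hit is only a prompt to check the surrounding telemetry.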
Why use a LOLBAS checker?
Adversaries often abuse legitimate Windows binaries to blend into normal system activity. A LOLBAS checker helps analysts quickly map a pasted command to known living-off-the-land binaries and tactics.
It is useful for SOC triage, detection engineering, and incident response reviews where command-line context matters.
Features of the LOLBAS checker
- Command text matching against known LOLBAS entries
- Fast browser-side analysis with embedded catalog data
- Reference links and quick defensive context
- Useful for blue-team triage workflows
- No account required for use
How to use the LOLBAS checker?
- Paste a command line, script snippet, or payload string
- Run the check to compare against the embedded catalog
- Review matches and validate with your telemetry context
What can you analyze with this tool?
- Suspicious command lines from Windows logs
- Potential LOLBin execution patterns in scripts
- Copy-pasted payload fragments from alerts
- Triage notes during IR and threat hunting
- Candidate binaries for deeper defensive review
FAQ
What is LOLBAS?
Living Off The Land Binaries and Scripts (LOLBAS) are legitimate Windows binaries and scripts that attackers may abuse. The LOLBAS Project catalogs known examples and defensive notes.
Are my commands sent to a server?
No. Matching uses embedded catalog data and runs in your browser. Nothing is uploaded for analysis by CyberHunter.
Is this a detection engine?
It helps triage whether known LOLBAS executables appear in a pasted command. It does not replace EDR or full command-line auditing.
Where do definitions come from?
From the official LOLBAS Project. Always refer to their site for the latest entries and guidance.