[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80495":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":16,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":29,"readmeContent":30,"aiSummary":31,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":32,"discoverSource":33},80495,"goLoL","aaron-kidwell\u002FgoLoL","aaron-kidwell","goLoL is a Windows host scanner with dual support for LOLBAS binaries and LOLDrivers. It lists LOLBAS techniques runnable at your current privilege level (with MITRE ATT&CK mappings) and can scan local .sys files for vulnerable\u002Fmalicious LOLDrivers hash matches.","",null,"Go",57,7,2,0,1,2.71,false,"main",true,[22,23,24,25,26,27,28],"ctf-tools","cybersecurity-tools","go","golang","living-off-the-land","lolbas","penetration-testing-tools","2026-06-12 02:04:03","# goLoL\n\n**goLoL** is a Windows host scanner with dual support for **[LOLBAS](https:\u002F\u002Flolbas-project.github.io\u002F)** binaries and **[LOLDrivers](https:\u002F\u002Fwww.loldrivers.io\u002F)**. 
It lists LOLBAS techniques runnable at your current privilege level (with MITRE ATT&CK mappings) and can scan local `.sys` files for vulnerable\u002Fmalicious LOLDrivers hash matches.\n**Note:** This is not an OPSEC safe tool.\n**Author:** Aaron Kidwell\n\n```\n                   █████                █████      \n                  ░░███                ░░███       \n  ███████  ██████  ░███         ██████  ░███       \n ███░░███ ███░░███ ░███        ███░░███ ░███       \n░███ ░███░███ ░███ ░███       ░███ ░███ ░███       \n░███ ░███░███ ░███ ░███      █░███ ░███ ░███      █\n░░███████░░██████  ███████████░░██████  ███████████\n ░░░░░███ ░░░░░░  ░░░░░░░░░░░  ░░░░░░  ░░░░░░░░░░░ \n ███ ░███                                          \n░░██████                                           \n ░░░░░░                                            \n\n```\n\n![goLoL interactive terminal output](docs\u002Fscreenshot.png)\n\n## Features\n\n- **Live LOLBAS catalog** — pulls the latest entries from [lolbas-project.github.io](https:\u002F\u002Flolbas-project.github.io\u002Fapi\u002Flolbas.json)\n- **On-disk detection** — resolves documented paths to local `%WINDIR%`, `%ProgramFiles%`, `%USERPROFILE%`, and WindowsApps locations\n- **Privilege-aware filtering** — shows only techniques runnable at your current tier\n- **MITRE ATT&CK labels** — technique IDs mapped to readable names (e.g. 
`T1003.003: NTDS`)\n- **Flexible sorting** — group by binary, privilege tier, or ATT&CK technique\n- **Driver mode** — hashes local `.sys` files and matches against the live [LOLDrivers](https:\u002F\u002Fwww.loldrivers.io\u002F) JSON catalog\n- **Plain output mode** — ASCII-only output for telnet, reverse shells, and other unstable terminals\n- **Lightweight scanning** — filesystem checks via Go APIs; admin-group detection uses `net localgroup` (one child process on Windows)\n\n## Privilege tiers\n\n| Your context | What you see |\n|---|---|\n| Standard user | User-tier techniques |\n| Member of local **Administrators** | User-tier + admin-tier techniques |\n| **NT AUTHORITY\\\\SYSTEM** | User-tier + admin-tier + SYSTEM-tier techniques |\n\nAdmin-tier commands may still require an elevated shell even if your account is in the Administrators group. SYSTEM-tier entries are hidden unless the process token is SYSTEM (`S-1-5-18`).\n\n## Requirements\n\n- **Windows** (primary target; non-Windows builds stub out privilege checks)\n- **Go 1.21+** (project uses Go 1.26.2)\n- **Network access** to fetch LOLBAS\u002FLOLDrivers catalogs on each run (not cached offline)\n\n## Install\n\n**Remote install** (requires a tagged release on GitHub, e.g. `v0.1.0`):\n\n```bash\ngo install github.com\u002Faaron-kidwell\u002FgoLoL@latest\n```\n\nThe binary is placed in your `GOPATH\u002Fbin` (or `~\u002Fgo\u002Fbin`). 
On Windows, ensure that directory is on your `PATH`.\n\n**Clone and build:**\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Faaron-kidwell\u002FgoLoL.git\ncd goLoL\ngo build -ldflags=\"-s -w\" -trimpath -o golol.exe .\n```\n\n## Usage\n\n`goLoL` supports two scan modes:\n- **LOLBAS mode (default)** for living-off-the-land binaries and privilege-filtered techniques\n- **LOLDrivers mode** via `-driver` for vulnerable\u002Fmalicious driver hash matches\n\nRun from the module root (required for `internal\u002F` packages):\n\n```bash\ngo run .\n```\n\nBuild a binary (recommended; strips debug info, ~30% smaller):\n\n```bash\ngo build -ldflags=\"-s -w\" -trimpath -o golol.exe .\n.\\golol.exe\n```\n\n`-s -w` removes the symbol table and DWARF debug data. A default `go build` on this project is ~9.5 MB; with those flags it drops to ~6.4 MB.\n\n### Flags\n\n| Flag | Description |\n|---|---|\n| `-h`, `-help` | Show help |\n| `-driver` | Scan local drivers and list known vulnerable\u002Fmalicious matches from LOLDrivers |\n| `-plain` | ASCII-only output — no colors, Unicode, or cursor control |\n| `-s`, `-search` | Show one binary by name (`certutil` or `certutil.exe`); reports if not on disk |\n| `-sort` | Sort results: `binary` (default), `privilege`, or `attack` |\n\nSort aliases: `b`, `priv` \u002F `p`, `mitre` \u002F `a`. Invalid values print an error and show help.\n\n### Examples\n\n```bash\n# Default — grouped by binary name (A–Z)\ngo run .\n\n# Driver mode (scan local .sys files against LOLDrivers hashes)\ngo run . -driver\n\n# Look up a single binary\ngo run . -s certutil\n.\\golol.exe -s certutil.exe\n\n# Admin tier first, then user tier (SYSTEM tier first when running as SYSTEM)\ngo run . -sort privilege\n\n# Sorted by MITRE ATT&CK ID\ngo run . -sort attack\n\n# Reverse shell \u002F telnet friendly output\ngo run . -plain\n\n# Combine flags\ngo run . -plain -sort attack\n```\n\n### Example output\n\nCounts and binaries vary by host. 
The screenshot at the top of this README shows interactive mode (colored terminal, grouped by binary).\n\n**Plain mode** (`-plain`):\n\n```\n[*] Checking process token...\n[*] Fetching LOLBAS catalog...\n[+] Found 147 binaries, 299 techniques\n\n==============================================================\nRole:        administrator\nSort:        binary\nBinaries:    147\nTechniques:  299\n==============================================================\n\n  [1] Esentutl.exe\n  Path:          C:\\Windows\\System32\\esentutl.exe\n  ...\n```\n\n## How it works\n\n1. Detects the current process privilege context (standard user, local admin group member, or SYSTEM).\n2. In default mode, downloads and parses the LOLBAS JSON catalog.\n3. For each LOLBAS entry, remaps documented paths to the local filesystem and checks whether the binary exists.\n4. Filters commands by privilege tier and deduplicates by resolved on-disk path.\n5. In `-driver` mode, downloads the LOLDrivers JSON catalog, hashes local `.sys` files, and reports hash matches.\n6. 
Prints results with paths, ATT&CK technique, use case, and example command (or driver match metadata in `-driver` mode).\n\n| Component | Location |\n|---|---|\n| LOLBAS catalog | `https:\u002F\u002Flolbas-project.github.io\u002Fapi\u002Flolbas.json` |\n| LOLDrivers catalog | `https:\u002F\u002Fwww.loldrivers.io\u002Fapi\u002Fdrivers.json` |\n| Privilege detection | `internal\u002Fprivileges` |\n| MITRE technique names | `internal\u002Fmitre` |\n| Path resolution & output | `main.go` |\n\n## Project layout\n\n```\n.\n├── docs\u002F\n│   └── screenshot.png            # README screenshot\n├── main.go\n├── internal\u002F\n│   ├── mitre\u002F\n│   │   └── names.go              # MITRE ATT&CK ID → label map\n│   └── privileges\u002F\n│       ├── privileges_windows.go # Token \u002F Administrators group checks\n│       └── privileges_stub.go    # Non-Windows stub\n├── go.mod\n└── go.sum\n```\n\n## Disclaimer\n\nFor **authorized** security testing, lab use, and education only. Only run against systems you own or have explicit permission to assess. LOLBAS entries describe techniques that may be abused by attackers — use responsibly. The author is not responsible for misuse.\n\nTechnique and metadata are sourced from the [LOLBAS Project](https:\u002F\u002Fgithub.com\u002FLOLBAS-Project\u002FLOLBAS) and [LOLDrivers](https:\u002F\u002Fgithub.com\u002Fmagicsword-io\u002FLOLDrivers). goLoL is not affiliated with or endorsed by either project.\n\n## License\n\nMIT\n","goLoL is a Windows host scanner that supports LOLBAS binaries and LOLDrivers. It lists the LOLBAS techniques runnable at the current privilege level (with MITRE ATT&CK mappings) and can scan local `.sys` files for hash matches against vulnerable or malicious LOLDrivers. Written in Go, it offers a live-updated LOLBAS catalog, on-disk path resolution, privilege-aware filtering, MITRE ATT&CK labels, flexible sorting, and lightweight filesystem checks. goLoL is suited to security assessments, penetration testing, and red team exercises, helping security researchers identify potential security risks.","2026-06-11 04:00:59","CREATED_QUERY"]