goLoL is a lightweight Windows host scanner designed for red teamers to identify Living Off The Land (LOL) binaries present on a target system. Unlike static lists, it fetches a live LOLBAS catalog via API and maps available binaries against the user's current execution context.
Key Features
- Live LOLBAS catalog integration via the lolbas-project.github.io API for up-to-date technique data.
- Privilege-aware filtering that only displays techniques runnable at your current tier (User, Admin, or SYSTEM).
- Automated on-disk detection that resolves documented paths to local filesystem locations using environment variables.
- MITRE ATT&CK labels providing technique IDs and human-readable names for every binary.
- Support for plain output mode to ensure compatibility with reverse shells and low-interaction terminals.
- Flexible sorting options by binary name, privilege requirements, or ATT&CK ID.
Use Cases
- Post-exploitation situational awareness to quickly discover available execution, persistence, and exfiltration vectors.
- Streamlining privilege escalation by identifying admin-tier binaries on a compromised host.
- Bypassing security controls by utilizing trusted, signed Windows binaries for offensive operations.
