
Living off the Land (LOL) attack techniques, tools, and defender resources

39 GitHub stars · 47 curated resources · 5 categories · last refreshed 23 hours ago

What's inside

Endpoint

  • Argument Injection Vectors

    Intended features of legitimate programs exploitable as argument injection vectors.

  • Bootloaders.io

    Known malicious bootloaders for various operating systems.

  • BYOL

    Bring Your Own Land (BYOL): Executing custom C#-based assemblies entirely within memory to reduce reliance on tools present on the target system.

  • Evasion Techniques

    Encyclopedia of evasion and anti-debug techniques.

  • Filesec.io

    File extensions being used by attackers, tagged by function and operating system.

  • GTFOArgs

    Unix binaries that can be manipulated for argument injection, possibly resulting in security vulnerabilities.

Network

  • Awesome Tunneling

    Tunneling software and services, including self-hosted alternatives to ngrok and Cloudflare Tunnel, commonly abused for C2 and exfiltration.

  • LOLC2

    C2 frameworks that leverage legitimate services to evade detection.

  • LOLEXFIL

    Data exfiltration reference covering LOLBins, RMM tools, cloud storage, tunneling protocols, and more, each with detection patterns, simulation commands, DFIR artifacts, IOCs, and ATT&CK mappings.

  • LOTS Project

    Living Off Trusted Sites: Legitimate popular domains abused for phishing, C2, exfiltration, and tool delivery to evade detection.

  • LOTTunnels

    Living Off the Tunnels: Legitimate tunneling services abused for exfiltration, persistence, and shell access.

  • LoTWH

    Living Off The Webhooks: Webhook services abused for data exfiltration and C2 communications.

Cloud & App

  • Azure App IDs

    Azure application names and IDs.

  • Azure App IDs Security and Compliance

    Azure application IDs linked to security, data handling, and compliance information.

  • Azure IP Lookup

    Maps IPs and domains to Azure service tags, regions, and data centers; useful for identifying when Azure services are abused to masquerade as legitimate Microsoft traffic.

  • Entra ID First Party Apps & Scope Browser

    First-party Microsoft Entra ID applications and their pre-consented permissions, including apps vulnerable to ConsentFix/AuthCodeFix and those exempted by default from conditional access policies.

  • Hacking the Cloud

    Encyclopedia of attacks/tactics/techniques for cloud exploitation.

  • LOLAPI

    Real-world abused APIs across Windows, Cloud, and Browser platforms with detection strategies, mitigation guidance, and red team POCs.

SecOps

  • LoFP

    Living off the False Positive: Autogenerated collection of false positives sourced from popular rule sets.

  • Project LOST

    Living Off Security Tools: Security tools used by adversaries to bypass security controls and carry out attacks.

Software Supply Chain

  • LoLCerts

    Living Off The Leaked Certificates: Code signing certificates known to have been leaked or stolen, then abused by threat actors.

  • LOTP

    Living Off the Pipeline: Inventories how development tools (typically CLIs) commonly used in CI/CD pipelines have lesser-known RCE-By-Design features ("foot guns").
