LOLBAS-Project / LOLBAS

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
https://lolbas-project.github.io
GNU General Public License v3.0

Suggestion: Generate detections as a single, machine-parsable file? #285

Open moshekaplan opened 1 year ago

moshekaplan commented 1 year ago

Similar to https://github.com/magicsword-io/LOLDrivers/tree/main/detections , would it be possible to generate a list of detections for the lolbins detailed in this project?

I understand that this is a much harder ask - but I think it would also make this project significantly more valuable to system defenders.

bohops commented 1 year ago

I really like the idea, however, I think it would be difficult to achieve due to the categorization of the LOLBINs. It may be possible to generate content for some categories, but it would be very generic and likely subject to false positives.

Although it is not an exact science, we do try to map detections from open-source rule repositories, which has the backing of various and sundry detection engineering efforts. PRs are always welcome :)

bohops commented 1 year ago

I may have missed the mark of the ask, but if you are looking for mapped detections - our API options may be the best route:

https://lolbas-project.github.io/api/

moshekaplan commented 1 year ago

> I may have missed the mark of the ask, but if you are looking for mapped detections - our API options may be the best route:
>
> https://lolbas-project.github.io/api/

This is very similar to what I had been hoping for - some sort of machine-parsable format for all of the lolbins, so they can be processed with a SIEM, like Splunk. I think this gets us most of the way there. Thank you!

EDIT: It looks like Splunk may have beaten me to this a year ago with their free Splunk Security Essentials app:
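One way to turn the API feed bohops points to into the kind of SIEM lookup the thread is asking for. This is an added example, not code from the thread or from the LOLBAS project; the feed URL, and the assumption that each entry carries `Name`, `Full_Path` and `Detection` lists, should be checked against the live API, and the rule links in the sample are constructed placeholders.

```python
import csv
import io
import json
import urllib.request

# Assumed location of the machine-readable feed behind https://lolbas-project.github.io/api/
LOLBAS_API_URL = "https://lolbas-project.github.io/api/lolbas.json"

# Constructed sample entries in the assumed shape of the feed (key names are an
# assumption to verify against the live data); rule links are placeholders.
SAMPLE_FEED = json.dumps([
    {"Name": "Example1.exe",
     "Full_Path": [{"Path": "C:\\Windows\\System32\\example1.exe"},
                   {"Path": "C:\\Windows\\SysWOW64\\example1.exe"}],
     "Detection": [{"Sigma": "https://example.invalid/sigma/example1.yml"},
                   {"Splunk": "https://example.invalid/splunk/example1.yml"}]},
    {"Name": "Example2.exe",
     "Full_Path": [{"Path": "C:\\Windows\\System32\\example2.exe"}],
     "Detection": []},  # no mapped rule yet: still worth a lookup row
])

def load_feed(url=LOLBAS_API_URL, timeout=10):
    """Fetch the live feed. Not called below, so the script runs offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def flatten_detections(entries):
    """One row per (binary path, detection reference). An entry with no mapped
    detection still yields a row with empty detection fields, so a SIEM lookup
    can at least flag the path as a known LOLBin."""
    rows = []
    for entry in entries:
        name = entry.get("Name", "")
        paths = [p.get("Path", "") for p in entry.get("Full_Path", [])] or [""]
        dets = [(k, v) for d in entry.get("Detection", []) for k, v in d.items()]
        dets = dets or [("", "")]
        for path in paths:
            for det_type, ref in dets:
                rows.append({"name": name, "path": path,
                             "filename": path.rsplit("\\", 1)[-1].lower(),
                             "detection_type": det_type, "reference": ref})
    return rows

def to_csv(rows):
    """Serialize the rows as a CSV lookup table (e.g. a Splunk lookup file)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "path", "filename",
                                             "detection_type", "reference"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(flatten_detections(json.loads(SAMPLE_FEED))))
```

The `filename` column is lower-cased so it can be matched against process-creation events regardless of how the path was logged.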