Awesome
LOLESXi is a curated list of living off the land behaviours observed via public reporting.
Please refer to NOTICE.md
for license information.
Living Off the Land ESXi
<img src="assets/logo.png" height="250">Goal
The goal of the LOLESXi project is to identify, track, and document native VMware ESXi binaries and scripts that adversaries utilise during offensive campaigns. By cataloging these tools, the project aims to raise awareness and provide information to enhance detection capabilities.
Criteria
The binary/script must contain any of the following:
- Be natively available in VMWARE ESXi.
- Have been documented via CTI or open source offensive security content.
Interesting functionality can include:
- Terminate Process
- Lists VMs
- Terminate Running VM
- System Information
- Account Enumeration
- Find Files
- Remove Evidence
- Find and Replace
- Change File Permission
- Discover storage
- Enable Service
- Disable Startup
- Inhibit Recovery
- Power off VM
- Stop Service
- Adjust Performance
- Replace File
- Timestomp
- Change Display Information
- Disable Service
- Discover Network Info
- Software Operation
Contributing
If you would like to contribute, please review the contributing guidelines located here: https://github.com/LOLESXi-Project/LOLESXi/blob/main/CONTRIBUTE.md
The History of the LOLBin
The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at DerbyCon 3.
The History about this project
The inspiration to create this project is based on the session Defending and Investigating Hypervisors by Anurag Khanna and Thirumalai Natarajan at the SANS DFIR Summit 2023. Our primary maintainer is (@blueteam0ps_)
Maintainers
The following folks help maintain the LOLESXi Project on their personal time:
- Wietze Beukema (@wietze)
Thanks
As with many open-source projects, this one is the product of a community and we would like to thank ours:
- The LOLBAS team providing the theme for the project.
- The logo for project was from Flaticon and was designed by juicy_fish.
Notice
- Please refer to NOTICE.md for license information