LOLBAS-MCP


A Model Context Protocol (MCP) server that acts as a bridge between Large Language Models (LLMs) and the LOLBAS Project API, allowing automated queries for living-off-the-land binaries and scripts.

This MCP Server is configured to run locally via STDIO.

Quickstart Guide

1. Clone the Repository

git clone https://github.com/malwaredetective/LOLBAS-MCP.git
cd LOLBAS-MCP

2. Set Up a Python Virtual Environment

python3 -m venv venv

# Run this command to activate your Python Virtual Environment within Linux/macOS
source venv/bin/activate

# Run this command to activate your Python Virtual Environment within Windows
venv\Scripts\activate

3. Install Python Dependencies

pip install -r requirements.txt

4. Configure the MCP Server within your preferred MCP Client

  • Install your preferred MCP Client.
  • Depending on your MCP Client, the steps to configure the server may differ. A standard configuration is listed within this project's file.

Note: When executing the MCP server from within a Python Virtual Environment, the startup command may differ depending on your Operating System.

MCP Tools

For detailed documentation on each tool and example prompt guides to get you started, check the LOLBAS-MCP Wiki.

list_binaries

Return a list of all binaries/scripts found within the LOLBAS API.

{
  "type": "object",
  "properties": {}
}

list_categories

Return a list of all unique operational categories within the LOLBAS API, for example: Download, Execute, Tamper. These categories represent the main techniques or use cases associated with living-off-the-land binaries and scripts.

{
  "type": "object",
  "properties": {}
}

query_file

Query the LOLBAS API for the details of a specific binary/script by name.

{
  "type": "object",
  "properties": {
    "file_name": {
      "description": "The name of the file to query, for example: 'certutil.exe', 'mshta.exe', etc.",
      "type": "string"
    }
  },
  "required": [
    "file_name"
  ]
}

query_category

Query the LOLBAS API for all binaries/scripts that include at least one command in a given category, for example: Download, Execute, Copy.

{
  "type": "object",
  "properties": {
    "category": {
      "description": "The category of commands to search for, for example: 'Download', 'Execute', etc.",
      "type": "string"
    }
  },
  "required": [
    "category"
  ]
}

refresh_cache

Refresh your local cache with the latest updates from the LOLBAS API.

{
  "type": "object",
  "properties": {}
}
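The five tools above are thin operations over one JSON feed: fetch the LOLBAS data once, keep it in a local cache, and answer name and category lookups from that cache. The block below is an added example written for this page, not the project's own server code, and it does not use the MCP SDK. It assumes the LOLBAS API returns a JSON array of entries carrying `Name`, `Commands` (each with a `Category`) and a `Detection` list, and the sample data embedded in it is constructed to mirror that shape rather than real API output. `LOLBAS_API_URL` is the LOLBAS project's published endpoint and is only contacted when no `fetch_fn` is supplied.

```python
"""Cache-backed helpers modelled on the LOLBAS-MCP tool set:
list_binaries, list_categories, query_file, query_category, refresh_cache."""
import json
from typing import Any, Callable, Optional

# LOLBAS project's public JSON feed; used only when no offline fetch_fn is injected.
LOLBAS_API_URL = "https://lolbas-project.github.io/api/lolbas.json"

# Constructed sample mirroring the assumed LOLBAS entry shape; NOT real API output.
# Command text is deliberately replaced by a placeholder; only the metadata matters here.
SAMPLE_LOLBAS_JSON = json.dumps([
    {
        "Name": "Certutil.exe",
        "Commands": [
            {"Category": "Download", "Command": "<placeholder>",
             "Description": "constructed: download use case"},
        ],
        "Detection": [{"IOC": "constructed: sample detection note"}],
    },
    {
        "Name": "Mshta.exe",
        "Commands": [
            {"Category": "Execute", "Command": "<placeholder>",
             "Description": "constructed: execute use case"},
        ],
        "Detection": [],
    },
    {
        "Name": "Bitsadmin.exe",
        "Commands": [
            {"Category": "Download", "Command": "<placeholder>"},
            {"Category": "Copy", "Command": "<placeholder>"},
        ],
        "Detection": [{"IOC": "constructed: sample detection note"}],
    },
])


class LolbasCache:
    """Holds the parsed LOLBAS entries and answers the tool queries from memory."""

    def __init__(self, fetch_fn: Optional[Callable[[], str]] = None) -> None:
        self._fetch = fetch_fn or self._fetch_http
        self._entries: list[dict[str, Any]] = []
        self.refresh_cache()

    @staticmethod
    def _fetch_http() -> str:
        # Real network fetch of the published feed (not exercised offline).
        import urllib.request
        with urllib.request.urlopen(LOLBAS_API_URL, timeout=15) as resp:
            return resp.read().decode("utf-8")

    def refresh_cache(self) -> int:
        """Re-download and re-parse the feed; returns the number of usable entries.
        Parsing happens before assignment, so a failed or malformed fetch leaves
        the previous cache intact instead of emptying it."""
        data = json.loads(self._fetch())
        if not isinstance(data, list):
            raise ValueError("LOLBAS API: expected a JSON array of entries")
        self._entries = [e for e in data if isinstance(e, dict) and e.get("Name")]
        return len(self._entries)

    def list_binaries(self) -> list[str]:
        """All binary/script names, sorted for stable output."""
        return sorted(e["Name"] for e in self._entries)

    def list_categories(self) -> list[str]:
        """Unique Category values found across every entry's Commands."""
        cats = {c.get("Category") for e in self._entries
                for c in e.get("Commands", []) if c.get("Category")}
        return sorted(cats)

    def query_file(self, file_name: str) -> Optional[dict[str, Any]]:
        """Case-insensitive exact match on Name, so 'certutil.exe' finds 'Certutil.exe'.
        The returned entry includes the Detection list, which is the part a defender wants."""
        wanted = file_name.strip().lower()
        for e in self._entries:
            if e["Name"].lower() == wanted:
                return e
        return None

    def query_category(self, category: str) -> list[str]:
        """Names of entries with at least one command in the given category."""
        wanted = category.strip().lower()
        return sorted(e["Name"] for e in self._entries
                      if any(c.get("Category", "").lower() == wanted
                             for c in e.get("Commands", [])))


# Offline instance backed by the constructed sample.
CACHE = LolbasCache(fetch_fn=lambda: SAMPLE_LOLBAS_JSON)

if __name__ == "__main__":
    print(CACHE.list_binaries())
    print(CACHE.list_categories())
    print(CACHE.query_category("Download"))
    print(CACHE.query_file("certutil.exe"))
```

Injecting `fetch_fn` is what makes the cache testable without network access; swapping in the default HTTP fetch gives the live behaviour the `refresh_cache` tool describes. Matching on the lower-cased name keeps queries tolerant of how an LLM spells a file name while still refusing partial matches, so `cert` does not silently return `Certutil.exe`.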

License

This project is licensed under the MIT License.

You are free to use, modify, and distribute this software in accordance with the MIT License terms.