LOLAPI
Living Off The Land APIs
Structured catalog of legitimate system APIs weaponized for attack. Detection strategies, abuse scenarios, and mitigation guidance.
Coverage by Category
Windows .NET
Windows COM
Native APIs
Browser Ext
Cloud Services
Script Engines
Miscellaneous
Why LOLAPI?
Structured Catalog
YAML-based entries with schema validation for consistency
Abuse Scenarios
Real code examples with full attack context and execution flow
Detection Strategies
Behavioral, forensic, and log-based detection signals
Risk Scoring
Quantified severity × prevalence × ease of abuse
MITRE ATT&CK
Mapped to tactics, techniques, and real-world campaigns
Community-Driven
Open for contributions and improvements from the community
The Problem
After organizations deploy WDAC (Windows Defender Application Control) to block LOLBAS binaries, attackers simply shift tactics to abuse legitimate system APIs:
- ✓ .NET Reflection-based code execution
- ✓ COM/WMI automation (legitimate admin tools)
- ✓ Windows API direct abuse (kernel32, ntdll)
- ✓ Browser extension APIs for persistence
- ✓ Cloud metadata services for privilege escalation
The Solution
LOLAPI fills the gap with a structured, comprehensive catalog:
- ✓ Catalog of 29+ high-impact weaponized APIs
- ✓ Real abuse scenarios with code examples
- ✓ Detection strategies (behavioral, forensic, logs)
- ✓ Risk scoring and prevalence data
- ✓ MITRE ATT&CK mapping and campaign attribution
Trust & Transparency
Security First
Responsible disclosure policy and security guidelines in place.
View Security Policy →
Open & Transparent
All data in YAML format, fully documented, and peer-reviewed.
Contributing Guide →
Community Driven
Built for the security community, with contributions from researchers.
Join Community →