LOLAPI

Getting Started

Learn how to explore LOLAPI and use it in your security work

Installation & Setup

Requirements: Python 3.8+, Git

1. Clone the Repository

git clone https://github.com/TheMagicClaw/LOLAPI.git
cd LOLAPI

2. Validate Entries

All API entries are stored in YAML format and validated against a JSON schema.

python3 bin/validate.py -v

3. Search & Analyze

Use the compare tool to generate reports and analyze APIs by category or risk.

# Generate risk heatmap
python3 bin/compare.py --risk-heatmap

# Analyze by category
python3 bin/compare.py --by-category

# Find critical APIs
python3 bin/compare.py --all | grep -i "critical"

Understanding YAML Entries

Each API is documented in a structured YAML file. Here's what you'll find:

id: 550e8400-e29b-41d4-a716-446655440000 name: "System.Diagnostics.Process.Start" category: "windows-dotnet-api" api: namespace: "System.Diagnostics" class: "Process" method: "Start" language: ".NET 2.0+" abuse_scenarios: - name: "Inline command execution" technique_id: "T1059.001" description: "Execute arbitrary commands..." code_snippet: "Process.Start(\"cmd.exe\", \"/c ...\");" detection: - vendor: "Microsoft Defender" capability: "Behavior-based detection" effectiveness: "medium" risk: severity: "high" prevalence: "widespread" ease_of_abuse: "easy"

Key Concepts

Risk Scoring

Risk scores are calculated as:

Risk = (Severity × Ease × Detection_Difficulty × Likelihood) / 100

Higher scores indicate higher threat. Use this to prioritize detection and mitigation efforts.

MITRE ATT&CK Mapping

All abuse scenarios are mapped to MITRE ATT&CK tactics and techniques. Use these mappings to integrate LOLAPI into your threat modeling and detection frameworks.

Abuse Scenarios

Real-world code examples showing how each API can be weaponized. These include detection difficulty assessments and notes on prevalence in actual attacks.

Detection Strategies

Practical strategies for detecting abuse, including behavioral signals, forensic indicators, and log-based detections specific to each API and platform.

Use Cases

Threat Hunting

Use LOLAPI abuse scenarios and detection strategies to hunt for attacks in your environment.

Detection Engineering

Build detections based on documented abuse scenarios and behavioral signals.

Security Awareness

Educate teams about weaponized APIs and the attack techniques they enable.

Red Teaming

Reference real abuse scenarios and understand detection evasion techniques.

Risk Assessment

Use risk scores to prioritize which APIs and techniques to focus detection/mitigation efforts on.

Next Steps

  1. Explore the API Browser to find relevant APIs for your platform
  2. Review detailed documentation for specific APIs
  3. Check out the detection rules (Sigma, Splunk, YARA)
  4. Join the community to discuss and contribute
  5. Read the detection and mitigation guides

Tip: Keep LOLAPI updated as new APIs are discovered and documented. Subscribe to GitHub releases for updates.

Related Resources

MITRE ATT&CK

Framework for tactics and techniques

LOLBAS Project

Living Off The Binaries and Scripts

LOLRMM

Living Off Living Remote Management

LOLDrivers

Vulnerable drivers exploited in attacks