detection-forge

agentic-detection-lookups

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": true}
logging | {}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
extensions | {"io.modelcontextprotocol/ui": {}}
experimental | {}

Tools

Functions exposed to the LLM to take actions

Name | Description

detection_lookup_binary

Check if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary.

Provide the filename (e.g., 'certutil.exe', 'curl', 'python'). Returns risk level, abuse categories, MITRE ATT&CK technique IDs, description, and source. Searches both LOLBAS (Windows) and GTFOBins (Linux) datasets. If not found in either, returns {found: false} with a suggestion.

detection_check_parent_child

Check if a process parent-child relationship is expected or suspicious.

Provide parent and child process filenames (e.g., parent='winword.exe', child='cmd.exe'). Returns whether the relationship is expected, the risk if unexpected, MITRE technique, and triage notes.

detection_list_by_category

List all binaries in a specific abuse category.

LOLBAS categories: Execute, Download, Upload, AWL Bypass, UAC Bypass, Compile, Credentials, Dump, Encode, Reconnaissance. GTFOBins categories: shell, reverse-shell, bind-shell, file-read, file-write, download, upload, library-load, command, inherit, privilege-escalation.

Supports pagination via limit (default 50) and offset (default 0).

detection_list_by_mitre

List all binaries (LOLBAS + GTFOBins) mapped to a specific MITRE ATT&CK technique.

Provide a technique ID like 'T1218', 'T1059.001', 'T1105', etc. Searching a parent technique (e.g., T1218) also returns sub-techniques (T1218.011). Supports pagination via limit (default 50) and offset (default 0).

detection_search

Search across all lookup files for a text match.

Searches filename, description, categories, MITRE IDs, and notes fields across LOLBAS, GTFOBins, and parent-child baselines. Returns up to limit results (default 20).

detection_list_lookups

List all available lookup files and their metadata (row counts, columns).

Use this tool to discover what datasets are available before querying.

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/detection-forge/agentic-detection-lookups'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.