Skip to main content
Glama
detection-forge

agentic-detection-lookups

by detection-forge
OverviewSchemaRelated ServersScoreDiscussions
Python
Local

Lookup Binary

detection_lookup_binary
Read-onlyIdempotent

Check if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary, returning risk level, abuse categories, and MITRE ATT&CK technique IDs for detection enrichment.

Instructions

Check if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary.

Provide the filename (e.g., 'certutil.exe', 'curl', 'python'). Returns risk level, abuse categories, MITRE ATT&CK technique IDs, description, and source. Searches both LOLBAS (Windows) and GTFOBins (Linux) datasets. If not found in either, returns {found: false} with a suggestion.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
filenameYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault

No arguments

Implementation Reference

  • mcp_server/server.py:84-139 (handler)
    The handler function for detection_lookup_binary. Accepts a filename string, strips path/whitespace, normalizes case, searches both LOLBAS (Windows) and GTFOBins (Linux) datasets, and returns found status with risk level, categories, MITRE IDs, description, and source. If not found in either, returns {found: false} with a suggestion.
    def detection_lookup_binary(filename: str) -> dict[str, Any]:
    """Check if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary.

    Provide the filename (e.g., 'certutil.exe', 'curl', 'python').
    Returns risk level, abuse categories, MITRE ATT&CK technique IDs, description, and source.
    Searches both LOLBAS (Windows) and GTFOBins (Linux) datasets.
    If not found in either, returns {found: false} with a suggestion.
    """
    filename_lower = filename.lower().strip()
    # Strip path if provided
    if "\\" in filename_lower or "/" in filename_lower:
        filename_lower = filename_lower.replace("\\", "/").split("/")[-1]

    results = []

    # Search LOLBAS (Windows)
    for row in _get_lolbas():
        if row.get("filename", "").lower() == filename_lower:
            results.append({
                "source": "lolbas",
                "binary_name": row.get("binary_name", ""),
                "primary_path": row.get("primary_path", ""),
                "categories": row.get("categories", "").split("|") if row.get("categories") else [],
                "mitre_ids": row.get("mitre_ids", "").split("|") if row.get("mitre_ids") else [],
                "risk": row.get("risk", ""),
                "description": row.get("description", ""),
            })

    # Search GTFOBins (Linux)
    for row in _get_gtfobins():
        if row.get("filename", "").lower() == filename_lower:
            results.append({
                "source": "gtfobins",
                "binary_name": row.get("binary_name", ""),
                "primary_path": row.get("primary_path", ""),
                "categories": row.get("categories", "").split("|") if row.get("categories") else [],
                "mitre_ids": row.get("mitre_ids", "").split("|") if row.get("mitre_ids") else [],
                "risk": row.get("risk", ""),
                "description": row.get("description", ""),
            })

    if not results:
        return {
            "found": False,
            "filename": filename_lower,
            "suggestion": (
                "Binary not in LOLBAS or GTFOBins datasets. "
                "Try without the file extension (e.g., 'notepad' instead of 'notepad.exe'), "
                "or use detection_search to search by keyword."
            ),
        }

    # If found in one source, return that; if both, return all matches
    if len(results) == 1:
        return {"found": True, **results[0]}
    return {"found": True, "matches": results}
  • mcp_server/server.py:75-83 (registration)
    The @mcp.tool() decorator that registers detection_lookup_binary as an MCP tool with annotations including title 'Lookup Binary', readOnlyHint=True, idempotentHint=True.
    @mcp.tool(
    annotations={
        "title": "Lookup Binary",
        "readOnlyHint": True,
        "destructiveHint": False,
        "idempotentHint": True,
        "openWorldHint": False,
    },
)
  • mcp_server/server.py:34-58 (helper)
    Helper function _load_csv loads CSV lookup files from the lookups/ directory. Used to populate the LOLBAS and GTFOBins caches that detection_lookup_binary queries.
    def _load_csv(filename: str) -> list[dict[str, str]]:
    """Load a CSV lookup file and return rows as list of dicts."""
    filepath = LOOKUPS_DIR / filename
    if not filepath.exists():
        return []
    with open(filepath, "r", encoding="utf-8") as f:
        return list(csv.DictReader(f))


def _match_filename(pattern: str, value: str) -> bool:
    """Match with glob support (e.g., 'tomcat*.exe')."""
    return fnmatch(value.lower(), pattern.lower())


# Cache loaded data in memory (small files, fast startup)
_lolbas_cache: list[dict[str, str]] | None = None
_parent_child_cache: list[dict[str, str]] | None = None
_gtfobins_cache: list[dict[str, str]] | None = None


def _get_lolbas() -> list[dict[str, str]]:
    global _lolbas_cache
    if _lolbas_cache is None:
        _lolbas_cache = _load_csv("lolbas_binaries.csv")
    return _lolbas_cache
  • mcp_server/server.py:54-72 (helper)
    Helper functions _get_lolbas() and _get_gtfobins() that load and cache the CSV data. These are called by detection_lookup_binary to search each dataset.
    def _get_lolbas() -> list[dict[str, str]]:
    global _lolbas_cache
    if _lolbas_cache is None:
        _lolbas_cache = _load_csv("lolbas_binaries.csv")
    return _lolbas_cache


def _get_parent_child() -> list[dict[str, str]]:
    global _parent_child_cache
    if _parent_child_cache is None:
        _parent_child_cache = _load_csv("parent_child_baselines.csv")
    return _parent_child_cache


def _get_gtfobins() -> list[dict[str, str]]:
    global _gtfobins_cache
    if _gtfobins_cache is None:
        _gtfobins_cache = _load_csv("gtfobins.csv")
    return _gtfobins_cache
  • mcp_server/server.py:43-45 (helper)
    Helper function _match_filename supporting glob-style matching using fnmatch. Used elsewhere but available as utility.
    def _match_filename(pattern: str, value: str) -> bool:
    """Match with glob support (e.g., 'tomcat*.exe')."""
    return fnmatch(value.lower(), pattern.lower())

Tool Definition Quality

A4.4/5.0
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations declare readOnlyHint=true, destructiveHint=false, idempotentHint=true, which the description supports by describing a non-destructive lookup. The description adds functional details (returns risk level, abuse categories, MITRE IDs) and behavior when binary not found.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise (four sentences) and front-loaded with the primary purpose. Each sentence adds value, though the examples could be integrated more efficiently.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the simple one-parameter input and presence of an output schema, the description is complete. It outlines return fields (risk level, abuse categories, MITRE IDs, description, source) and the case where the binary is not found, including a suggestion.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With schema description coverage at 0%, the description provides crucial context: the 'filename' parameter is a binary name, with examples like 'certutil.exe' or 'python', and that it searches both datasets. This adds meaning beyond the bare schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

Description clearly states the tool checks if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary. It provides examples and specifies the return fields, distinguishing it from sibling tools like detection_list_by_category or detection_search.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Description implies usage context: 'Provide the filename' and 'Searches both LOLBAS and GTFOBins datasets.' It does not explicitly compare to siblings, but the purpose is well-defined and distinct.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/detection-forge/agentic-detection-lookups'

If you have feedback or need assistance with the MCP directory API, please join our Discord server