Skip to main content
Glama
detection-forge

agentic-detection-lookups

by detection-forge
OverviewSchemaRelated ServersScoreDiscussions
Python
Local

Lookup Binary

detection_lookup_binary
Read-onlyIdempotent

Check whether a binary is a known living-off-the-land binary (LOLBAS/GTFOBins) and get risk level, abuse categories, MITRE ATT&CK IDs, and source.

Instructions

Check if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary.

Provide the filename (e.g., 'certutil.exe', 'curl', 'python'). Returns risk level, abuse categories, MITRE ATT&CK technique IDs, description, and source. Searches both LOLBAS (Windows) and GTFOBins (Linux) datasets. If not found in either, returns {found: false} with a suggestion.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
filenameYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault

No arguments

Implementation Reference

  • mcp_server/server.py:84-139 (handler)
    Main handler function for the detection_lookup_binary tool. It takes a filename, strips any path, searches LOLBAS (Windows) and GTFOBins (Linux) datasets, and returns found/not-found with risk, categories, MITRE IDs, and description.
    def detection_lookup_binary(filename: str) -> dict[str, Any]:
    """Check if a binary is a known LOLBAS (Windows) or GTFOBins (Linux) living-off-the-land binary.

    Provide the filename (e.g., 'certutil.exe', 'curl', 'python').
    Returns risk level, abuse categories, MITRE ATT&CK technique IDs, description, and source.
    Searches both LOLBAS (Windows) and GTFOBins (Linux) datasets.
    If not found in either, returns {found: false} with a suggestion.
    """
    filename_lower = filename.lower().strip()
    # Strip path if provided
    if "\\" in filename_lower or "/" in filename_lower:
        filename_lower = filename_lower.replace("\\", "/").split("/")[-1]

    results = []

    # Search LOLBAS (Windows)
    for row in _get_lolbas():
        if row.get("filename", "").lower() == filename_lower:
            results.append({
                "source": "lolbas",
                "binary_name": row.get("binary_name", ""),
                "primary_path": row.get("primary_path", ""),
                "categories": row.get("categories", "").split("|") if row.get("categories") else [],
                "mitre_ids": row.get("mitre_ids", "").split("|") if row.get("mitre_ids") else [],
                "risk": row.get("risk", ""),
                "description": row.get("description", ""),
            })

    # Search GTFOBins (Linux)
    for row in _get_gtfobins():
        if row.get("filename", "").lower() == filename_lower:
            results.append({
                "source": "gtfobins",
                "binary_name": row.get("binary_name", ""),
                "primary_path": row.get("primary_path", ""),
                "categories": row.get("categories", "").split("|") if row.get("categories") else [],
                "mitre_ids": row.get("mitre_ids", "").split("|") if row.get("mitre_ids") else [],
                "risk": row.get("risk", ""),
                "description": row.get("description", ""),
            })

    if not results:
        return {
            "found": False,
            "filename": filename_lower,
            "suggestion": (
                "Binary not in LOLBAS or GTFOBins datasets. "
                "Try without the file extension (e.g., 'notepad' instead of 'notepad.exe'), "
                "or use detection_search to search by keyword."
            ),
        }

    # If found in one source, return that; if both, return all matches
    if len(results) == 1:
        return {"found": True, **results[0]}
    return {"found": True, "matches": results}
  • mcp_server/server.py:75-83 (registration)
    Registration of detection_lookup_binary as an MCP tool via @mcp.tool decorator with annotations for title, readOnlyHint, destructiveHint, idempotentHint, and openWorldHint.
    @mcp.tool(
    annotations={
        "title": "Lookup Binary",
        "readOnlyHint": True,
        "destructiveHint": False,
        "idempotentHint": True,
        "openWorldHint": False,
    },
)
  • mcp_server/server.py:34-41 (helper)
    _load_csv helper function used by caches to load CSV lookup files from the lookups/ directory. Called indirectly by detection_lookup_binary via _get_lolbas() and _get_gtfobins().
    def _load_csv(filename: str) -> list[dict[str, str]]:
    """Load a CSV lookup file and return rows as list of dicts."""
    filepath = LOOKUPS_DIR / filename
    if not filepath.exists():
        return []
    with open(filepath, "r", encoding="utf-8") as f:
        return list(csv.DictReader(f))
  • mcp_server/server.py:54-58 (helper)
    _get_lolbas helper that caches and returns LOLBAS CSV data. Used by detection_lookup_binary to search for Windows binaries.
    def _get_lolbas() -> list[dict[str, str]]:
    global _lolbas_cache
    if _lolbas_cache is None:
        _lolbas_cache = _load_csv("lolbas_binaries.csv")
    return _lolbas_cache
  • mcp_server/server.py:68-72 (helper)
    _get_gtfobins helper that caches and returns GTFOBins CSV data. Used by detection_lookup_binary to search for Linux binaries.
    def _get_gtfobins() -> list[dict[str, str]]:
    global _gtfobins_cache
    if _gtfobins_cache is None:
        _gtfobins_cache = _load_csv("gtfobins.csv")
    return _gtfobins_cache

Tool Definition Quality

A4.5/5.0
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already declare readOnlyHint=true, destructiveHint=false, idempotentHint=true. The description adds valuable behavioral context: it searches both LOLBAS (Windows) and GTFOBins (Linux) datasets, returns risk level, abuse categories, MITRE IDs, and a suggestion if not found. No contradiction with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise (5 sentences), well-structured, and front-loaded with the main purpose. Every sentence adds necessary information without redundancy.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given one parameter, clear explanation, existing output schema, and annotations covering safety, the description is fully complete for an agent to understand and invoke the tool correctly. Siblings are clearly different.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With schema description coverage at 0%, the description compensates by explaining the parameter 'filename' with examples like 'certutil.exe', 'curl', 'python'. It clarifies what constitutes a valid input, adding meaning beyond the bare schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool checks if a binary is a known LOLBAS or GTFOBins binary, using the verb 'Check' and specifying the resource ('binary') and context ('living-off-the-land'). It distinguishes itself from siblings like 'detection_check_parent_child' by focusing on binary lookup.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit usage guidance: provide a filename (e.g., 'certutil.exe', 'curl', 'python'). It explains what happens if found or not found. However, it does not explicitly mention when not to use or alternative tools, so it's slightly less than perfect.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/detection-forge/agentic-detection-lookups'

If you have feedback or need assistance with the MCP directory API, please join our Discord server