aaron-kidwell / goLoL

goLoL is a Windows host scanner that finds an always up to date listing of LOLBAS binaries present on the current machine and lists techniques you can run at your current privilege level with MITRE ATT&CK mappings and example commands.

69% credibility
Found May 23, 2026 at 15 stars.
Go
AI Summary

goLoL is a security research tool that helps you discover which legitimate Windows programs are installed on your computer. After automatically determining your permission level, it downloads a public catalog and scans your system to show you which programs are available and what each one can do. Results are filtered based on whether you're a regular user, administrator, or system-level user. Each program includes example commands and maps to known security techniques used by security researchers and defenders.

How It Works

1. 🔍 You hear about a security research project

   Someone mentions goLoL - a tool that catalogs legitimate Windows programs that can be used for various tasks.

2. ⚙️ You install and run the program

   The tool launches and automatically checks your current account's permission level on your computer.

3. 🌐 The program downloads a public list

   It retrieves an updated catalog of known programs from a well-known security research website.

4. 🔎 Your computer gets scanned

   The program checks which of these programs are actually present on your machine, one by one.

5. Results filtered to your access level

   - 👤 Standard user sees basic programs: you see programs available to everyday users.
   - 🛡️ Administrator sees more options: you see additional programs that require admin access.
   - 🔐 System user sees everything: you see all programs, including system-level ones.

6. 📊 You explore what's possible

   For each program found, you see example commands, what each one does, and which security techniques they relate to.

You understand your system's capabilities

You have a clear picture of which legitimate programs are installed and what tasks they can accomplish at your privilege level.

AI-Generated Review

What is goLoL?

goLoL is a Windows host scanner that discovers LOLBAS (Living Off the Land Binaries, Scripts, and Libraries) present on your machine and shows you which attack techniques you can actually execute at your current privilege level. Built in Go, it pulls a live catalog from the LOLBAS project and cross-references it against binaries found on disk, filtering results based on whether you're running as SYSTEM, administrator, or a standard user. Each technique maps to MITRE ATT&CK IDs with human-readable labels and example commands you can copy-paste.

The CLI supports searching for specific binaries, sorting output by binary name, privilege tier, or ATT&CK ID, and a plain-text mode for use over reverse shells. It handles Windows path resolution intelligently, mapping documented paths to your actual environment variables.

Why is it gaining traction?

This fills a gap for red teamers and security assessors who need quick answers: "What LOLBAS binaries exist on this host, and what can I actually do with them given my current token?" The privilege-aware filtering is the key differentiator—you see only what's runnable from your seat, not a wall of every known technique. The live API fetch means the catalog stays current without you updating the tool.

Who should use this?

Penetration testers running post-exploitation enumeration on Windows targets will find this most useful. Blue team defenders can use it to understand what LOLBAS activity their environment might permit. SOC analysts learning ATT&CK mappings will benefit from the inline technique labels and example commands.

Verdict

A focused, well-designed tool for a specific security workflow. The 69% credibility score reflects its early stage (just 15 stars and minimal community validation), so treat it as a useful script to evaluate in testing environments rather than production tooling. The Go implementation and privilege detection logic appear sound, but the low maturity means you should verify behavior against your own targets before relying on it operationally.
