lolbins.psm1
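# Helpers for inventorying LOLBAS (living-off-the-land binaries and scripts)
# entries on the local host: load the catalogue, query it, and report which
# catalogued binaries are actually present on disk.

function Import-LOLBASData {
    <#
    .SYNOPSIS
        Loads the LOLBAS catalogue from a JSON file and returns the parsed objects.
    .PARAMETER Path
        Path of the JSON file to read.
    .OUTPUTS
        Whatever ConvertFrom-Json produces for the file content.
    .NOTES
        NOTE(review): the parsed data later decides which file-system paths are
        probed, so keep the JSON file somewhere only trusted accounts can write.
    #>
    param (
        [string]$Path
    )

    # -Raw hands the whole file to ConvertFrom-Json as a single string.
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    return $json
}

function Get-LOLBINDetail {
    <#
    .SYNOPSIS
        Returns the catalogue entries whose Name equals the given LOLBIN name.
    .PARAMETER LOLBINName
        Name to look up (compared with -eq, so the match is case-insensitive).
    .PARAMETER LOLBASData
        Catalogue entries; accepted from the pipeline. When omitted, the
        $LOLBASData variable visible from the enclosing scopes is used.
    #>
    param (
        [Parameter(Mandatory=$true)]
        [string]$LOLBINName,

        [Parameter(ValueFromPipeline=$true)]
        $LOLBASData = $LOLBASData
    )

    # A process block is required for pipeline input: without it only the
    # last piped entry would ever be bound to $LOLBASData.
    process {
        $LOLBASData | Where-Object { $_.Name -eq $LOLBINName }
    }
}

function Find-LOLBINCommandsByProperty {
    <#
    .SYNOPSIS
        Lists every catalogued command whose given property equals a value.
    .PARAMETER PropertyName
        Name of the command property to compare (for example Category).
    .PARAMETER PropertyValue
        Value the property must equal.
    .PARAMETER LOLBASData
        Catalogue entries, passed as an argument or through the pipeline.
    .OUTPUTS
        One PSCustomObject per matching command, carrying the owning entry's
        Name plus the command's descriptive fields.
    #>
    param (
        [Parameter(Mandatory=$true)]
        [string]$PropertyName,

        [Parameter(Mandatory=$true)]
        [string]$PropertyValue,

        [Parameter(ValueFromPipeline=$true)]
        $LOLBASData
    )

    process {
        foreach ($entry in $LOLBASData) {
            # Filter this entry's commands on the requested property.
            $commands = $entry.Commands | Where-Object { $_.$PropertyName -eq $PropertyValue }
            if ($commands) {
                foreach ($command in $commands) {
                    # Emit straight to the output stream; growing an array
                    # with += copies the whole array on every match.
                    [PSCustomObject]@{
                        Name            = $entry.Name
                        Command         = $command.Command
                        Description     = $command.Description
                        Usecase         = $command.Usecase
                        Category        = $command.Category
                        Privileges      = $command.Privileges
                        MitreID         = $command.MitreID
                        OperatingSystem = $command.OperatingSystem
                    }
                }
            }
        }
    }
}

function Get-LOLBINFilePaths {
    <#
    .SYNOPSIS
        Flattens the catalogue into (Name, FullPath) pairs.
    .PARAMETER LOLBASData
        Catalogue entries, passed as an argument or through the pipeline.
    .OUTPUTS
        One PSCustomObject per Full_Path item of every entry that has any.
    #>
    param (
        [Parameter(ValueFromPipeline=$true)]
        $LOLBASData
    )

    process {
        foreach ($entry in $LOLBASData) {
            # Entries without a Full_Path list contribute nothing.
            if ($entry.Full_Path) {
                foreach ($path in $entry.Full_Path) {
                    [PSCustomObject]@{
                        Name     = $entry.Name
                        FullPath = $path.Path
                    }
                }
            }
        }
    }
}

function Test-LOLBINFilePathExistence {
    <#
    .SYNOPSIS
        Returns the (Name, FullPath) pairs whose FullPath exists on this host.
    .PARAMETER LOLBINFilePaths
        Objects with a FullPath property, as produced by Get-LOLBINFilePaths;
        accepted as an argument or through the pipeline.
    .NOTES
        NOTE(review): Test-Path -Path expands wildcard characters, and a UNC
        path in the catalogue makes this host contact the named server. Both
        are acceptable only while the catalogue file is trusted.
    #>
    param (
        [Parameter(ValueFromPipeline=$true)]
        $LOLBINFilePaths
    )

    process {
        foreach ($item in $LOLBINFilePaths) {
            # An entry without a usable path would make Test-Path raise a
            # binding error instead of answering "not present".
            if ([string]::IsNullOrWhiteSpace($item.FullPath)) {
                continue
            }

            if (Test-Path -Path $item.FullPath) {
                $item
            }
        }
    }
}

# Catalogue file expected next to this module.
$path = "$PsScriptRoot\lolbas.json"

function Invoke-LOLBINAnalysis {
    <#
    .SYNOPSIS
        Loads the catalogue and determines which catalogued paths exist locally.
    .OUTPUTS
        Two values, in order: the parsed catalogue, then the existing
        (Name, FullPath) pairs.
    .NOTES
        Reads the catalogue location from the module-level $path variable.
    #>

    # Load LOLBAS data
    $LOLBASData = Import-LOLBASData -Path $path

    # Get all file paths for LOLBINs
    $LOLBINFilePaths = Get-LOLBINFilePaths -LOLBASData $LOLBASData

    # Verify which paths exist and store them in a new object
    $ExistingLOLBINPaths = Test-LOLBINFilePathExistence -LOLBINFilePaths $LOLBINFilePaths

    Return $LOLBASData, $ExistingLOLBINPaths
}

# Runs once when the module is loaded. The trailing pipe means this statement
# continues on the line that follows it in the file.
$LOLBASData, $ExistingLOLBINPaths = Invoke-LOLBINAnalysis |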