Create LOLBINS_File_Info

[marktsec]

As a security researcher, LOLBINS file information is required while writing rules. I would like to contribute this information to your project in order to add missing data for LOLBIN files. This table doesn't include all LOLBINS, but it's a good start.

[josehelps]

👋 Hey! Thanks for this contribution. The file metadata looks useful for detection rules!

I have some quick questions:

• How do you plan to use this data?
• Are you building detection tools that need file hashes?

I'm concerned about having this as a separate table. The YAML files already have file paths, and adding the same data in two places makes maintenance harder. Also, you mentioned hashes change with OS versions, so we'd need frequent updates.
What if we add this info directly to the YAML files instead? We could add fields like Internal_Name and SHA256 to the existing Full_Path sections. This keeps everything together and matches the project structure.

Can you tell me more about your use case? That would help us find the best way to integrate this data.

Thanks for contributing!

[marktsec]

Hey, Thanks for your thoughtful feedback — I'm glad to hear the metadata looks useful! Use Case & Detection Value: This type of metadata can be very helpful for researchers and detection engineers when writing detection rules. The most detection-relevant and stable fields across OS versions are: Internal_Name Original_File_Name Product_Name FileDescription (optional but valuable for added context) File_Hash (optional) These fields are especially useful in scenarios such as identifying LOLBINS binaries executing from both expected and unexpected locations, as well as detecting abuse techniques like masquerading, DLL hijacking, and other forms of binary tampering. I understand your concern about maintaining this data in a separate table. I’m open to adjust the contribution to embed the metadata directly into the existing YAML structure. Please let me know if you have preferred field names or formatting guidelines — I’m happy to update the PR accordingly. Thanks again for your time and feedback! Best regards, Mark

…

On Sun, Jun 29, 2025 at 7:34 PM Jose Enrique Hernandez < ***@***.***> wrote: *josehelps* left a comment (LOLBAS-Project/LOLBAS#398) <#398 (comment)> 👋 Hey! Thanks for this contribution. The file metadata looks useful for detection rules! I have some quick questions: - How do you plan to use this data? - Are you building detection tools that need file hashes? I'm concerned about having this as a separate table. The YAML files already have file paths, and adding the same data in two places makes maintenance harder. Also, you mentioned hashes change with OS versions, so we'd need frequent updates. What if we add this info directly to the YAML files instead? We could add fields like Internal_Name and SHA256 to the existing Full_Path sections. This keeps everything together and matches the project structure. Can you tell me more about your use case? That would help us find the best way to integrate this data. Thanks for contributing! — Reply to this email directly, view it on GitHub <#398 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BFZ3PFK3S7WGEWECHBJE7YT3GAIQZAVCNFSM6AAAAACAMLYFD2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAMJWHAZTQNRVGY> . You are receiving this because you were assigned.Message ID: ***@***.***>