LOLBAS Odyssey: Tracing the Path of Finding Hidden Gems in Executables

Thursday, September 14, 2023

9:00 AM - 10:00 AM PDT

60 minutes, including Q&A

LOLBAS leverage legitimate binaries and scripts for malicious purposes making them hard to catch. They also happen to be one of the growing trends in cybersecurity attacks and are found in most cyber attack campaigns. Armed with this knowledge, Pentera Labs set out to find new official LOLBAS, increasing the number of known LOLBAS downloaders by 30%.

Follow Pentera researcher Nir Chako’s journey as he traces the path to identifying new LOLBAS executables and functions manually, and then as he writes the automation to find more at scale.

This session will help Red Teamers uncover their own LOLBAS gems, while Blue Teamers can learn how to proactively protect against these new threats.

Sign up to go on the LOLBAS odyssey!

Sponsored by:



Nir Chako

Senior Security Researcher


Nir Chako is a Senior Security Researcher at Pentera Labs. His primary research areas are Network Defense, Linux OS and DevOps Security. Prior to Pentera, Nir spent two and a half years at CyberArk Labs as a Researcher and Research Team Leader and was also the Team Leader of an Israel Defense Force (IDF) Red Team.

Oddvar Moe

Head of official LOLBAS open source project


Oddvar is a Principal Security Consultant working as a Red Teamer in the Targeted Operations Group at TrustedSec. Working with Red Teaming towards Fortune 100 companies Oddvar has gained a lot of experience from some of the most secure customers in the world. He has more than 20 years of working experience in the IT industry and is passionate about Windows Security, so passionate that Microsoft has awarded him the Most Valuable Professional Award 8 years in row.

As a speaker he has delivered top notch sessions at conferences such as DerbyCon, IT Dev Connections, Paranoia, HackCon, Microsoft Security Week and Nordic Infrastructure Conference. He also actively contributes to the security community and he is most known for his contributions around the LOLBins/LOLBAS and the Ultimate AppLocker Bypasslist.

He has also discovered several weaknesses (CVE) in the Windows operating system and found several new persistence techniques that have since then been used by APT groups. Oddvar also actively blogs about techniques and releases tools to the community.

Terry Sweeney


Black Hat

Terry Sweeney is a Los Angeles-based writer and editor who's covered business technology for three decades. He's written about cyber security for more than 15 years and was one of the founding editors of Dark Reading. Sweeney has covered enterprise networking extensively, as well as its supporting technologies like storage, wireless, cloud-based apps and the emerging Internet of Things. He's been a contributing editor to The Washington Post, Crain’s New York Business, Red Herring, Information Week, Network World, SearchAWS.com, and Stadium Tech Report.

Sustaining Partners