Introducing LOOBins

Brendan Chamberlain
3 min readMay 25, 2023

I am excited to announce the release of Living Off the Orchard: macOS Binaries (LOOBins). LOOBins is a new “living off the land” open-source project that aims to help defensive, offensive, and research cybersecurity professionals understand how various macOS binaries could be used for malicious purposes.

The LOOBins website can be found here: https://loobins.io

Before proceeding, I want to thank everyone who took time to contribute!

  • Jonathan Bar Or (@yo_yo_yo_jbo)
  • Cedric Owens (@cedowens)
  • Will Huang (@In0de_16)
  • Jason Trost (@jason_trost)
  • Chris Campbell (@texasbe2trill)
  • Leo Pitt (@_D00mfist)
  • Mark Morowczynsk (@markmorow)
  • Megan Carney (@PwnieFan)
  • Pratik Jeware (@Pratik-987)
  • ezaspy

Why LOOBins?

After taking advantage of the valuable information included in the LOLBAS and GTFOBins projects, I couldn’t help but wonder, “does something like this exist for macOS?” I posed the question on Twitter and received a symphony of crickets:

I started working on the project that night.

What is LOOBins?

LOOBins is a library of macOS binaries that can be used for “living off the land” techniques. The list is comprised of binaries that are shipped with macOS and does not include binaries detailed in GTFOBins with some special exceptions (e.g., sqlite3). Each LOOBin is categorized into MITRE ATT&CK tactics and various tags, allowing viewers to easily navigate and locate information on the macOS LOOBins of interest. Additionally, the resource provides example uses of each binary, recommendations and signatures on how to best detect malicious activity, and links to other third-party resources.

How can I use LOOBins?

The LOOBins website can be found here: https://loobins.io

LOOBins can also be programmatically consumed using the JSON API or by using the Python SDK/CLI tool, PyLOOBins.

How can I get involved?

We need your help! LOOBins is a living project and will likely never be complete. It will require continuous updating as new binaries and/or use cases are discovered by the community. Here are a few ways you can help:

  • Add new LOOBin binaries
  • Update existing LOOBin binaries by adding new use cases, detection sources, resources, or by simply fixing a typo
  • Help develop and maintain the PyLOOBins Python SDK/CLI
  • Submit an issue for any problems that you are experiencing with the website or PyLOOBins SDK/CLI

If you would like to contribute, please see our contribution guidelines.

How Can I Keep Up to Date with LOOBins?

There are a few ways that you can stay up to date with LOOBins:

  • Follow me on Twitter (@infosecb), Mastodon, and/or Medium; I will be posting updates as LOOBins are added or updated. I’ll also be posting about new features and updates to the website and PyLOOBins SDK/CLI
  • Star the LOOBins Github project: Updates will be included in the Releases section of the project

Thanks again to everyone who helped get this project off the ground. I hope that you all find value in this project and I look forward to seeing how the community uses LOOBins. Please help spread the word about LOOBins and don’t hesitate to reach out if you have any questions or feedback. Thanks for reading!

--

--

Brendan Chamberlain

Blue Team cybersecurity professional specializing in threat detection. Python and PowerShell developer.