What Is goLoL?
goLoL is one of the best Windows security scanners for Windows red teamers, pentesters, and blue team defenders. Built by Aaron Kidwell, it scans a live Windows endpoint for LOLBAS binaries, shows only the techniques your current token can run, and annotates results with MITRE ATT&CK IDs and example commands. The README example reports 147 binaries and 299 techniques, which is enough coverage to make host triage materially faster without adding an agent.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Windows Security Scanners |
| Best For | Windows red teamers, pentesters, and blue team defenders |
| Language/Stack | Go 1.21+ on Windows, LOLBAS JSON API, MITRE ATT&CK mappings |
| License | MIT |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | N/A |
Who Should Use goLoL?
- Red teamers doing local LOLBAS discovery who need a quick way to see what binaries already exist on a host before planning an assessment path.
- Pentesters working under time pressure who want a command-line inventory of abuse primitives without manually checking `%WINDIR%`, `%ProgramFiles%`, or `%USERPROFILE%` locations.
- Blue team analysts validating exposure who need to understand which LOLBAS techniques are actually reachable at standard-user, administrator, or SYSTEM privilege.
- Incident responders on Windows endpoints who want a fast read on whether living-off-the-land binaries are present and relevant to the current machine.
Not ideal for:
- OPSEC-sensitive intrusions where fetching a live catalog and enumerating host binaries is too noisy.
- Offline or air-gapped workflows because goLoL downloads the LOLBAS catalog on each run and does not cache it offline.
- Linux/macOS-first teams since the privilege detection logic is Windows-centric and non-Windows builds only stub the checks.
Key Features of goLoL
- Live LOLBAS catalog — goLoL pulls `https://lolbas-project.github.io/api/lolbas.json` every run, so the binary list reflects the current LOLBAS project state instead of a stale bundled snapshot. That matters when new LOLBAS entries land and you need the scanner to know about them immediately.
- Privilege-aware filtering — it distinguishes between standard user, local Administrators group member, and SYSTEM, then suppresses techniques that are not reachable from the current token tier. SYSTEM-only entries stay hidden unless the process token is `S-1-5-18`.
- On-disk path resolution — documented LOLBAS paths are remapped into local Windows locations such as `%WINDIR%`, `%ProgramFiles%`, `%USERPROFILE%`, and WindowsApps. That lets goLoL confirm whether the binary is actually present instead of assuming the reference path exists unchanged.
- MITRE ATT&CK labeling — technique IDs are converted into readable labels, such as `T1003.003: NTDS`, so triage does not require a second lookup against the ATT&CK Navigator. That is useful when you want to pivot from binary inventory to likely abuse paths in one pass.
- Flexible sort modes — the `-sort` flag supports `binary`, `privilege`, and `attack`, with aliases like `priv` and `mitre`. This makes goLoL useful both as an inventory tool and as a prioritization tool when you want the most dangerous items first.
- Plain output mode — `-plain` strips Unicode, color, and cursor control for reverse shells, telnet sessions, and other unstable terminals. That is a practical feature when the target shell is brittle and ANSI sequences would wreck readability.
- Low process overhead — file existence checks are done through Go APIs, and local admin detection uses a single `net localgroup` child process on Windows. That keeps the scanner lightweight enough for ad hoc host checks without spinning up a heavy runtime.
goLoL vs Alternatives
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| goLoL | Live LOLBAS discovery on a Windows host | Current catalog ingestion plus privilege-tier filtering and ATT&CK mapping | Open-Source |
| Seatbelt | Broader Windows host reconnaissance | Wider system enumeration, not focused specifically on LOLBAS presence | Open-Source |
| AV Chaos Monkey | Lab validation of endpoint defenses | Simulates detection pressure rather than enumerating abuse binaries | Open-Source |
| OpenTrace | Host telemetry and trace correlation | Helps interpret activity after discovery instead of finding LOLBAS binaries themselves | Open-Source |
Pick goLoL when the question is "which LOLBAS binaries do I actually have on this box, and what can I do with them right now?" Pick Seatbelt when you need wider Windows reconnaissance across services, sessions, and security posture. If your goal is detector validation instead of discovery, AV Chaos Monkey is the better fit. If you are correlating host behavior after enumeration, pair the results with OpenTrace so the discovery output sits next to telemetry.
How goLoL Works
goLoL uses a simple pipeline: detect the current privilege context, fetch the LOLBAS catalog, resolve documented paths to the local filesystem, deduplicate by resolved path, and print only the commands that are runnable from the current token tier. The data model is effectively a LOLBAS entry with a binary name, a local path check, one or more ATT&CK technique IDs, and metadata that describes whether the technique requires user, administrator, or SYSTEM context.
The design choice is intentionally boring in the best possible way. Instead of shipping a static database, goLoL treats the LOLBAS project as the source of truth and turns the scanner into a thin Windows-aware projection layer over that catalog. That reduces maintenance burden and keeps the output aligned with the upstream project, which is the right tradeoff for a utility that is supposed to be used during live assessments.
```powershell
# triage the host with output that survives weak shells
go run . -plain -sort attack

# check whether a specific binary is present
.\golol.exe -s certutil
```

The first command prints a compact, ASCII-only summary grouped by ATT&CK technique, which is useful when you are moving quickly through a shell that does not handle ANSI well. The second command narrows the output to a single binary and tells you whether it exists on disk, which is the fastest way to answer "is this host exposed to certutil-style LOLBAS abuse?"
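The pipeline described above (token tier detection, reference-path remapping, on-disk presence check, privilege-tier filtering, deduplication, and ATT&CK-ordered output) and the privilege-aware filtering and path-resolution features from the feature list, written out as an added example. This is not goLoL's own code. The JSON field names are an assumption about the LOLBAS API shape, the sample catalog and the set of "present" files are constructed, the commands are placeholders rather than real LOLBAS commands, and `tokenTier`, `requiredTier`, `remapPath` and `triage` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Entry is the subset of a LOLBAS catalog record this example needs; the JSON
// field names are an assumption about the LOLBAS API shape, not verified here.
type Entry struct {
	Name     string                                         `json:"Name"`
	FullPath []struct{ Path string }                        `json:"Full_Path"`
	Commands []struct{ Command, Privileges, MitreID string } `json:"Commands"`
}

// Finding is one technique that is both present on disk and reachable from the token.
type Finding struct{ Binary, LocalPath, MitreID, Privileges, Command string }

// Constructed sample catalog: not real LOLBAS data, and the commands are placeholders.
const sampleCatalog = `[
 {"Name":"Certutil.exe","Full_Path":[{"Path":"C:\\Windows\\System32\\certutil.exe"},{"Path":"C:\\Windows\\SysWOW64\\certutil.exe"}],
  "Commands":[{"Command":"<placeholder 1>","Privileges":"User","MitreID":"T1105"},
              {"Command":"<placeholder 2>","Privileges":"User","MitreID":"T1027"}]},
 {"Name":"Ntdsutil.exe","Full_Path":[{"Path":"C:\\Windows\\System32\\ntdsutil.exe"}],
  "Commands":[{"Command":"<placeholder 3>","Privileges":"Administrator","MitreID":"T1003.003"}]},
 {"Name":"Absent.exe","Full_Path":[{"Path":"C:\\Program Files\\Absent\\absent.exe"}],
  "Commands":[{"Command":"<placeholder 4>","Privileges":"User","MitreID":"T1218"}]}]`

func loadCatalog(raw string) ([]Entry, error) {
	var entries []Entry
	err := json.Unmarshal([]byte(raw), &entries)
	return entries, err
}

// tokenTier: 2 = SYSTEM (SID S-1-5-18), 1 = local Administrators member, 0 = standard user.
func tokenTier(userSID string, isLocalAdmin bool) int {
	if userSID == "S-1-5-18" {
		return 2
	}
	if isLocalAdmin {
		return 1
	}
	return 0
}

// requiredTier maps a catalog privilege string onto the same three tiers.
func requiredTier(priv string) int {
	switch strings.ToLower(strings.TrimSpace(priv)) {
	case "system":
		return 2
	case "administrator", "admin":
		return 1
	}
	return 0 // "User" and unrecognised values count as standard user
}

// remapPath rewrites documented reference paths onto this host's well-known folders
// (C:\Windows\ -> %WINDIR%, C:\Program Files\ -> %ProgramFiles%) using the env map.
func remapPath(p string, env map[string]string) string {
	rules := [][2]string{{`C:\Windows\`, "WINDIR"}, {`C:\Program Files\`, "ProgramFiles"}, {`C:\Users\<user>\`, "USERPROFILE"}}
	for _, r := range rules {
		if base, ok := env[r[1]]; ok && strings.HasPrefix(strings.ToLower(p), strings.ToLower(r[0])) {
			return strings.TrimRight(base, `\`) + `\` + p[len(r[0]):]
		}
	}
	return p
}

// triage runs the pipeline: resolve paths, keep binaries that exist, drop techniques
// above the current tier, dedupe by resolved path + command, and sort by ATT&CK ID.
func triage(entries []Entry, currentTier int, env map[string]string, exists func(string) bool) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, e := range entries {
		local := ""
		for _, fp := range e.FullPath {
			if cand := remapPath(fp.Path, env); exists(cand) {
				local = cand
				break
			}
		}
		if local == "" {
			continue // binary is not on this host
		}
		for _, c := range e.Commands {
			key := strings.ToLower(local) + "|" + c.Command
			if requiredTier(c.Privileges) > currentTier || seen[key] {
				continue // unreachable from this token, or already reported
			}
			seen[key] = true
			out = append(out, Finding{e.Name, local, c.MitreID, c.Privileges, c.Command})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].MitreID != out[j].MitreID {
			return out[i].MitreID < out[j].MitreID
		}
		return out[i].Binary < out[j].Binary
	})
	return out
}

func main() {
	entries, err := loadCatalog(sampleCatalog)
	if err != nil {
		fmt.Println("catalog parse error:", err)
		return
	}
	// Constructed host: a fake environment and file set so the demo runs on any OS.
	// A real scanner would pass os.Getenv values and an os.Stat-based exists func.
	env := map[string]string{"WINDIR": `C:\Windows`, "ProgramFiles": `C:\Program Files`}
	present := map[string]bool{`C:\Windows\System32\certutil.exe`: true, `C:\Windows\System32\ntdsutil.exe`: true}
	for _, f := range triage(entries, tokenTier("S-1-5-21-1-2-3-1001", false), env, func(p string) bool { return present[p] }) {
		fmt.Printf("%-10s %-14s %-13s %s\n", f.MitreID, f.Privileges, f.Binary, f.LocalPath)
	}
}
```

Run as a standard user (tier 0) the constructed host yields only the two certutil techniques; raising the tier to 1 adds the Administrator-only ntdsutil entry, and `Absent.exe` never appears because its remapped path does not exist. Injecting `env` and `exists` rather than reading the real environment is what lets the same pipeline be exercised on a non-Windows build box, which matches the page's point that the Windows-specific part is only the token and filesystem probing, not the projection over the catalog.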
Pros and Cons of goLoL
Pros:
- Live data source keeps the catalog current without a manual refresh workflow.
- Privilege filtering removes techniques you cannot execute from the current token, which cuts down on noise.
- ATT&CK IDs and labels make it easier to communicate findings to both offensive and defensive teams.
- Path remapping is practical on real Windows endpoints where documented paths often need local translation.
- Plain output mode works in brittle shells where color and cursor control are a liability.
- Small operational footprint means the tool is suitable for quick checks on a live endpoint.
Cons:
- Not OPSEC safe for stealth-sensitive operations because it downloads the catalog and enumerates the filesystem.
- Requires network access on each run, so it is a poor fit for disconnected or tightly controlled environments.
- Windows-first behavior means non-Windows builds do not give you the same privilege checks or workflow.
- Not a full host inventory suite because it focuses on LOLBAS discovery rather than broad system reconnaissance.
- Admin-tier commands may still need elevation even when the account belongs to the Administrators group.
Getting Started with goLoL
```powershell
git clone https://github.com/aaron-kidwell/goLoL.git
cd goLoL
go build -ldflags="-s -w" -trimpath -o golol.exe .
.\golol.exe -plain -sort attack
```

If you prefer a remote install path, `go install github.com/aaron-kidwell/goLoL@latest` also works when a tagged release is available. After the first run, goLoL fetches the LOLBAS catalog, checks your current privilege level, and prints only the binaries and techniques that match what the host can actually run. If you use `go install`, make sure your `GOPATH/bin` directory is on `PATH`; if you build locally, run it from the module root so the `internal/` packages resolve correctly.
Verdict
goLoL is the strongest option for Windows LOLBAS enumeration when you need current, privilege-aware coverage without an agent. Its biggest strength is the live catalog plus ATT&CK mapping, and its main caveat is that it is not OPSEC safe and depends on network access. Use it for lab work, triage, and authorized assessments; do not treat it as a stealth tool.