What's included
Legion has a built-in reference library with cheat sheets, tools, and resources that work completely offline. Everything is searchable and available without an internet connection, which matters when you're working in an air-gapped or restricted environment.
GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to break out of restricted environments or escalate privileges. If you land on a box and need to escalate, look up the binaries available to you and GTFOBins will show you exactly how to use them. Common examples include find, vim, python, awk, and tar. Each entry shows the specific command needed for shell spawning, file read, file write, SUID exploitation, and more.
LOLBAS
LOLBAS stands for Living Off The Land Binaries and Scripts. It covers the Windows equivalent of GTFOBins. If you're on a Windows target and need to download a file, run a payload, or move laterally without dropping custom tools, LOLBAS shows you which built-in Windows binaries can do it. Things like certutil, mshta, rundll32, and wmic all have documented abuse cases here. Useful for staying within what's already on the machine.
WADComs
WADComs is a cheat sheet focused on Windows and Active Directory attacks. It covers the commands you need for common AD techniques like Kerberoasting, AS-REP roasting, Pass-the-Hash, DCSync, and BloodHound enumeration. Each entry shows the exact command syntax for the relevant tool, whether that's Impacket, CrackMapExec, Rubeus, or others. It's the fastest way to look up a command mid-task without stopping to search.
Reverse Shells
The reverse shell generator builds a ready-to-use reverse shell command based on the OS and language you pick. Select your target platform, choose from options like bash, Python, PHP, PowerShell, Ruby, or netcat, enter your IP and port, and it gives you the full command to paste. You can also start a netcat listener directly from the same screen with one click so both sides are ready at the same time.
Payloads & Dorks
This section has injection payloads for web application testing. XSS payloads, SQL injection strings, SSTI templates, and path traversal sequences are all here organized by type. It also includes Google dork templates for finding exposed login pages, open directories, and sensitive files indexed by search engines. Useful for manual web app testing when you want a quick reference without switching out of the app.
CVE Browser
The CVE browser lets you search for known vulnerabilities by keyword or product name. It pulls from the NVD (National Vulnerability Database) at nvd.gov, which is updated regularly so you're working with current data. If you identify a specific software version during recon, you can look it up here to see what CVEs exist for it without needing a browser. Results show the CVE ID, severity score, and a description of the vulnerability.
To use the CVE browser, add your NVD API key in the Settings menu. You can get a free key at nvd.nist.gov. Without a key it still works, but requests are rate limited.
CyberChef Lite
CyberChef Lite is a stripped-down version of the CyberChef data transformation tool that runs entirely offline inside Legion. You can encode and decode base64, URL-encode strings, compute MD5, SHA1, and SHA256 hashes, convert hex, and run basic transforms on data you collect during a task. It covers the operations you reach for most often without needing the full browser-based tool.
Using the library
Open the Library section from the left sidebar. Use the search bar to find what you need across all categories at once, or browse by section. Everything is formatted for quick scanning rather than reading top to bottom.