We covered Living Off The Land Binaries that are frequently used in red team engagements. Living Off The Land Binaries are applications and executable that come pre-installed with the operating system. An example is bitsadmin.exe in Windows operating system and ping in Linux. The LOLBAS project contains all binaries that are categorized as living off the land and GTFO bins is its equivalent for Linux operating systems. This was part of the solution walkthrough of TryHackMe Living Off the Land.

Get OSCP Study Notes

The Complete Practical Web Application Penetration Testing Course

Highlights

Living Off the Land is a trending term in the red team community. The name is taken from real-life, living by eating the available food on the land. Similarly, adversaries and malware creators take advantage of a target computer’s built-in tools and utilities.

The following are some categories that Living Off the Land encompasses:

  • Reconnaissance
  • Files operations
  • Arbitrary code execution
  • Lateral movement
  • Security product bypass

Another example is LOLBAS which stands for Living Off the Land Binaries And Scripts and whose goal is to gather and document the Microsoft-signed and built-in tools used as  Living Off the Land techniques, including binaries, scripts, and libraries.

Additional resources

  • GTFOBins – The Linux version of the LOLBAS project.
  • Astaroth: Banking Trojan – A real-life malware analysis where they showcase using the Living Off the Land technique used by Malware.

Room Answers

Visit the LOLBAS project’s website and check out its functionalities. Then, using the search bar, find the ATT&CK ID: T1040. What is the binary’s name?

Pktmon.exe

Use the search bar to find more information about MSbuild.exe. What is the ATT&CK ID?T1127.001

Use the search bar to find more information about Scriptrunner.exe. What is the function of the binary?

Execute


Run bitsadmin.exe to download a file of your choice onto the attached Windows VM. Once you have executed the command successfully, an encoded flag file will be created automatically on the Desktop. What is the file name?

enc_thm_0YmFiOG_file.txt

Use the certutil.exe tool to decode the encoded flag file from question #1. In order to decode the file, we use -decode option as follow:

C:\Users\thm> certutil -decode Encoded_file payload.txt

THM{ea4e2b9f362320d098635d4bab8a568e}


Replicate the steps of the No PowerShell technique to receive a reverse shell on port 4444. Once a connection is established, a flag will be created automatically on the desktop. What is the content of the flag file?

THM{23005dc4369a0eef728aa39ff8cc3be2}

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles