Skip to main content

Introduction


Revision History​

DateAuthorSummary
14-OCT-2023TSgt. BernadotteInitial draft
21-MAR-2026CW2 BernadotteMajor expansion

Purpose​

The purpose of this document is to provide a comprehensive aid on leveraging Living Off the Land (LOL) techniques in Windows environments. All techniques in this document rely exclusively on signed Windows binaries and built-in system capabilities - no third-party tools or custom malware required on the victim. Grounded in the MITRE ATT&CK framework, this resource covers the full operator workflow from persistence and privilege escalation through credential access, with start-to-finish procedures showing how to reach each technique, what to do with the results, and how to clean up.

Operators are encouraged to adapt the provided examples to fit their operational context. This aid is not a one-size-fits-all blueprint - it is a versatile toolkit designed to support informed decisions during cyber threat emulation operations.

New to this document? Start with the Operational Workflow - a full kill-chain guide that routes you from initial shell to cleanup based on what you find on each host.

Technique Coverage​

SectionTechniques
PersistenceScheduled Task, Registry Run Keys, Startup Folder, Windows Service, Screensaver, BITS Jobs, WMI Event Subscription, IFEO Injection, COM Hijacking, Active Setup, Create Local Account, Accessibility Features
Privilege EscalationAlwaysInstallElevated (msiexec β†’ SYSTEM), Bypass UAC (Fodhelper / Control.exe), Unquoted Service Path, Services File Permissions Weakness, Services Registry Permissions Weakness
Credential AccessLSASS MiniDump (comsvcs.dll), SAM/SYSTEM/SECURITY Hive Export, NTDS.dit via Shadow Copy, Credential Manager (cmdkey / runas /savecred), Credentials in Files/Registry (findstr / reg query / netsh WiFi / PS history)
Lateral MovementSMB Admin Shares (net use), WMI Remote Process Creation, Remote Scheduled Task, Remote Service Creation, PowerShell Remoting
Defense EvasionRegsvr32 (Squiblydoo), Mshta (remote HTA / inline VBScript), Certutil (download / encode-decode), Wscript/Cscript (VBS/JS), Rundll32 (inline JavaScript), Obfuscation (-EncodedCommand, string concat, char arrays, reversal, caret/backtick escaping, alternate IEX), Disable Defender / Firewall / AuditPol / AMSI, Indicator Removal (wevtutil / timestomp / prefetch)
DiscoverySystem Info (systeminfo / wmic), User/Group Enumeration (net / whoami), Network Mapping (ipconfig / arp / netstat), Process & Service Enumeration (tasklist / wmic / sc.exe), Registry Intel (reg query)
CollectionClipboard Monitoring (Get-Clipboard), Keystroke Polling (GetAsyncKeyState P/Invoke), Low-Level Keyboard Hook (SetWindowsHookEx P/Invoke)
Command and ControlBITSAdmin HTTP/HTTPS Download, EsentUtl UNC File Copy, Expand Cabinet / UNC Copy, MsiExec Remote MSI Download+Execute, FTP Script Mode

LOL Binary Reference​

All victim-side execution in this document uses only the following Windows built-in binaries:

BinaryUsed For
schtasks.exeScheduled task creation - local and remote
reg.exeRegistry modification and hive export
sc.exeService creation and control - local and remote
bitsadmin.exeBITS job management
rundll32.exeDLL function invocation (comsvcs.dll MiniDump)
vssadmin.exeShadow copy management
takeown.exe / icacls.exeFile permission modification
net.exeAccount/group/session/share management and SMB session control
wmic.exeRemote process creation, service enumeration
powershell.exeScripting and in-memory execution throughout
cmd.exeShell execution
regsvr32.exeRemote scriptlet (SCT) execution - AppLocker bypass
mshta.exeHTA and inline VBScript execution
certutil.exeFile download and base64 encode/decode
wscript.exe / cscript.exeVBScript and JScript execution
whoami.exeUser identity and privilege enumeration
ipconfig.exeNetwork adapter and DNS configuration
arp.exeARP cache - recently contacted hosts
netstat.exeActive connections and listening ports
tasklist.exeRunning process enumeration
nbtstat.exeNetBIOS name resolution
nltest.exeDomain controller identification
route.exeRouting table
esentutl.exeFile copy from UNC/SMB path
expand.exeCabinet extraction and UNC file copy
msiexec.exeRemote MSI download and execution
ftp.exeScript-mode FTP file download
cmdkey.exeCredential Manager enumeration and credential implant
runas.exeExecute commands using saved Credential Manager entries
csc.exeC# compiler - compile service EXEs and DLLs on-victim
netsh.exeFirewall management and WiFi password retrieval
auditpol.exeAudit policy enumeration and modification
wevtutil.exeEvent log enumeration, export, and clearing
cipher.exeFree-space overwrite for secure file deletion
fsutil.exeUSN journal management
findstr.exeRecursive file content search for credential strings