Introduction
Revision Historyβ
| Date | Author | Summary |
|---|---|---|
| 14-OCT-2023 | TSgt. Bernadotte | Initial draft |
| 21-MAR-2026 | CW2 Bernadotte | Major expansion |
Purposeβ
The purpose of this document is to provide a comprehensive aid on leveraging Living Off the Land (LOL) techniques in Windows environments. All techniques in this document rely exclusively on signed Windows binaries and built-in system capabilities - no third-party tools or custom malware required on the victim. Grounded in the MITRE ATT&CK framework, this resource covers the full operator workflow from persistence and privilege escalation through credential access, with start-to-finish procedures showing how to reach each technique, what to do with the results, and how to clean up.
Operators are encouraged to adapt the provided examples to fit their operational context. This aid is not a one-size-fits-all blueprint - it is a versatile toolkit designed to support informed decisions during cyber threat emulation operations.
New to this document? Start with the Operational Workflow - a full kill-chain guide that routes you from initial shell to cleanup based on what you find on each host.
Technique Coverageβ
| Section | Techniques |
|---|---|
| Persistence | Scheduled Task, Registry Run Keys, Startup Folder, Windows Service, Screensaver, BITS Jobs, WMI Event Subscription, IFEO Injection, COM Hijacking, Active Setup, Create Local Account, Accessibility Features |
| Privilege Escalation | AlwaysInstallElevated (msiexec β SYSTEM), Bypass UAC (Fodhelper / Control.exe), Unquoted Service Path, Services File Permissions Weakness, Services Registry Permissions Weakness |
| Credential Access | LSASS MiniDump (comsvcs.dll), SAM/SYSTEM/SECURITY Hive Export, NTDS.dit via Shadow Copy, Credential Manager (cmdkey / runas /savecred), Credentials in Files/Registry (findstr / reg query / netsh WiFi / PS history) |
| Lateral Movement | SMB Admin Shares (net use), WMI Remote Process Creation, Remote Scheduled Task, Remote Service Creation, PowerShell Remoting |
| Defense Evasion | Regsvr32 (Squiblydoo), Mshta (remote HTA / inline VBScript), Certutil (download / encode-decode), Wscript/Cscript (VBS/JS), Rundll32 (inline JavaScript), Obfuscation (-EncodedCommand, string concat, char arrays, reversal, caret/backtick escaping, alternate IEX), Disable Defender / Firewall / AuditPol / AMSI, Indicator Removal (wevtutil / timestomp / prefetch) |
| Discovery | System Info (systeminfo / wmic), User/Group Enumeration (net / whoami), Network Mapping (ipconfig / arp / netstat), Process & Service Enumeration (tasklist / wmic / sc.exe), Registry Intel (reg query) |
| Collection | Clipboard Monitoring (Get-Clipboard), Keystroke Polling (GetAsyncKeyState P/Invoke), Low-Level Keyboard Hook (SetWindowsHookEx P/Invoke) |
| Command and Control | BITSAdmin HTTP/HTTPS Download, EsentUtl UNC File Copy, Expand Cabinet / UNC Copy, MsiExec Remote MSI Download+Execute, FTP Script Mode |
LOL Binary Referenceβ
All victim-side execution in this document uses only the following Windows built-in binaries:
| Binary | Used For |
|---|---|
schtasks.exe | Scheduled task creation - local and remote |
reg.exe | Registry modification and hive export |
sc.exe | Service creation and control - local and remote |
bitsadmin.exe | BITS job management |
rundll32.exe | DLL function invocation (comsvcs.dll MiniDump) |
vssadmin.exe | Shadow copy management |
takeown.exe / icacls.exe | File permission modification |
net.exe | Account/group/session/share management and SMB session control |
wmic.exe | Remote process creation, service enumeration |
powershell.exe | Scripting and in-memory execution throughout |
cmd.exe | Shell execution |
regsvr32.exe | Remote scriptlet (SCT) execution - AppLocker bypass |
mshta.exe | HTA and inline VBScript execution |
certutil.exe | File download and base64 encode/decode |
wscript.exe / cscript.exe | VBScript and JScript execution |
whoami.exe | User identity and privilege enumeration |
ipconfig.exe | Network adapter and DNS configuration |
arp.exe | ARP cache - recently contacted hosts |
netstat.exe | Active connections and listening ports |
tasklist.exe | Running process enumeration |
nbtstat.exe | NetBIOS name resolution |
nltest.exe | Domain controller identification |
route.exe | Routing table |
esentutl.exe | File copy from UNC/SMB path |
expand.exe | Cabinet extraction and UNC file copy |
msiexec.exe | Remote MSI download and execution |
ftp.exe | Script-mode FTP file download |
cmdkey.exe | Credential Manager enumeration and credential implant |
runas.exe | Execute commands using saved Credential Manager entries |
csc.exe | C# compiler - compile service EXEs and DLLs on-victim |
netsh.exe | Firewall management and WiFi password retrieval |
auditpol.exe | Audit policy enumeration and modification |
wevtutil.exe | Event log enumeration, export, and clearing |
cipher.exe | Free-space overwrite for secure file deletion |
fsutil.exe | USN journal management |
findstr.exe | Recursive file content search for credential strings |