
A curated set of references that I keep coming back to. The first half collects broad hacking knowledge bases, cheat sheets and playbooks. The second half is dedicated to Living off the Land (LOTL), the practice of abusing software that is already trusted and present on a system, so that an attacker never has to drop an obvious tool.
Summary
Resources and Guides
Knowledge Bases and Methodology
| Resource | What it covers |
| --- | --- |
| HackTricks | The broad reference for pentesting and exploitation, organized by service and technique |
| Red Team Notes | Hands-on red team techniques with a strong focus on Active Directory |
| Exploit Notes | Short, searchable exploitation notes grouped by topic |
| Pentest Book by n3t_hunt3r | A structured methodology that walks through a full engagement |
| Oblivion RedOps | An offensive research journal with deep technical writeups |
| DarthSidious | A step-by-step path from zero access to full domain compromise |
Web and Application Security
Cloud Security
Recon and OSINT
| Resource | What it covers |
| --- | --- |
| Subdomain Enumeration Guide | A complete workflow for discovering subdomains and attack surface |
| OH SHINT! | A large collection of OSINT resources and methodology |
Defense, DFIR and Threat Hunting
Linux and Privilege Escalation
| Resource | What it covers |
| --- | --- |
| C2 Matrix | Compare command and control frameworks side by side |
| CyberChef | The Swiss Army knife for encoding, decoding and data transformation |
| Nuclei Templates Directory | A searchable index of the public Nuclei template library |
| offsec.tools | A searchable directory of offensive security tools |
| Ciphersuite Info | Look up any TLS cipher suite and its security rating |
| endoflife.date | Track end-of-life and support windows for common products |
Living off the Land
Living off the Land means reaching for binaries, scripts, drivers and services that a defender already trusts. Because the tooling is native, the activity blends into normal operations and is far harder to flag. The projects below map out which trusted components can be abused on each platform.
The LOL Project Family
```mermaid
mindmap
  root((Living off the Land))
    Windows
      LOLBAS binaries
      MalAPI Windows APIs
      WADComs Windows and AD
      HijackLibs DLL hijacking
      LOLDrivers drivers
      Bootloaders
      Persistence info
    Unix and Linux
      GTFOBins
    macOS
      LOOBins
    Cloud and trusted infra
      LOFLCAB foreign land
      LOTS trusted sites
      LOTP pipelines
    Hardware
      LOTHardware
    Files and apps
      Filesec extensions
      LOLAPPS applications
    Certificates
      LoLCerts
    Detection
      LoFP false positives
    Collections
      LOLOL
      ARTToolkit
      Unprotect
      WTFBins
```
Windows
| Resource | What it covers |
| --- | --- |
| LOLBAS | Trusted Windows binaries, scripts and libraries that attackers abuse |
| MalAPI | Windows API functions mapped to the malicious techniques they enable |
| WADComs | Offensive techniques and commands for Windows and Active Directory |
| HijackLibs | DLL hijacking opportunities found in legitimate software |
| LOLDrivers | Vulnerable and malicious Windows drivers |
| Bootloaders | Bootloaders that can be abused to bypass security controls |
| Persistence-info | A catalog of Windows persistence techniques |
Unix and Linux
| Resource | What it covers |
| --- | --- |
| GTFOBins | Unix binaries that can break out of restricted shells and escalate privileges |
macOS
| Resource | What it covers |
| --- | --- |
| LOOBins | Native macOS binaries documented for offensive use |
Cloud and Trusted Infrastructure
| Resource | What it covers |
| --- | --- |
| LOFLCAB | Cmdlets and binaries for living off the foreign land |
| LOTS | Trusted sites that attackers use for download, hosting and exfiltration |
| LOTP | Living off the pipeline, abusing CI and CD systems |
| BYOL | Bring your own land, a red teaming technique writeup from Google |
Hardware
| Resource | What it covers |
| --- | --- |
| LOTHardware | Living off the hardware, abusing firmware and physical components |
Files and Applications
| Resource | What it covers |
| --- | --- |
| Filesec | File extensions and how attackers weaponize them |
| LOLAPPS | Legitimate applications that can be abused by attackers |
Certificates
| Resource | What it covers |
| --- | --- |
| LoLCerts | A collection of leaked code signing certificates |
Detection and False Positives
| Resource | What it covers |
| --- | --- |
| LoFP | Legitimate activity that commonly triggers false positives in detections |

| Resource | What it covers |
| --- | --- |
| LOLOL | An index that aggregates the many living off the land projects |
| LOLBins CTI-Driven | LOLBins prioritized by real threat intelligence |
| ARTToolkit | A red team toolkit collection |
| Unprotect Project | A searchable database of malware evasion techniques |
| WTFBins | Benign binaries that behave suspiciously enough to fool defenders |