Hacking and Living off the Land Links

A curated set of references that I keep coming back to. The first half collects broad hacking knowledge bases, cheat sheets and playbooks. The second half is dedicated to Living off the Land (LOTL), the practice of abusing software that is already trusted and present on a system, so that an attacker never has to drop an obvious tool.

Resources and Guides

Knowledge Bases and Methodology

Resource | What it covers
HackTricks | The broad reference for pentesting and exploitation, organized by service and technique
Red Team Notes | Hands-on red team techniques with a strong focus on Active Directory
Exploit Notes | Short, searchable exploitation notes grouped by topic
Pentest Book by n3t_hunt3r | A structured methodology that walks through a full engagement
Oblivion RedOps | An offensive research journal with deep technical writeups
DarthSidious | A step-by-step path from zero access to full domain compromise

Web and Application Security

Resource | What it covers
Application Security Cheat Sheet | Practical web and API security cheat sheets
AppSecExplained | Core application security concepts explained in plain language
Bug Hunter Handbook | Bug bounty methodology, tips and recurring vulnerability patterns

Cloud Security

Resource | What it covers
Hacking The Cloud | Offensive techniques for AWS, Azure and GCP
HackTricks Cloud | The cloud-focused companion to HackTricks
CloudSec.Cybr | Cloud security labs, notes and learning paths

Recon and OSINT

Resource | What it covers
Subdomain Enumeration Guide | A complete workflow for discovering subdomains and attack surface
OH SHINT! | A large collection of OSINT resources and methodology

Defense, DFIR and Threat Hunting

Resource | What it covers
Digital Forensics and Incident Response | Blue team playbooks for forensics and incident response
Threat Hunter Playbook | Data-driven hunting analytics mapped to attacker behavior
Check Point Research Evasion Techniques | A catalog of how malware detects and evades sandboxes

Linux and Privilege Escalation

Resource | What it covers
Linux Privilege Escalation | Techniques to go from a low-privileged shell to root
Linux SysOps Handbook | A solid Linux administration reference that doubles as recon background

Tools and Reference

Resource | What it covers
C2 Matrix | Compare command and control frameworks side by side
CyberChef | The Swiss Army knife for encoding, decoding and data transformation
Nuclei Templates Directory | A searchable index of the public Nuclei template library
offsec.tools | A searchable directory of offensive security tools
Ciphersuite Info | Look up any TLS cipher suite and its security rating
endoflife.date | Track end-of-life and support windows for common products

Living off the Land

Living off the Land means reaching for binaries, scripts, drivers and services that a defender already trusts. Because the tooling is native, the activity blends into normal operations and is far harder to flag. The projects below map out which trusted components can be abused on each platform.

The LOL Project Family

```mermaid
mindmap
  root((Living off the Land))
    Windows
      LOLBAS binaries
      MalAPI Windows APIs
      WADComs Windows and AD
      HijackLibs DLL hijacking
      LOLDrivers drivers
      Bootloaders
      Persistence info
    Unix and Linux
      GTFOBins
    macOS
      LOOBins
    Cloud and trusted infra
      LOFLCAB foreign land
      LOTS trusted sites
      LOTP pipelines
    Hardware
      LOTHardware
    Files and apps
      Filesec extensions
      LOLAPPS applications
    Certificates
      LoLCerts
    Detection
      LoFP false positives
    Collections
      LOLOL
      ARTToolkit
      Unprotect
      WTFBins
```

Windows

Resource | What it covers
LOLBAS | Trusted Windows binaries, scripts and libraries that attackers abuse
MalAPI | Windows API functions mapped to the malicious techniques they enable
WADComs | Offensive techniques and commands for Windows and Active Directory
HijackLibs | DLL hijacking opportunities found in legitimate software
LOLDrivers | Vulnerable and malicious Windows drivers
Bootloaders | Bootloaders that can be abused to bypass security controls
Persistence-info | A catalog of Windows persistence techniques

Unix and Linux

Resource | What it covers
GTFOBins | Unix binaries that can break out of restricted shells and escalate privileges

macOS

Resource | What it covers
LOOBins | Native macOS binaries documented for offensive use

Cloud and Trusted Infrastructure

Resource | What it covers
LOFLCAB | Cmdlets and binaries for living off the foreign land
LOTS | Trusted sites that attackers use for download, hosting and exfiltration
LOTP | Living off the pipeline, abusing CI and CD systems
BYOL | Bring your own land, a red teaming technique writeup from Google

Hardware

Resource | What it covers
LOTHardware | Living off the hardware, abusing firmware and physical components

Files and Applications

Resource | What it covers
Filesec | File extensions and how attackers weaponize them
LOLAPPS | Legitimate applications that can be abused by attackers

Certificates

Resource | What it covers
LoLCerts | A collection of leaked code-signing certificates

Detection and False Positives

Resource | What it covers
LoFP | Legitimate activity that commonly triggers false positives in detections

Collections and Meta

Resource | What it covers
LOLOL | An index that aggregates the many living off the land projects
LOLBins CTI-Driven | LOLBins prioritized by real threat intelligence
ARTToolkit | A red team toolkit collection
Unprotect Project | A searchable database of malware evasion techniques
WTFBins | Benign binaries that behave suspiciously enough to fool defenders

Written on December 22, 2024