A collection of sites dedicated to “living off the land”, a technique whose essence is using legitimate resources, especially ones that are not already burned or flagged.
You probably already know all about GTFOBins and LOLBAS, but the possibilities go far beyond that. Everything listed below can be used quite successfully and covertly in your attacks.
Classic LoTL:
- LOLBAS project – Windows
- GTFOBins – Linux
- LOOBins – macOS
Extended LoTL:
- LOLAPPS – LoTL for third-party applications such as VS Code and Discord
- LOLDrivers – drivers used to bypass security controls and carry out attacks
- LOTP (Living Off The Pipeline) – RCE-by-design features in CLI development tools
- HijackLibs – a list of verified DLL hijacking candidates
Management and virtualization:
- LOLRMM – remote monitoring and management utilities
- LOLESXi – scripts and binaries from VMware ESXi
- LOFL, as I wrote here, is a tactic that allows you to avoid running binaries on compromised machines
Projects from mrd0x:
- LOTS Project – legitimate sites usable for phishing and exfiltration
- MalAPI.io – a list of WinAPI functions grouped by use (enumeration, injection, evasion, and so on)
- FILESEC.IO – file types that can be useful in attacks
Blue Team:
- WTFBins – GTFOBins and LOLBAS, but for the blue team: binaries that behave like malware, as a basis for writing detection rules
- bootloaders.io – a curated list of known bootloaders
- LoLCerts – fingerprints of code-signing certificates leaked from major vendors
- LOLBins CTI-Driven – a visual mind map of the APT groups and campaigns in which particular binaries appear
Other:
- persistence-info – fifty ways to get a foothold on Windows
- LOTHardware – hardware that can be used by the red team
- BYOL – a few words from Mandiant about LoTL
- WADComs – an interactive cheat sheet of ready-made commands for attacks against AD