Living off the Land (LOL) attack techniques, tools, and defender resources.
Living off the land (LOL/LoTL) is an attack strategy where adversaries abuse tools and features commonly present in the target environment to blend in with normal activity and evade detection.
- Azure IP Lookup - Maps IPs and domains to Azure service tags, regions, and data centers; useful for identifying when Azure services are abused to masquerade as legitimate Microsoft traffic.
- Entra ID First Party Apps & Scope Browser - First-party applications in Microsoft Entra ID with their pre-consented permissions, the apps vulnerable to ConsentFix/AuthCodeFix, and the apps that are exempt by default from Conditional Access policies.
- Hacking the Cloud - Encyclopedia of attacks/tactics/techniques for cloud exploitation.
- LOLAPI - Real-world abused APIs across Windows, Cloud, and Browser platforms with detection strategies, mitigation guidance, and red team POCs.
- LOLAPPS - Living Off The Land Applications, including built-in and third-party applications.
- LOLFSaaS - Free-tier SaaS platforms documented for abuse surface, OPSEC profiles, detection logic, and C2 framework mappings.
- Microsoft 365 Application IDs – BEC Investigation Resources - Reference for application IDs commonly abused in M365.
- Microsoft Graph Permissions Explorer - Reference for Microsoft Graph permissions, mapping each to the APIs and data objects exposed, useful for assessing abuse potential of app registrations and OAuth grants.
- RogueApps - OIDC/OAuth 2.0 applications that are often abused and used maliciously.
- TrailDiscover - Repository of AWS CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents, references, and security implications.
- Argument Injection Vectors - Intended features of legitimate programs exploitable as argument injection vectors.
- Bootloaders.io - Known malicious bootloaders for various operating systems.
- BYOL - Bring Your Own Land (BYOL): Executing custom C#-based assemblies entirely within memory to reduce reliance on tools present on the target system.
- Evasion Techniques - Encyclopedia of evasion and anti-debug techniques.
- Filesec.io - File extensions being used by attackers, tagged by function and operating system.
- GTFOArgs - Unix binaries that can be manipulated for argument injection, possibly resulting in security vulnerabilities.
- GTFOBins - Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
- HijackLibs - DLL hijacking candidates mapping vulnerable executables to abusable DLLs, with Sigma detection rules for defenders.
- lcdbins - Collection of oneliners that use lowest-common denominator binaries (lcdbins) present on most UNIX-based operating systems to perform enumeration and post-exploitation activities.
- LOFLCAB - Living off the Foreign Land Cmdlets and Binaries (cmdlets, binaries, scripts, and WMI classes).
- LOLAD - Catalog of Active Directory techniques, commands, and functions that attackers can abuse.
- LOLBAS - Living Off The Land Binaries, Scripts and Libraries.
- LOLBins CTI-Driven - Maps threat actor LOLBin usage during intrusions into graphical, STIX-formatted data for threat intelligence platforms.
- LOLBins Reference - Interactive reference for Windows and Linux LOLBins with a dynamic payload builder, ATT&CK mapping, and auto-updates from official sources.
- LOLDrivers - Windows drivers used by adversaries to bypass security controls and carry out attacks.
- LOLESXi - Binaries/scripts natively available in VMware ESXi that adversaries have utilized.
- LOLGlobs - Glob-based command obfuscation techniques for Linux, macOS, Windows CMD, and PowerShell used to bypass signature-based detection in AV, EDR, and WAF products.
- LOLRMM - Remote Monitoring and Management (RMM) tools that could be abused by threat actors.
- LOOBins - Living Off the Orchard (LOO): Built-in macOS binaries that can be abused by attackers, with detailed usage information.
- LOTHardware - Catalog of hardware and devices commonly abused by attackers.
- MalAPI.io - Maps Windows APIs to common techniques used by malware.
- Persistence Info - Windows persistence mechanisms including registry keys, scheduled tasks, services, and DLLs, with detection and protection guidance.
- Sploitify - Interactive cheat sheet of public server-side exploits, searchable by product.
- WADComs - Interactive cheat sheet with offensive security tools and their respective commands to be used against Windows / Active Directory environments.
- WTFBins - Benign applications that exhibit suspicious behavior, generating noise and false positives in threat hunting and automated detections.
- Awesome Tunneling - Tunneling software and services, including self-hosted alternatives to ngrok and Cloudflare Tunnel, commonly abused for C2 and exfiltration.
- LOLC2 - C2 frameworks that leverage legitimate services to evade detection.
- LOLEXFIL - Data exfiltration reference covering LOLBins, RMM tools, cloud storage, tunneling protocols, and more, each with detection patterns, simulation commands, DFIR artifacts, IOCs, and ATT&CK mappings.
- LOTS Project - Living Off Trusted Sites: Legitimate popular domains abused for phishing, C2, exfiltration, and tool delivery to evade detection.
- LOTTunnels - Living Off the Tunnels: Legitimate tunneling services abused for exfiltration, persistence, and shell access.
- LoTWH - Living Off The Webhooks: Webhook services abused for data exfiltration and C2 communications.
- LoLCerts - Living Off The Leaked Certificates: Code signing certificates known to have been leaked or stolen, then abused by threat actors.
- LOTP - Living Off the Pipeline: Inventories how development tools (typically CLIs) commonly used in CI/CD pipelines have lesser-known RCE-By-Design features ("foot guns").
- LoFP - Living off the False Positive: Autogenerated collection of false positives sourced from popular rule sets.
- Project LOST - Living Off Security Tools: Security tools used by adversaries to bypass security controls and carry out attacks.
