Upload and Download with Built in OS Tools


🥾 Living off the Land (LOTL) – File Transfers without Dropping Tools

🧠 The term "Living off the Land" was coined by @obscuresec & @mattifestation and refers to leveraging built-in binaries on Windows and Linux to perform tasks like:

  • 📤 Uploads

  • 📥 Downloads

  • ⚙️ Execution

  • 📖 File access

  • Bypasses

💡 This stealthy technique reduces the need for external tools, which helps evade EDRs, AVs, and logging solutions.


🧰 Toolkits to Know

🪟 Windows – LOLBAS

A catalog of Living off the Land Binaries And Scripts for Windows.

🐧 Linux – GTFOBins

A curated list of Unix binaries that can be abused by attackers or red teamers.

Use filters like:

  • /download

  • /upload

  • +file read

  • +file write


πŸ”Windows: Upload Using certreq.exe (LOLBAS)

From the target system:

This sends win.ini to our attack server. We catch it with:

πŸ“ Copy-paste the contents from the netcat listener!

⚠️ Heads-up: Some versions of certreq.exe do not support the -Post parameter. Use an updated version if needed.


📥 Linux: Download Using OpenSSL (GTFOBins)

🛠️ Step 1: On Attacker (Start SSL Server)

📥 Step 2: On Target (Download File)

✅ File received securely over SSL without any need for web servers or wget/curl.


🧱 Other Powerful LOTL Tools

πŸ›°οΈ Bitsadmin (Windows)

Transfers files silently using BITS, which mimics legit system update behavior.


🌀 PowerShell BITS Transfer

More advanced, supports proxies and credentials 🕵️‍♂️


πŸ” Certutil.exe

Originally used for certs… now a defacto wget for red teamers.

⚠️ AMSI may flag this! Useful in lab environments or bypass testing.
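
For the certreq.exe and certutil.exe sections above, a defender-side example (added here, not part of the original page or of LOLBAS) that flags outbound connections initiated by those binaries in Sysmon-style network events. The event dictionaries, hostnames, addresses and the allowlist are constructed assumptions.

```python
import ipaddress
from pathlib import PureWindowsPath

# Certificate utilities this page names as transfer LOLBins. bitsadmin.exe is
# omitted: BITS jobs are carried out by the BITS service, not the client binary.
WATCHED = {"certreq.exe", "certutil.exe"}
# Assumption: destinations these tools legitimately reach here (e.g. internal CA).
ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def suspicious_connections(events):
    """Return watched-binary connections to destinations not on the allowlist."""
    hits = []
    for ev in events:
        # Match on the file name only, case-insensitively, whatever the folder.
        image = PureWindowsPath(ev["Image"]).name.lower()
        if image not in WATCHED or not ev["Initiated"]:
            continue
        ip = ipaddress.ip_address(ev["DestinationIp"])
        if any(ip in net for net in ALLOWED):
            continue
        hits.append({"host": ev["Computer"], "image": image,
                     "dest": f"{ip}:{ev['DestinationPort']}",
                     "external": not any(ip in net for net in INTERNAL)})
    return hits

# Constructed events shaped like Sysmon Event ID 3 (network connection) records,
# with Initiated already normalised to a bool.
SAMPLE_EVENTS = [
    {"Computer": "ws-014", "Image": r"C:\Windows\System32\certreq.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 8000, "Initiated": True},
    {"Computer": "ws-014", "Image": r"C:\Windows\System32\certutil.exe",
     "DestinationIp": "10.20.0.5", "DestinationPort": 80, "Initiated": True},
    {"Computer": "ws-022", "Image": r"C:\Windows\System32\CertUtil.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 443, "Initiated": True},
    {"Computer": "ws-030", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 443, "Initiated": True},
    {"Computer": "ws-031", "Image": r"C:\Windows\System32\certreq.exe",
     "DestinationIp": "10.9.8.7", "DestinationPort": 8000, "Initiated": True},
]

if __name__ == "__main__":
    for hit in suspicious_connections(SAMPLE_EVENTS):
        print(hit)
```

Internal hits such as the ws-031 event are still reported, with `external` set to false, because a transfer to another internal host can be staging.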

