Living off the Land

This guide will walk through a basic network reconnaissance and enumeration operation using Living off the Land (LotL) tools in Reaper.


LotL tools are native system utilities or pre-installed software that adversaries repurpose to perform malicious actions while evading detection. There are several reconnaissance and enumeration LotL tools available in Reaper focused on the collection of host, system, and network information. The scenario below demonstrates host-based access and data collection on a Windows Domain Controller.

See Your First Operation to learn how to create an environment.

Begin an Operation

From the Bastion Homepage, select Start an Operation.

Start an Operation

This will drop you directly into a new workspace, where you can add a title, describe the objective, and define the scope of the operation.

Create the Workspace

Select Method Range for the environment, Installed agent as the Access vector, and select Next for starting points (since your agent is running on the domain controller, you do not need to provide an initial starting point).

Skip the Intelligence and Rules of engagement sections, then click Begin Operation.

Execute

  1. Run Agent Host System Information to collect detailed information about the host’s operating system and hardware environment.
  2. Run Agent Host Account Discovery to identify all local and domain accounts and credentials present on the host.
  3. Run Agent Host Network Enumeration to gather information about the host’s network interfaces, connections, and routing configuration.
  4. Run Agent Host Software Inventory to collect a list of installed applications, system updates, and other software on the host.

“You can choose to run these tools individually in sequence or execute them in parallel.”

Collectively, these tools provide a comprehensive snapshot of a host’s identity, network, user landscape, and software environment.
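
Seen from the defender's side, the four collection steps above tend to appear as one parent process launching native utilities from several discovery categories in quick succession, whether they run in sequence or in parallel. The following is an added example, not part of Reaper or the original guide. The utility-to-category mapping, the thresholds, and the Sysmon-style process-creation records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of built-in Windows utilities to the four collection
# categories in the steps above; NOT a list of what Reaper's tools execute.
CATEGORY = {
    "systeminfo.exe": "system", "hostname.exe": "system",
    "whoami.exe": "account", "net.exe": "account",
    "ipconfig.exe": "network", "netstat.exe": "network", "route.exe": "network",
    "wmic.exe": "software",
}

def find_discovery_bursts(events, window=timedelta(seconds=120), min_categories=3):
    """Alert once per (host, parent PID) whose children span enough categories in one window."""
    by_parent = defaultdict(list)
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in CATEGORY:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_parent[(ev["Computer"], ev["ParentProcessId"])].append((ts, CATEGORY[image], image))
    alerts = []
    for (host, ppid), hits in sorted(by_parent.items()):
        hits.sort()  # time order; identical timestamps (parallel runs) are fine
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            span = hits[start:end + 1]
            cats = sorted({c for _, c, _ in span})
            if len(cats) >= min_categories:
                alerts.append({"host": host, "parent_pid": ppid, "categories": cats,
                               "images": [i for _, _, i in span]})
                break
    return alerts

# Constructed sample events using Sysmon Event ID 1 field names.
FIELDS = ("UtcTime", "Computer", "ParentProcessId", "Image")
ROWS = [
    ("2024-01-01 10:00:01", "DC01", 4312, r"C:\Windows\System32\systeminfo.exe"),
    ("2024-01-01 10:00:01", "DC01", 4312, r"C:\Windows\System32\whoami.exe"),
    ("2024-01-01 10:00:02", "DC01", 4312, r"C:\Windows\System32\ipconfig.exe"),
    ("2024-01-01 10:00:04", "DC01", 4312, r"C:\Windows\System32\wbem\WMIC.exe"),
    ("2024-01-01 09:00:00", "DC01", 880, r"C:\Windows\System32\ipconfig.exe"),   # one category only
    ("2024-01-01 09:30:00", "DC01", 880, r"C:\Windows\System32\netstat.exe"),
    ("2024-01-01 11:00:00", "WS07", 2200, r"C:\Windows\System32\whoami.exe"),
    ("2024-01-01 11:00:10", "WS07", 2200, r"C:\Windows\System32\ipconfig.exe"),
    ("2024-01-01 11:10:00", "WS07", 2200, r"C:\Windows\System32\systeminfo.exe"),  # outside window
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]
if __name__ == "__main__":
    print(find_discovery_bursts(SAMPLE_EVENTS))
```

Keying on the parent process keeps routine single-command administration (one `ipconfig` from a console) below the threshold, while the category count and window should be tuned against the environment's own baseline.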

Explore all the Objects Identified in this Operation