Live off the land

Perform host reconnaissance using native system utilities in Reaper, with zero additional tooling deployed to the target.


What are Living off the Land Tools?

Living off the Land (LotL) Tools use native utilities already present on a target host (systeminfo, whoami, ipconfig, netstat, and others) to perform reconnaissance without deploying additional binaries. Because these utilities blend in with normal system activity, they are far less likely to trigger endpoint detection.

Method wraps these native utilities into structured Tool executions. Each runs through a deployed Jackal and feeds normalized Objects back into your Operation.
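Blending in with normal activity does not make these utilities invisible to defenders: several distinct ones launched by the same parent process within a short window is a pattern that process-creation telemetry can surface. The sketch below is an added example, not part of Method or of this page's own material; the event tuples, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities named on this page; extend with others relevant to your environment.
RECON_BINARIES = {"systeminfo.exe", "whoami.exe", "ipconfig.exe", "netstat.exe"}

# Constructed sample process-creation events: (timestamp, host, parent_pid, image).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "WS-01", 4120, r"C:\Windows\System32\whoami.exe"),
    ("2024-05-01T10:00:09", "WS-01", 4120, r"C:\Windows\System32\systeminfo.exe"),
    ("2024-05-01T10:00:15", "WS-01", 4120, r"C:\Windows\System32\ipconfig.exe"),
    ("2024-05-01T10:00:20", "WS-01", 4120, r"C:\Windows\System32\notepad.exe"),
    ("2024-05-01T10:00:40", "WS-01", 4120, r"C:\Windows\System32\netstat.exe"),
    ("2024-05-01T11:30:00", "WS-02", 988, r"C:\Windows\System32\ipconfig.exe"),
    ("2024-05-01T14:45:00", "WS-02", 988, r"C:\Windows\System32\whoami.exe"),
]


def find_recon_bursts(events, window_seconds=120, min_distinct=3):
    """Alert when one parent spawns >= min_distinct recon utilities within the window."""
    by_parent = defaultdict(list)
    for ts, host, ppid, image in events:
        # Compare on the lower-cased file name so path and case differences do not matter.
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in RECON_BINARIES:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), name))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, ppid), hits in sorted(by_parent.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = sorted({n for _, n in hits[start:end + 1]})
            if len(distinct) >= min_distinct:
                alerts.append({"host": host, "parent_pid": ppid,
                               "first_seen": hits[start][0].isoformat(),
                               "utilities": distinct})
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

A single ipconfig or whoami run, as on WS-02 in the sample data, stays below the threshold; tune the window and the distinct count against your own baseline of administrator activity.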

Find LotL Tools

Browse the full list of LotL Tools (and every other Tool in the platform) from the Tools app. Open it from the left sidebar on the Method homepage.

[Figure: Method homepage with the Tools app highlighted in the left sidebar. Caption: Select Tools from the left sidebar.]

[Figure: Tool catalog showing Host reconnaissance Tools organized by family. Caption: Browse and filter the full list of Tools available in Method.]

The following LotL Tools are available in Method:

Reconnaissance

  • Host Domain Discovery: Enumerates Active Directory domain controllers, IPs, and site names
  • Host Domain Account Discovery: Lists domain accounts from AD groups such as Domain Admins and Domain Users
  • Host Jackal Context Discovery: Captures the Jackal’s identity context, group memberships, and privilege level
  • Host Local Account Discovery: Enumerates local user accounts and group memberships on the host
  • Host Network Enumeration: Collects network interfaces, routes, and open connections
  • Host Software Inventory: Inventories installed software, hotfixes, and security-tool footprints
  • Host System Information: Collects OS version, hostname, and system characteristics

Credential Access

  • Host Credential Dump: Extracts NTLM hashes, Kerberos tickets, and cached credentials from the host

Discovery

  • Host Domain Dump: Dumps AD users, groups, computers, SPNs, delegation settings, and trust relationships

Lateral Movement

  • Native Jackal Drop: Deploys a Jackal to a remote host using native WMI or WinRM with the current security token

Persistence

  • Jackal Persist: Configures a Jackal to restart automatically on boot or login
  • Host User Persistence: Creates a privileged local or domain user account for persistent access

Privilege Escalation

  • Jackal Privilege Escalation: Elevates Jackal privileges via token impersonation or unquoted service paths
  • Jackal UAC Bypass: Bypasses UAC to elevate a Jackal from medium to high integrity

To run these Tools in an Operation, see Run your first Operation. For background on how Tools work across the platform, see Tools.