Blog

What are "living off the land" attacks, and how are they influencing cybersecurity defence techniques in 2024 and beyond?

Well, the answer begins with the following: if defenders can identify an attack at an early stage, they can respond, reduce dwell time, and, ideally, prevent the worst outcomes of costly ransomware or data theft.

Conversely, threat actors constantly evolve their tactics in order to evade detection. They employ methods such as purging system logs to erase evidence of their presence and opting for passive monitoring techniques instead of actively seeking out sensitive information – which could alert vigilant defenders. Stealth greatly improves the attacker's chances of success. This game of cat and mouse defines the current state of cybersecurity: both endpoint and network.

One effective technique employed by threat actors for evading detection is the "Living Off the Land" (LOTL) approach to cyberattacks. In this article, our team explains this technique, how it makes their chances of evasion skyrocket, and list some of the most common tools used in LOTL attacks to better inform your organization's own cybersecurity plans for 2024.

Firstly, What Are Living Off the Land Attacks?

LOTL attacks refer to a strategy where attackers use legitimate tools already present on the target system to conduct malicious activities. These tools could include administrative utilities like PowerShell, system functions such as Windows Management Instrumentation (WMI), or even common software like file transfer protocol (FTP) clients. Essentially, instead of importing large and easily detectable malware, the attacker chooses to leverage the system's existing administrative, maintenance, and operational tools to achieve their goals.  In LOTL attacks, these legitimate tools are repurposed for malicious activities.

These attacks are particularly challenging to detect because they leverage tools that are typically trusted and allowed in the network, making their malicious activities blend in with normal operations. The attacker can thus avoid triggering alerts from malware scanners, Endpoint Detection and Response (EDR) solutions, and network security tools such as Firewalls and Intrusion Detection Systems (IDS) because their activity and traffic won't appear abnormal from regular day to day activities. LOTL attacks can also easily be carried out by an organization's own insiders, since all computers are equipped with sophisticated tools by default.

LOLBin attacks, a subset of fileless malware attacks, specifically involve the use of binaries (executables) that are part of the operating system or other legitimate software.

How DO LOTL Attacks Benefit Threat Actors?

The primary benefit that LOTL attacks bestow attackers is avoiding detection. However, an attacker who is really skilled with built in system tools can save time and resources required to build sophisticated malware.

• No need to import complex tools: Importing complex malware into a compromise system offers defenders more opportunity to detect the compromise and take action to remove the attacker's access

• Minimize foot-print: Leaving as little evidence as possible on the victim's system to avoid detection and enhance the attack's stealth

Examples Of LOTL Techniques

Living Off The Land (LOTL) attacks against Windows systems commonly utilize a range of built-in tools and features. These tools are part of the Windows operating system and are generally used for legitimate administrative, maintenance, and operational tasks.

• PowerShell: A powerful scripting language and command-line shell, PowerShell provides extensive control over Windows systems. It can automate tasks, manage configurations, and access virtually any system components. Attackers often use PowerShell to execute malicious scripts, escalate privileges, move laterally across a network, encrypt, exfiltrate, or destroy data

• Windows Management Instrumentation (WMI) and wmic.exe: WMI and wmic.exe are used for system management and monitoring. It allows for the automation of administrative tasks and can access system information. In LOTL attacks, WMI can be used to execute commands remotely, gather information, change system configurations, install backdoors for maintaining persistence, and more

• Command Prompt (cmd.exe): The Windows command-line interface is a basic tool for executing batch files and system commands. Attackers can use it to run commands, collect or manipulate system settings, or launch custom scripts, as well as encrypt, exfiltrate, or destroy data

• PsExec: Part of the Sysinternals Suite, PsExec is a lightweight telnet-replacement that lets you execute processes on other systems. It is often used by attackers for remote execution of PowerShell commands making it a very powerful tool

• Regsvr32: Used to register and unregister Object Linking and Embedding controls, including DLLs, in the Windows registry. Malicious use includes executing code and bypassing application whitelisting

• BITSAdmin: A command-line tool to create, download or upload jobs and monitor their progress. Attackers use it to discreetly transfer files, including malware, using the Background Intelligent Transfer Service (BITS)

• MSBuild: A build tool for Visual Studio. It can be exploited to execute code without triggering security software that monitors for malicious activity

Conclusion

Living Off the Land Attacks are a stealthy approach to compromise cyberattacks where threat actors utilize a system's built-in tools to achieve their goals rather than importing malware onto the compromised system. These attacks are challenging to detect because they tend to blend in with normal endpoint and network activities. Administrative tools like PowerShell, Windows Management Instrumentation (WMI), are among the most commonly used.

LOTL strategies highlight the diverse and sophisticated nature of cyber threats, underscoring the need for more advanced cybersecurity activities. Understanding the nuances of LOTL strategies is crucial for developing more effective defense mechanisms against cybercrime in 2024 and beyond.

Our team is always just one click away. Our specialized experts can answer any further questions you may have and can start the process of kickstarting the most proactive security assessment of your organization’s most mission-critical people, processes, premises, and technology.