Living off the land (LOTL) attacks use legitimate programs that already exist on a computer, rather than installing malware from an external source onto a system. The stealthy nature of these attacks can make them effective \u2014 and difficult for security teams to detect and prevent.<\/p>\n\n\n\n
To prevent LOTL attacks, security teams must use sophisticated detection methods, as well as closing loops in popular computer programs with known vulnerabilities. This guide to LOTL security explains some of the most common LOTL vulnerabilities and prevention methods that security teams can use.<\/p>\n\n\n\n
Jump ahead to:<\/strong><\/p>\n\n\n\n Living off the land attacks originate within a valid computer program, like script-writing software or a command line tool. Attackers gain access to the program and perform actions like writing new malicious code or escalating their own user privileges.<\/p>\n\n\n\n Many attacks like these are known as fileless malware attacks because they don’t need code to be installed onto a machine through an external file. Rather, they use a legitimate source. Often, LOTL attacks don’t have a signature, either.<\/p>\n\n\n\n A lack of signature or of recognizable malware<\/a> makes it very difficult to track and identify LOTL attacks. Such an attack can’t always be found in a feed of common threats. IT and security teams will often have trouble locating the initial problem because the threat comes from a valid computer program on their organization’s network.<\/p>\n\n\n\n If a threat actor finds legitimate existing credentials for an application or program, they can log in without having to download malware or brute force their way into the system. They may use a tool like Mimikatz to extract credentials stored in memory, steal credentials to a powerful management program like PowerShell, or they might find login information for IT remote access applications like TeamViewer and AnyDesk, which help IT admins connect remote computers. Any compromised application that allows users to make changes \u2014 or even an application that simply allows too many permissions \u2014 can result in an LOTL attack.<\/p>\n\n\n\n Note that although brute forcing passwords can still permit a threat actor to carry out an LOTL attack, they’re more noticeable to security teams.<\/p>\n\n\n\n Threat actors can also identify backdoors that haven’t been closed off properly. Back doors are vulnerabilities within a computer program that allow users to access the program without following the predetermined guidelines for entry (namely, credentials and any additional authentication).<\/p>\n\n\n\n LOTL attacks are often simplest for malicious insiders<\/a> to carry out. These attackers may not even need to steal credentials or find a backdoor because they’re already a trusted member of the organization they’re attacking.<\/p>\n\n\n\n Read more about the ways hackers evade detection<\/a>.<\/strong><\/p>\n\n\n\n While there are literally hundreds of avenues an LOTL attacker can use, not all of them are regularly exploited. The following tools are some common vectors used to carry out LOTL attacks.<\/p>\n\n\n\n Windows Management Instrumentation (WMI) is a management tool for Windows admins to write scripts and connect computer systems. If taken over, it has admin privileges that allow an attacker to perform a variety of different tasks. An attacker could download code from an external system to then run it on that computer system. This type of malicious code is harder to track because it was pulled by a legitimate Windows tool, rather than downloaded directly from an outside email or file.<\/p>\n\n\n\n Mimikatz can pull credentials from computer memory and increase users’ access privileges. It’s a vulnerability within Windows that allows an attacker to decrypt hidden passwords while they’re in memory. Mimikatz can be exploited either by using older versions of Windows than Windows 10 or by escalating privileges enough to then toggle the Mimikatz capability on.<\/p>\n\n\n\n PowerShell is a Microsoft task and configuration tool that uses command line functionality. It’s useful for IT admins who need to manage configuration jobs for business devices, including for remote workforces. But PowerShell is also highly exploitable \u2014 a Cisco study found that it was used in more than a third of critical security threats<\/a>. Its remote support means that an attacker who takes control of the command line can control the entire network of connected devices. PowerShell is also available to more junior IT employees, so it often doesn’t have tight enough access controls.<\/p>\n\n\n\n Read more: Cybersecurity Agencies Release Guidance for PowerShell Security<\/a><\/strong><\/p>\n\n\n\n Once a threat actor has breached a legitimate application, they may do the following:<\/p>\n\n\n\n A prized target of hackers is often Active Directory<\/a>, which controls credentials and access rights on Windows domain networks.<\/p>\n\n\n\n The following strategies help your business not only prepare for LOTL attacks but also reduce threat actors’ opportunities to compromise your legitimate systems.<\/p>\n\n\n\n The Living off the Land Binaries, Scripts, and Libraries project (LOLBAS<\/a>) offers a comprehensive list of exploits attackers use. It’s best to study one binary (LOLBIN) at a time, examining how the specific program is typically used. Once your team knows what appropriate usage looks like, you can begin identifying abnormal behavior from that program.<\/p>\n\n\n\n Derek Wilson, principal consultant at security firm NetSPI, underscored the importance of using this resource. “By finding a way to baseline detections against something like the Living Off the Land Binaries And Scripts (LOLBAS) project, which is set up to track LOTL threats, teams can then build proactive detection plans for the procedures that aren’t caught,” he said.<\/p>\n\n\n\n Wilson recommended additional software to help teams develop general detection methods. “Breach and attack simulation (BAS) tools are invaluable in baselining detective controls and continuously improving detection of LOTL attacks,” he said. BAS tools<\/a> give security teams insight into an attack lifecycle, behaving like a threat actor might to find security weaknesses more quickly.<\/p>\n\n\n\n Block binaries that are frequently exploited in LOTL attacks. According to Wilson, prevention is the first step to protect computer systems from attacks. He recommends that security teams review Microsoft\u2019s recommended block rules<\/a> and attack surface reduction rules<\/a> as a “jumping-off point.”<\/p>\n\n\n\n “These resources are full of LOTL-abusable binaries that organizations should not use,” Wilson said. “Still, the recommendation is to find out if you really need these binaries available and, if not, to block them outright.”<\/p>\n\n\n\n Wilson also recommends application allowlisting<\/a>, which helps reduce LOTL risks by significantly limiting the number of applications that your systems can use. Rather than just blocking a few bad applications, allowlisting, or whitelisting, permits only the software your business’s teams explicitly need.<\/p>\n\n\n\n Employ advanced behavioral monitoring and analytics. While behavioral monitoring may not solve every LOTL question, it’s a more advanced method of tracking user behavior. Behavioral technology like UEBA<\/a> looks at the details of user activity, including lengthy periods spent in a particular system, the time of day that a command is given, and other deviations from typical behavior.<\/p>\n\n\n\n Read more about behavioral analytics in cybersecurity<\/a>.<\/strong><\/p>\n\n\n\n Update credentials if one account has been demonstrating strange behavior \u2014 the account may have been hacked or abused. If an IT admin’s PowerShell account has been giving unusual series of commands or performing actions at a strange time of day, reset the password for that local user account. If an attacker is using valid credentials to access that PowerShell instance, they’ll have to find another way into the program.<\/p>\n\n\n\n MFA technologies<\/a> help minimize the chance that an attacker can log in using valid credentials. They’d have to have access to the legitimate user’s phone or biometrics, depending on the additional MFA method. While MFA is difficult to set up for tools like PowerShell, it’s critical for all security software and important for programs that integrate with other programs. If an attacker logs into one of these programs, they could laterally move to another tool in the network and wreak havoc.<\/p>\n\n\n\n If your business has already undergone an LOTL attack, take the following recovery steps:<\/p>\n\n\n\n While not an exhaustive list, the following technologies provide advanced security measures that go beyond basic detection and response methods.<\/p>\n\n\n\n UEBA<\/a> providers like LogRhythm and Rapid7 help businesses explore user behavior at a more advanced level. Using behavioral analytics to detect malicious actions can help security teams identify LOTL threats they wouldn’t otherwise find.<\/p>\n\n\n\n Symantec’s endpoint protection<\/a> solution has an Adaptive Protection feature that uses behavioral analytics and threat telemetry to identify legitimate applications that are being exploited and to shut down LOTL attack paths. It also examines legitimate applications’ standard behavior to identify anomalies over time.<\/p>\n\n\n\n Managed threat hunting<\/a> providers employ teams of experts to perform detailed threat searches and analysis. If your IT or security teams don’t have the time or resources to examine computer systems for potential LOTL attacks, managed services like MDR<\/a> are a good choice. These experts have dedicated time and tools to identify potential malicious behavior from legitimate business applications.<\/p>\n\n\n\n Detection engineering uses logs and other data sources to identify specific predetermined threats that security teams don’t yet have a method of detecting. It’s intended to develop a long-term threat detection lifecycle that teams can use over time. To begin the detection engineering process, teams should perform threat modeling based on the attacks they’re most likely to experience and the tools they use most often. While few vendors have solutions specific to detection engineering, teams can use log management<\/a> and threat intelligence<\/a> tools as part of their own detection strategy. <\/p>\n\n\n\n While living off the land attacks are challenging for security teams to identify, the development of advanced cybersecurity methods and threat detection will help organizations approach LOTL with more confidence. While LOTL threat reduction can be time-consuming, tactics like managed threat hunting and behavioral analytics are promising because they help teams dive into the specifics of attack prevention and identification. The more data your team can access and understand, the better prepared you’ll be to identify subtle attacks.<\/p>\n\n\n\n Read next: Network Protection: How to Secure a Network<\/a><\/strong><\/p>\n\n\n\n
How Living off the Land Attacks Work<\/h2>\n\n\n\n
How Do LOTL Attackers Access Your Machine?<\/h2>\n\n\n\n
Commonly exploited programs<\/h3>\n\n\n\n
Windows Management Instrumentation<\/h4>\n\n\n\n
Mimikatz<\/h4>\n\n\n\n
PowerShell<\/h4>\n\n\n\n
Behaviors on exploited systems<\/h3>\n\n\n\n
\n
5 Best Practices for Preventing LOTL Attacks<\/h2>\n\n\n\n
Use LOLBINS to track binary activity<\/h3>\n\n\n\n
Block binaries and allow only necessary applications<\/h3>\n\n\n\n
Monitor user behavior<\/h3>\n\n\n\n
Keep a close eye on credentials<\/h3>\n\n\n\n
Use multifactor authentication<\/h3>\n\n\n\n
How to Recover from Living Off the Land Attacks<\/h2>\n\n\n\n
\n
What Tools Help Defend Against LOTL Attacks?<\/h2>\n\n\n\n
UEBA<\/h3>\n\n\n\n
Adaptive Protection<\/h3>\n\n\n\n
Managed threat hunting<\/h3>\n\n\n\n
Detection engineering<\/h3>\n\n\n\n
Bottom Line: Protecting Against Living-off-the-Land Attacks<\/h2>\n\n\n\n