Unraveling Living off the Land Cyber Attacks 


The idea of a cyber attack conjures up many images in people’s minds. It is easy to picture the attacks that make headlines: companies paying millions of dollars to ransomware gangs, massive DDoS attacks rendering websites inaccessible, or data breaches that compromise droves of sensitive records. These attacks are loud. The attacker wants you to know that they are out there. What many do not picture is the threat that hides in plain sight and uses an organization’s own tools against it. That is the threat of “living off the land.”

What is Living off the Land? 
Living off the land (LotL) refers to the tactic of using built-in applications and features to carry out a cyber attack against a victim network or device. Because the attacker relies on legitimate operating system capabilities that do not by themselves raise suspicion, the attack is difficult to distinguish from ordinary system activity. Living off the land is becoming more and more popular amongst attackers because of how difficult it is for security systems to detect. These sophisticated attacks can lie undetected for months or even years, giving threat actors ample time to gather data, harvest credentials, and steal information.

Exploring LOLbins and Fileless Malware 
Living off the Land binaries, or “LOLbins,” is the term used for the trusted applications attackers use to carry out a living off the land attack. These tools are usually already installed on a victim’s system and have legitimate administrative uses. In a Windows environment, these are things like PowerShell, Windows Management Instrumentation (WMI), and PsExec. In some cases, an attacker may use fileless techniques to load legitimate tools, such as the forensic memory extraction tool Mimikatz, and use them for nefarious purposes. None of these applications is inherently malicious; in fact, many of them are widely trusted and consequently fall short of arousing suspicion. The use of LOLbins is often combined with fileless malware techniques to create a potent and stealthy combination. Fileless malware is malicious code that does not write to a device’s hard drive; instead it resides in memory and may seek to manipulate the Windows registry or compromise Dynamic Link Libraries (DLLs). All of these techniques allow malicious code to execute under the radar of traditional antivirus.

Recent Example of Living off the Land 
One prominent example of a threat actor utilizing living off the land techniques is the Chinese-sponsored actor Volt Typhoon. Active since 2021, the group prioritizes stealth in its attacks, using compromised credentials to gain access to Active Directory environments and operating primarily from the command line with native tools. Its activities have consisted of credential harvesting, system discovery, and data collection. In only a few cases has Volt Typhoon been reported to have used malware or installed post-exploitation tools.

Volt Typhoon has been detected lurking inside US critical infrastructure for over five years according to US intelligence reports. This includes multiple US-based utility providers, telecommunications companies, and mass transit infrastructure. The group has a particular interest in operational technology and industrial control systems, positioning themselves to conduct destructive cyber attacks on US critical infrastructure. They use living off the land techniques to remain hidden while carrying out their industrial reconnaissance.  

Mitigations 
Incidents such as the one described above succeed in many cases because organizations lack security and network management practices that are effective at catching malicious living off the land activity. Even in organizations that do implement security best practices, relying on untuned endpoint detection and response systems and default logging configurations will still make this type of activity difficult to detect. To strengthen defenses against living off the land attacks, organizations should establish and regularly update baselines for network and user activity, and implement out-of-band log aggregation and storage to prevent unauthorized manipulation of logs. Additionally, behavioral analytics will aid in detecting anomalies that deviate from the established baseline.
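To make the baseline-and-deviation idea concrete for the LOLbins named earlier (PowerShell, WMI, PsExec), here is an added example, not code from the original post or any vendor product. It builds a baseline of which (user, parent process, image) combinations are routinely seen in process-creation logs, then flags LOLbin executions that fall outside it. The log format, the process names, and the sample events are all constructed for illustration.

```python
"""Baseline-deviation detection for LOLbin executions (added example)."""
from collections import Counter
from dataclasses import dataclass

# Image names the post cites as commonly abused LOLbins (lower-case).
LOLBINS = {"powershell.exe", "wmic.exe", "psexec.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (fields as in Windows 4688 / Sysmon ID 1)."""
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'user|parent|image|cmdline' log line."""
    user, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(user.strip().lower(), parent.strip().lower(),
                     image.strip().lower(), cmdline.strip())


def build_baseline(history, min_count=2):
    """(user, parent, image) tuples seen at least min_count times count as normal."""
    counts = Counter((e.user, e.parent, e.image) for e in history)
    return {key for key, n in counts.items() if n >= min_count}


def detect(baseline, events):
    """Return LOLbin executions whose (user, parent, image) combination is not baselined."""
    return [e for e in events
            if e.image in LOLBINS and (e.user, e.parent, e.image) not in baseline]


# Constructed sample data: routine admin activity for the baseline window ...
HISTORY = [parse_event(l) for l in [
    "corp\\admin1|explorer.exe|powershell.exe|powershell.exe -File C:\\ops\\patch.ps1",
    "corp\\admin1|explorer.exe|powershell.exe|powershell.exe -File C:\\ops\\patch.ps1",
    "corp\\svc_sccm|ccmexec.exe|wmic.exe|wmic.exe os get version",
    "corp\\svc_sccm|ccmexec.exe|wmic.exe|wmic.exe os get version",
]]
# ... and a later window containing two deviations (Office spawning PowerShell,
# and a service account running PsExec that was never seen doing so).
NEW_EVENTS = [parse_event(l) for l in [
    "corp\\admin1|explorer.exe|powershell.exe|powershell.exe -File C:\\ops\\patch.ps1",
    "corp\\jdoe|winword.exe|powershell.exe|powershell.exe -w hidden -File C:\\Temp\\x.ps1",
    "corp\\svc_backup|services.exe|psexec.exe|psexec.exe \\\\fileserver cmd.exe",
]]

if __name__ == "__main__":
    for hit in detect(build_baseline(HISTORY), NEW_EVENTS):
        print(f"ALERT: {hit.user} spawned {hit.image} from {hit.parent}: {hit.cmdline}")
```

In practice the baseline would be built from weeks of aggregated logs and refreshed on a schedule, as the mitigation advice above describes; the same structure applies regardless of which log source supplies the events.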