Living Off the Land: How Hackers Exploit Victims’ Own Tools to Execute Attacks

Developing skills for self-reliance. Leveraging what’s already available in the environment. Flying a little bit under the radar.
Choosing to live off the land doesn’t seem all that bad, at least not in the physical world. But if threat actors apply the same approach to your business’ digital ecosystem, you could end up with a nasty cyberattack on your hands.
With living off the land (LOTL) techniques, threat actors can exploit an operating system’s built-in tools to discreetly hack businesses and avoid detection.
Below, we’ll explore a real-life example of an attack lifecycle using exclusively legitimate tools and how businesses can catch and stop LOTL attacks before it’s too late.
Living off the land, explained
LOTL refers to an attack strategy that abuses legitimate software and functions within an organization’s operating system for malicious intent. For example, Windows® has native tools designed for administrative purposes, like remote desktop protocol (RDP), PowerShell®, and scheduled tasks, that are regularly exploited in LOTL attacks.
Because most of these tools are already deployed and trusted in the environment, threat actors are able to modify and adapt their usage to fit their needs while remaining undetected by legacy security solutions.
Frequently, threat actors rely on deploying malicious software (malware) to disrupt system operations and encrypt data. Automated cybersecurity solutions are more adept at flagging the introduction of external malicious files than at independently determining whether a pre-installed tool is being used suspiciously.
Even when attacks include malware, it’s likely that threat actors are relying on some LOTL techniques, either for initial access or to move laterally through the network. Trusted system tools are exploited in 84% of major attacks.
The majority of observed LOTL attacks take place in Windows environments due to its prevalence in corporate and enterprise settings. But no system is immune: cloud, on-premises, Windows®, Linux®, and macOS® are all susceptible to LOTL attacks. In macOS environments, it’s referred to as “living off the orchard.” No, we didn’t make that up.
Regardless of the environment, one of the biggest concerns with LOTL attacks is the considerable dwell time it grants threat actors. Undetected lateral movement can result in escalated privileges, exfiltrated data, and persistent access for future attacks.
In action: Threat actors fly under the radar
Coalition Incident Response (CIR) worked with a construction consultancy that experienced a ransomware incident that featured several LOTL techniques through the entire attack lifecycle. What happened?
Initial access and lateral movement
Threat actors gained initial access through an open RDP port (businesses with RDP exposed to the internet are the most likely to experience a ransomware attack), then used PowerShell to execute a legitimate Windows executable (ping.exe) to identify and ping devices on the network.
PowerShell is a frequently exploited tool in LOTL attacks. Commonly referred to as the “Swiss Army knife” of Windows management, it's popular among administrators and threat actors alike. An analysis from Bitdefender detected PowerShell activity on 73% of all endpoints and found that PowerShell is frequently invoked by third-party applications, which suggests that many businesses could tighten access restrictions to reduce their risk.
Next, threat actors determined the active servers and domain controllers on the network with another Windows binary (dsquery.exe). Without downloading any additional software, they had a good understanding of the environment: how many workstations, how many servers, and which devices were most valuable to attack.
Encryption, sans malware
Threat actors relied on open RDP to move around the network and log in to other devices. For encryption, they turned to BitLocker, a built-in Windows feature designed to protect data by encrypting drives. With the help of PowerShell, they activated BitLocker on all Windows devices and locked out users with unique recovery keys. Using another script, threat actors sent out copies of the ransom note to the desktops of several unaffected devices.
Recovery
The client had EDR, but no one monitoring activity. While several of the PowerShell commands, especially the BitLocker encryption, would have generated alerts, none was severe enough to trigger an automatic block of the activity. On the bright side, EDR recorded all of the unique keys used to decrypt devices, so the business had no need to pay for decryption keys and was able to get back up and running with the help of forensic investigators.
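The business above recovered only because the recovery keys had been captured. The following is an added example, not Coalition's code or tooling, showing how a defender can make that outcome a matter of policy rather than luck: it inventories every BitLocker-protected volume on a host and escrows each recovery password to Active Directory with the built-in BitLocker PowerShell module. It assumes an elevated session on a domain-joined Windows machine and that the BitLocker Group Policy option to back up recovery information to AD DS is enabled; the function names are this example's own.

```powershell
# Added example (not from the original post). Uses only the built-in BitLocker
# module: Get-BitLockerVolume and Backup-BitLockerKeyProtector.
# Run elevated on a domain-joined Windows host with AD DS key backup enabled by GPO.

function Get-BitLockerKeyReport {
    # One row per volume: is protection on, and how many recovery passwords exist?
    # A volume that is unexpectedly "On" is itself a signal worth investigating.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus   # Off / On
            VolumeStatus     = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            RecoveryKeyCount = $recovery.Count
            RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

function Backup-AllRecoveryKeysToAD {
    # Escrow every recovery password protector on every volume to AD DS, so the
    # organization holds the key regardless of who turned protection on.
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $protectors) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                Write-Host "Escrowed $($kp.KeyProtectorId) for $($vol.MountPoint) to AD"
            } catch {
                # Typical causes: GPO backup not enabled, no domain connectivity, not elevated
                Write-Warning "Could not escrow $($kp.KeyProtectorId) for $($vol.MountPoint): $_"
            }
        }
    }
}

Get-BitLockerKeyReport | Format-Table -AutoSize
Backup-AllRecoveryKeysToAD
```

Running the report on a fleet (for example through a scheduled task or a remote PowerShell session) gives two useful signals: volumes whose ProtectionStatus is On where the business never deployed BitLocker, and volumes whose recovery password was never escrowed. Escrow is the part that matters for recovery; the report alone does not stop anyone from enabling BitLocker.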
Prevent LOTL attacks at your organization
Application whitelisting
One way to protect against LOTL attacks at your organization is to introduce the practice of application whitelisting, which restricts execution to tools and applications that have already been vetted and approved. For example, if someone tries to open Windows Command Prompt (cmd.exe) to run unapproved commands or scripts, that action would require IT admin approval before the process is allowed to start.
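As an added example of the cmd.exe case (this is not Coalition's configuration or guidance, and the rule name, rule GUID and choice of group are placeholders), the following builds a Windows AppLocker policy that denies cmd.exe to the built-in Users group, tests the rule before deploying it, and merges it into the local policy in audit mode. AppLocker has no interactive "ask an admin" prompt; the equivalent of the review step described above is to run the rule in AuditOnly mode and read the "would have been blocked" events before switching it to Enabled.

```powershell
# Added example (not from the original post). Requires an elevated session on
# Windows Enterprise/Education (or Server) where AppLocker is available.
# The Application Identity service must be running for AppLocker to enforce anything:
#   sc.exe config appidsvc start= auto
#   Start-Service AppIDSvc

# Deny rule for cmd.exe, scoped to BUILTIN\Users (S-1-5-32-545).
# AppLocker evaluates Deny before Allow, so any account in that group is blocked
# even if another rule allows %SYSTEM32%. Starts in AuditOnly on purpose.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="d0e8f1c2-0000-4000-8000-000000000001"
                  Name="Deny cmd.exe for standard users (placeholder rule)"
                  Description="LOTL hardening: block the command interpreter for non-admin accounts"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\cmd.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'deny-cmd.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: would this policy catch cmd.exe for a standard user? Nothing is enforced here.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\cmd.exe" -User 'S-1-5-32-545' |
    Format-List FilePath, PolicyDecision, MatchingRule

# Merge into the local policy (keeps existing rules, including the default Allow rules).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Review step: Event ID 8003 = "would have been blocked" (audit), 8004 = blocked (enforced).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Two caveats before flipping EnforcementMode to Enabled. First, an enforced Exe collection with no Allow rules blocks every executable on the machine, so the default rules (Windows, Program Files, Administrators) must already exist in the policy being merged into. Second, on domain-joined machines Domain Users is nested inside BUILTIN\Users, so administrators who log in with a domain account are denied too; if that is not the intent, scope the rule to a dedicated group of standard users instead.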
Log management
Logging identifies activity within a certain application or computer system. Everything from your operating system to your endpoint devices is documenting events (like logins) as text records. These digital records, or logs, tell a comprehensive story.
Logs can help provide the necessary context to determine if activity is an administrator completing a predictable task or potentially something malicious. For example, if PowerShell is used to execute an uncommon command by an unauthorized user, that could be a red flag.
When deciding how long to retain logs, businesses should consider regulatory requirements, operational needs, and costs. Many frameworks suggest keeping a minimum of six months of log history.
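The red flag described above, an uncommon PowerShell command run by an unauthorized user, can be checked directly against PowerShell's own logs. The following is an added example, not Coalition's detection content: it scans script block logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which exist only when script block logging is enabled by policy) for the built-in tools from the incident above (ping.exe, dsquery.exe, and BitLocker being enabled) and rates each hit by whether the account is on an approved list. The approved-admin list, the indicator patterns and the sample events are constructed for this example; the function names are its own.

```powershell
# Added example (not from the original post). Detection over PowerShell script
# block logs (Event ID 4104). Indicators, approved accounts and sample events
# are constructed for this example.

$LotlIndicators = @(
    @{ Name = 'Network discovery via ping.exe';     Pattern = '\bping(\.exe)?\b' },
    @{ Name = 'AD enumeration via dsquery.exe';     Pattern = '\bdsquery(\.exe)?\b' },
    @{ Name = 'BitLocker enabled from PowerShell';  Pattern = '\b(Enable-BitLocker|manage-bde(\.exe)?\s+-on)\b' },
    @{ Name = 'Recovery key added from PowerShell'; Pattern = '\bAdd-BitLockerKeyProtector\b' }
)

# Accounts expected to run these tools (constructed). Anyone else is the
# "unauthorized user" case from the post and is rated HIGH.
$ApprovedAdmins = @('CORP\svc-deploy', 'CORP\it.admin')

function Get-ScriptBlockText {
    param([string]$Message)
    # A 4104 message has the form:
    #   Creating Scriptblock text (1 of 1):
    #   <script text>
    #
    #   ScriptBlock ID: <guid>
    #   Path: <path, or empty for interactive input>
    if ($Message -match '(?s)Creating Scriptblock text \(\d+ of \d+\):\s*(.*?)\s*ScriptBlock ID:') {
        return $Matches[1]
    }
    return $Message
}

function Find-LotlActivity {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with TimeCreated, UserName, Message
        [string[]]$Approved = $ApprovedAdmins
    )
    foreach ($evt in $Events) {
        $script = Get-ScriptBlockText -Message $evt.Message
        $severity = if ($Approved -contains $evt.UserName) { 'review' } else { 'HIGH' }
        foreach ($ind in $LotlIndicators) {
            if ($script -match $ind.Pattern) {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    User      = $evt.UserName
                    Indicator = $ind.Name
                    Severity  = $severity
                    Script    = ($script -replace '\s+', ' ').Trim()
                }
            }
        }
    }
}

# Live use on a Windows host with script block logging enabled:
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#       ForEach-Object {
#           [pscustomobject]@{
#               TimeCreated = $_.TimeCreated
#               UserName    = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value
#               Message     = $_.Message
#           }
#       }
#   Find-LotlActivity -Events $live | Format-Table -AutoSize

# Constructed sample events that mirror the incident's sequence, so the block runs offline.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 02:10'; UserName = 'CORP\it.admin'
                       Message = "Creating Scriptblock text (1 of 1):`nGet-ChildItem C:\Logs`n`nScriptBlock ID: 1`nPath: " },
    [pscustomobject]@{ TimeCreated = '2024-01-01 02:14'; UserName = 'CORP\contractor7'
                       Message = "Creating Scriptblock text (1 of 1):`nping.exe -n 1 FILESRV01`n`nScriptBlock ID: 2`nPath: " },
    [pscustomobject]@{ TimeCreated = '2024-01-01 02:20'; UserName = 'CORP\contractor7'
                       Message = "Creating Scriptblock text (1 of 1):`ndsquery server -o rdn`n`nScriptBlock ID: 3`nPath: " },
    [pscustomobject]@{ TimeCreated = '2024-01-01 03:05'; UserName = 'CORP\contractor7'
                       Message = "Creating Scriptblock text (1 of 1):`nEnable-BitLocker -MountPoint 'C:' -RecoveryPasswordProtector`n`nScriptBlock ID: 4`nPath: " }
)

Find-LotlActivity -Events $SampleEvents | Format-Table -AutoSize
```

On the sample input the admin's directory listing produces nothing, while the three contractor events each produce one HIGH row. The approved list is what turns a noisy pattern match into the context the section describes: the same dsquery invocation from a deployment account is a line item to review, not an incident. Because 4104 events only exist when script block logging is turned on, confirming that policy is in place (and that the log is forwarded and retained for the period chosen above) is the first step, before writing any detection.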
Managed detection and response
EDR can be a great tool for the right businesses. Translation: EDR works when your business has the manpower to monitor and respond to hundreds of alerts every day. For most small and midsize businesses, that isn’t feasible.
Managed detection and response (MDR) provides 24/7 monitoring of an EDR tool from security experts without requiring any additional headcount. In fact, businesses with MDR in place have a 50% faster mean time to respond to potential cyber threats.
A robust MDR team can set up custom alerts to flag for suspicious activity related to common LOTL techniques and intervene before attackers are able to spend significant time in your network.