1. What is Living off the Land?
The use of Living off the Land (LotL) tactics and tools by cyber criminals has been a growing trend on the cyber security landscape in recent times. The concept of LotL is not new, and has been around for as long as 25 years. Using system tools as backdoors was common back in the day, and has been mentioned in quite a few articles and e-zines like Phrack. However, in recent years, it has returned and grown in importance.
Fileless attacks, which are often spoken of, are a subset of LotL attacks. The exploitation of dual-use tools and memory only tools is also often referred to under the umbrella of LotL.
Attackers who use LotL tactics use trusted off-the-shelf and preinstalled system tools to carry out their work. It might not be obvious, but there are more than 100 Windows system tools that can be used by cyber attackers for nefarious purposes.
Cyber attackers use these tools for a few reasons, often in an effort to hide their activity: they hope their malicious activity will be hidden in a sea of legitimate processes.
As well as allowing attackers to operate stealthily, using LotL tools means that it is often difficult for investigators to determine who is behind malicious activity if they do discover it. Cyber attack groups are generally identified by the malware that they use, with sophisticated cyber crime groups and state-backed hackers often using custom malware, which makes it easy to identify if they are behind certain activity. However, if an attack is carried out using LotL tools and non-custom malware it is much more difficult to determine who might be behind such activity.
Other reasons for a growth in LotL activity by cyber criminals is a reduced availability of zero-day vulnerabilities and the effort required to find them. Improvements in browser security have made such vulnerabilities more difficult to find. Bug bounty programs have eliminated the easy-to-find vulnerabilities so that only the most dedicated researchers and attackers are able to root out critical vulnerabilities. In some scenarios, system tools are whitelisted and might be the only process allowed to run on a secured system, making them the only tools available for the attacker.
These reasons combined mean attackers are often increasingly turning to LotL tools to carry out their activities.
Legitimate tools that are often exploited by cyber criminals for LotL attacks include:
- PowerShell scripts
- VB scripts
In general, all these tools have legitimate uses on devices, so it can be difficult for victims and security software to determine when they are being exploited for malicious purposes. Using just LotL tools, attackers could gain remote access to a device, steal data, or disrupt its operations — without needing to use any malware.
One of the most famous recent examples of a cyber attack that heavily exploited LotL tools was the Petya/NotPetya attack, which made headlines all over the world in 2017. Petya used a software supply chain attack as its initial infection vector, compromising the update process of a software accounting program known to be widely used in Ukraine, where a lot of the Petya/NotPetya infections occurred.
Petya also used system commands during the infection process. Once executed, it dropped a recompiled version of LSADump from Mimikatz, which is used to dump credentials from Windows memory. The account credentials were then used to copy the threat to the Admin$ share of any computers the threat found on a network. Once the threat accessed a remote system it executed itself remotely using a dropped instance of PsExec.exe and the Windows Management Instrumentation (WMI) command line tool.
Petya used LotL tools to spread across networks, but it is also common for system tools to be used for reconnaissance. Of ten targeted attack groups examined by Symantec, including Tick, Chafer, and Greenbug, all of them used system tools to explore the devices and networks they had infected.
A more recent campaign Symantec wrote about that heavily leveraged LotL tools was a cyber espionage campaign being carried out by a targeted attack group. Thrip used a combination of LotL tools and custom malware to carry out a cyber espionage campaign focused on targets operating in the telecommunications and defense sectors. Among the LotL tools leveraged by Thrip were PowerShell, PsExec, and Mimikatz.
You should take the following steps to reduce the chances of your network or devices being exposed to cyber attackers:
- Monitor the usage of dual-use tools inside your network
- Use application whitelisting where applicable
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails
- Be wary of Microsoft Office attachments that prompt users to enable macros
- Keep security software and operating systems up to date
- Enable advanced account security features, like 2FA and login notification, if available
- Use strong passwords for all your accounts
- Always log out of your session when done
Symantec has various protection features in place to protect against fileless threats and living off the land attacks. Symantec’s memory exploit mitigation (MEM) techniques can proactively block remote code execution exploits (RCE); heuristic based memory scanning can detect memory only threats, and Symantec’s behavior-based detection engine SONAR can detect malicious usage of dual-use tools and block them.
Symantec’s Targeted Attack Analytics (TAA) also leverages advanced artificial intelligence and machine learning to comb through Symantec’s data in order to spot patterns associated with targeted attacks. It can spot and flag the suspicious use of seemingly legitimate tools.
100 Windows system tools: https://github.com/api0cradle/LOLBAS/tree/master/OSBinaries