Malicious hackers have taken a “living off the land” approach of surviving on surrounding resources, but not because they’re big fans of Bear Grylls: They’re using a target’s available tools to blend into the background.
Mandiant’s recently published M-Trends study showed continuing popularity of Living off the Land, or LOTL, attacks—what the Cybersecurity and Infrastructure Security Agency (CISA) defines as “the abuse of native tools and processes on systems.”
In other words: using what’s around, and not going back and forth to the supermarket where one can be detected.
While the M-Trends 2024 report noted vulnerability exploits and phishing as top initial threat vectors, the M-Trends researchers also saw continuing popularity of LOTL among attackers.
When examining the year’s worth of incident response investigations against the knowledge base known as MITRE ATT&CK, Mandiant researchers observed adversaries using 74% of MITRE ATT&CK techniques and 44% of sub-techniques in their study of 2023 intrusions; the top three sub-techniques included PowerShell (a Microsoft automation tool), Web Protocols, and Remote Desktop Protocol (a Microsoft communications tool).
“Attackers likely favor these sub-techniques because they utilize readily available tools within a system, making them easy to abuse,” read the report.
As a former penetration tester, Brian Soby frequently employed native capabilities, especially when looking for vulnerabilities in the environments of defense contractors.
“Those techniques are common in those environments, especially if you’re in an air-gapped environment. You don’t really have a lot of capabilities to pull down all your favorite tools,” Soby, now chief technology officer of the SaaS security company AppOmni, said. He described one instance, after finding an entry point, of using local Python code interpreters to create a script that would move from one system to another, ultimately to the desired endpoint.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“You use whatever’s available on the system. So if there are common administrative tools that happen to be installed, great. You can use those tools because using those tools probably won’t get flagged,” Soby told IT Brew.
Cisco’s Talos threat research team provided in a February blog post details of a sophisticated “Zardoor” malware campaign that “likely persisted since at least March 2021” and used several LoLBins, or Living off the Land binaries, including the transaction-coordinating component Microsoft Distributed Transaction Coordinator (MSDTC) service (“msdtc.exe”) to evade detection.
Nick Biasini, head of outreach, Cisco Talos, noted that “hundreds and hundreds and hundreds” of scripts are available in utilities like PowerShell and the Windows Management Instrumentation command-line tools that are available for use if an attacker gets access to the right machine, at which point they could perform administrative tasks like create accounts, run commands, and gather information.
“PowerShell is one of the most powerful utilities in Windows. And it is an absolute boon for adversaries. They love abusing it just as well as IT administrators love using it to make their job easier,” Biasini told IT Brew.
In an email shared with IT Brew, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, recommended CISA’s mitigation guide and advised admins to turn on logging capabilities within PowerShell and to limit PowerShell capabilities for non-admin users.