Cyber trends tend to come and go, but one popular technique we’re seeing currently is the use of living-off-the-land binaries. The concept of “living off the land” (LotL) was first introduced by Christopher Campbell and Matt Graeber at Derbycon 3.0 (2013) and refers to attackers using binaries already present on a system, supplied by the operating system or installed by the user, that have legitimate purposes but can also be abused by malicious actors. This lets the attacker blend in with regular network activity and routine administrative tasks while remaining hidden, which is far less likely to raise any red flags.
It should be noted that LotLBins are being used by different threat actors in combination with fileless malware and legitimate cloud services to improve their chances of staying undetected within an organization, usually during post-exploitation phases. Capabilities offered by LotLBins include DLL hijacking, hiding payloads, process dumping, downloading files, bypassing UAC, keylogging, code compiling, log evasion, code execution, lateral movement, and persistence. The concept of LotLBins is not new. Almost all conventional operating systems, beginning with the early DOS versions and Unix systems, contained executables that attackers could abuse. Windows alone, however, has more than 100 system tools that cyber attackers can use.
In this blog series, we’ll explore why threat actors use LotL, review how it works, and discuss examples of actual LotL attacks. We’ll also provide some guidance for detecting and preventing some of the commonly used approaches.
Why Attackers Live Off the Land
The living off the land technique gives attackers an opportunity to fly under the radar. A legitimate tool is less likely to raise suspicion, and it lets them evade many detection methods based on hash values, IOCs, and signatures.
LotL attacks can be highly effective. The Ponemon Institute’s State of Endpoint Security Risk Report found that fileless attacks are about ten times more likely to succeed than file-based attacks.
Since these tools are usually whitelisted in detection rules by security operations centers (SOCs), activity from them is often ignored as well. Living off the land (LotL) tactics let attackers defer the use of malware until much later stages of the attack chain, as in the case of ransomware, leaving the victim little or no time to respond.
It also makes attribution more time intensive, since investigators must first determine who is behind the malicious activity if they discover it at all. Attack groups are generally identified by the malware they use; sophisticated cybercrime groups and state-backed actors often use custom malware, which makes it easy to identify when they are behind a given activity. When an attack is carried out with LotL tools and non-custom malware, it is much harder to determine who might be responsible.
Taken together, these reasons explain why attackers are increasingly turning to LotL tools to carry out their activities.
Why is Popularity Continuing?
The evidence suggests that LotL TTPs (tactics, techniques, and procedures) will only become more popular over time. CrowdStrike’s 2019 Global Threat Report states that over 40% of attacks are now performed using already installed tools and features.
LotL TTPs are becoming increasingly accessible within open-source and popular hacking frameworks and tools such as Metasploit, PowerSploit, Exploit Pack, and more. Not to mention, commodity malware, which can be rented or purchased cheaply, already includes LotL functionality when sold.
Until recently, LotL techniques were mostly used in post-compromise activities, where attackers leveraged legitimate admin tools such as PowerShell, Windows Management Instrumentation (WMI), CMD, PsExec.exe, and others to perform reconnaissance and lateral movement. But over the last few years, LotLBins have become popular among malware authors as part of their initial compromise payload.
Seeing LotL techniques in a cyberattack is no longer an indication of an advanced threat actor group or sophisticated malware. Nevertheless, detection and mitigation remain difficult for most organizations, even those with dedicated security teams.
How Do LotL Attacks Work?
As we mentioned, the concept of LotLBins is not new and isn’t specific to Windows. Almost all conventional operating systems (OS) contain executables that attackers could exploit; however, for the sake of examples, we will focus on Windows OS.
Attackers who are living off the land will usually use one of four approaches:
- Dual-use tools: hijacking of tools used to manage networks and systems, which gives the attacker the ability to traverse networks, run commands, steal data, and even download additional programs or malware. Examples include File Transfer Protocol (FTP) clients and PsExec, a Microsoft Sysinternals tool used to execute processes on other systems.
- Fileless persistence: a form of attack in which a malicious infection survives a reboot even though it was never written to the hard disk as a file. This is usually achieved by storing malicious scripts in the Windows Registry, such as Visual Basic Script (VBS) code kept in registry values.
- Memory-only threats: the harmful payload is executed directly in memory. This is a well-established form of attack: in 2001, the memory-only Code Red worm infected a large number of systems through a vulnerability in Microsoft’s IIS web server. A memory-only approach places the infection straight into a device’s memory; a restart removes it, but an unpatched computer is at constant risk of reinfection.
Attacks may involve activities in one or more of these categories and there have been several combined threats identified over the years.
How to Protect Against Living-off-the-Land Attacks
Primary Defense Tactics
The first line of defense against LotL attacks is to limit the possibility of illicit access to the network. It is important that two-factor authentication and effective credential management are in place on all VPNs and remote access systems. A sophisticated approach to overseeing user and machine identities will narrow the attack vector for malicious actors—making it harder for them to gain access and move laterally in the network. Companies with lost or compromised keys and certificates are particularly at risk. Stolen keys and login credentials can give attackers initial access to otherwise private and encrypted areas. The ability to analyze and monitor identity creation and use will also make it more likely that the behavior of an infiltrator will be spotted in the first place. (Remember that attackers living off the land usually behave in ways that make it hard to identify the attack.)
In addition, ensuring that data exchange between tools and system functions inside the network is effectively encrypted will limit the damage an attacker can do if they do get inside undetected. Attackers have also abused system features that help manage certificates. For example, the Windows program CertUtil (used to download and update certificates) has been used by attackers to download additional malicious payloads once they have enticed users to open compromised files.
- Monitor the usage of dual-use tools inside your network.
- Use application whitelisting where applicable.
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
- Be wary of Microsoft Office attachments that prompt users to enable macros.
- Keep security software and operating systems up to date.
- Enable advanced account security features, like 2FA and login notification, if available.
- Use strong passwords for all your accounts.
- Always log out of your session when done.
Taking a Parent-Child Perspective
Things get more interesting from a parent-child perspective, since an unusual child process spawned by a parent process can indicate malicious activity. For example, word.exe spawning powershell.exe could indicate a Spearphishing Attachment. Current approaches to detecting LotL attacks through parent-child relationships rely on hand-written rules and heuristics. While these work well, they can be either too rigid or too lax and do not generalize well, and writing them takes a significant amount of manual effort.
Perhaps a more helpful tactic is to use your SIEM and search for all these binaries, libraries, scripts, commands, and operations (depending on the logs you have). Once you have run the search, here are some additional steps:
- To start off, these searches will return a lot of administrative account activity, since network and system admins use these tools regularly for their daily duties. Build a list of these users and exclude them from your search.
- Next, group the remaining events by username and count. Any account that regularly uses a large number of these tools and features should be investigated. Continue with this method until you are satisfied that most legitimate behavior is accounted for. (The time period will depend on the scale and complexity of your environment.)
- The tuned-down data can then serve two purposes. First, regularly threat hunt your logs for accounts with spikes in these events that are not known to you. Second, set up SIEM rules to detect spikes in usage of these tools or features by any non-admin account.
- Finally, create a lookup table or reference set containing all the binaries, libraries, scripts, commands, and operations. If a non-admin account uses a large number of them within a set time frame (24 hours is recommended, but tune this to your environment), alert for further investigation.
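To make the parent-child check and the per-account count above concrete, here is an added example (not from the original post) in Python that runs both over a constructed batch of process-creation events. The event field layout, the admin exclusion list and the small LOLBin lookup table are assumptions; a real deployment would load the full LOLBAS list and your tuned admin list from the SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "timestamp|user|parent_image|image"
SAMPLE_EVENTS = """\
2024-05-01T08:00:00|CORP\\jsmith|explorer.exe|winword.exe
2024-05-01T08:01:10|CORP\\jsmith|winword.exe|powershell.exe
2024-05-01T08:02:00|CORP\\jsmith|powershell.exe|certutil.exe
2024-05-01T09:00:00|CORP\\jsmith|cmd.exe|bitsadmin.exe
2024-05-01T09:30:00|CORP\\jsmith|cmd.exe|regsvr32.exe
2024-05-01T10:00:00|CORP\\admin1|cmd.exe|certutil.exe
2024-05-01T10:05:00|CORP\\admin1|cmd.exe|psexec.exe
2024-05-01T10:06:00|CORP\\admin1|cmd.exe|wmic.exe
2024-05-02T11:00:00|CORP\\mlee|explorer.exe|outlook.exe
2024-05-03T11:00:00|CORP\\mlee|cmd.exe|certutil.exe
"""

# Assumed lookup table: a handful of commonly documented dual-use binaries.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "regsvr32.exe", "mshta.exe",
           "rundll32.exe", "wmic.exe", "psexec.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ADMIN_ACCOUNTS = {"CORP\\admin1"}  # assumed exclusion list built in step 1

def parse_events(text):
    """Return (timestamp, user, parent_image, image) tuples, images lower-cased."""
    events = []
    for line in text.strip().splitlines():
        ts, user, parent, image = line.split("|")
        events.append((datetime.fromisoformat(ts), user, parent.lower(), image.lower()))
    return events

def suspicious_parent_child(events):
    """Office application spawning a shell or script host, e.g. winword.exe -> powershell.exe."""
    return [(user, parent, image) for _, user, parent, image in events
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS]

def lolbin_spikes(events, threshold=3, window=timedelta(hours=24)):
    """Non-admin accounts with >= threshold LOLBin executions in any sliding 24 h window."""
    per_user = defaultdict(list)
    for ts, user, _, image in events:
        if image in LOLBINS and user not in ADMIN_ACCOUNTS:
            per_user[user].append(ts)
    flagged = {}  # user -> largest count seen inside one window
    for user, stamps in per_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for ts in stamps[i:] if ts - start <= window)
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged
```

With the sample data, jsmith is flagged by both checks while admin1 is excluded and mlee stays below the threshold.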
Knowing what tools and features these attackers use will help you better protect against these attacks. There are a lot of great resources out there already. Let’s highlight a few of the most helpful:
- The LOLBAS Project
This project documents every binary, script, and library that can be used for LotL techniques on Windows. See the project’s README for further information. More importantly for us, see the LOLBAS list itself, which covers all 115 binaries, scripts, and libraries we will look for in the next steps.
- GTFOBins
Inspired by LOLBAS, GTFOBins documents 188 Unix binaries that can be abused and, therefore, used as part of LotL attacks. See the GTFOBins site for the full list.
- JPCERT
JPCERT (the Japanese CERT) releases a lot of great cybersecurity content. Back in 2016, they released a post on Windows commands abused by attackers, which still applies today. It breaks these down into three categories: Initial Investigation, Recon, and Spread of Infection. See the full post for details.
- Azure Sentinel Rare Operations
One of the Azure Sentinel detections looks for rare operations that should not occur outside a few accounts but can be useful for attackers. See the post for the operations to look for and the accounts to ignore.
These binaries, libraries, scripts, commands, and operations can be a great resource to help detect and block LotL attacks.
Ultimately, an attacker who is living off the land has a finite set of resources available – the tools and systems they can access once they’ve infiltrated a network. By limiting which of the potentially harmful features they can access and what they are able to do with them, a LotL attack can hopefully be identified and stopped much faster. We hope you have found this article interesting and will be able to implement some of the above defense tactics.
Check out our next article, “Astaroth: Banking Trojan,” as we dive into real-world examples of living-off-the-land attacks.