Living Off the Land Attacks: LOTL Definition & Prevention

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Living off the land (LOTL) attacks use legitimate programs that already exist on a computer, rather than installing malware from an external source onto a system. The stealthy nature of these attacks can make them effective — and difficult for security teams to detect and prevent.

To prevent LOTL attacks, security teams must use sophisticated detection methods, as well as closing loops in popular computer programs with known vulnerabilities. This guide to LOTL security explains some of the most common LOTL vulnerabilities and prevention methods that security teams can use.

Jump ahead to:

How Living off the Land Attacks Work

Living off the land attacks originate within a valid computer program, like script-writing software or a command line tool. Attackers gain access to the program and perform actions like writing new malicious code or escalating their own user privileges.

Many attacks like these are known as fileless malware attacks because they don’t need code to be installed onto a machine through an external file. Rather, they use a legitimate source. Often, LOTL attacks don’t have a signature, either.

A lack of signature or of recognizable malware makes it very difficult to track and identify LOTL attacks. Such an attack can’t always be found in a feed of common threats. IT and security teams will often have trouble locating the initial problem because the threat comes from a valid computer program on their organization’s network.

How Do LOTL Attackers Access Your Machine?

If a threat actor finds legitimate existing credentials for an application or program, they can log in without having to download malware or brute force their way into the system. They may use a tool like Mimikatz to extract credentials stored in memory, steal credentials to a powerful management program like PowerShell, or they might find login information for IT remote access applications like TeamViewer and AnyDesk, which help IT admins connect remote computers. Any compromised application that allows users to make changes — or even an application that simply allows too many permissions — can result in an LOTL attack.

Note that although brute forcing passwords can still permit a threat actor to carry out an LOTL attack, they’re more noticeable to security teams.

Threat actors can also identify backdoors that haven’t been closed off properly. Back doors are vulnerabilities within a computer program that allow users to access the program without following the predetermined guidelines for entry (namely, credentials and any additional authentication).

LOTL attacks are often simplest for malicious insiders to carry out. These attackers may not even need to steal credentials or find a backdoor because they’re already a trusted member of the organization they’re attacking.

Read more about the ways hackers evade detection.

Commonly exploited programs

While there are literally hundreds of avenues an LOTL attacker can use, not all of them are regularly exploited. The following tools are some common vectors used to carry out LOTL attacks.

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is a management tool for Windows admins to write scripts and connect computer systems. If taken over, it has admin privileges that allow an attacker to perform a variety of different tasks. An attacker could download code from an external system to then run it on that computer system. This type of malicious code is harder to track because it was pulled by a legitimate Windows tool, rather than downloaded directly from an outside email or file.

Mimikatz

Mimikatz can pull credentials from computer memory and increase users’ access privileges. It’s a vulnerability within Windows that allows an attacker to decrypt hidden passwords while they’re in memory. Mimikatz can be exploited either by using older versions of Windows than Windows 10 or by escalating privileges enough to then toggle the Mimikatz capability on.

PowerShell

PowerShell is a Microsoft task and configuration tool that uses command line functionality. It’s useful for IT admins who need to manage configuration jobs for business devices, including for remote workforces. But PowerShell is also highly exploitable — a Cisco study found that it was used in more than a third of critical security threats. Its remote support means that an attacker who takes control of the command line can control the entire network of connected devices. PowerShell is also available to more junior IT employees, so it often doesn’t have tight enough access controls.

Read more: Cybersecurity Agencies Release Guidance for PowerShell Security

Behaviors on exploited systems

Once a threat actor has breached a legitimate application, they may do the following:

  • Escalate their privileges so they can take administrative actions
  • Write malicious commands directly into the command line
  • Steal data from that application and move it to an external location for future use
  • Access another application on the company’s network through lateral movement

A prized target of hackers is often Active Directory, which controls credentials and access rights on Windows domain networks.

5 Best Practices for Preventing LOTL Attacks

The following strategies help your business not only prepare for LOTL attacks but also reduce threat actors’ opportunities to compromise your legitimate systems.

Use LOLBINS to track binary activity

The Living off the Land Binaries, Scripts, and Libraries project (LOLBAS) offers a comprehensive list of exploits attackers use. It’s best to study one binary (LOLBIN) at a time, examining how the specific program is typically used. Once your team knows what appropriate usage looks like, you can begin identifying abnormal behavior from that program.

Derek Wilson, principal consultant at security firm NetSPI, underscored the importance of using this resource. “By finding a way to baseline detections against something like the Living Off the Land Binaries And Scripts (LOLBAS) project, which is set up to track LOTL threats, teams can then build proactive detection plans for the procedures that aren’t caught,” he said.

Wilson recommended additional software to help teams develop general detection methods. “Breach and attack simulation (BAS) tools are invaluable in baselining detective controls and continuously improving detection of LOTL attacks,” he said. BAS tools give security teams insight into an attack lifecycle, behaving like a threat actor might to find security weaknesses more quickly.

Block binaries and allow only necessary applications

Block binaries that are frequently exploited in LOTL attacks. According to Wilson, prevention is the first step to protect computer systems from attacks. He recommends that security teams review Microsoft’s recommended block rules and attack surface reduction rules as a “jumping-off point.”

“These resources are full of LOTL-abusable binaries that organizations should not use,” Wilson said. “Still, the recommendation is to find out if you really need these binaries available and, if not, to block them outright.”

Wilson also recommends application allowlisting, which helps reduce LOTL risks by significantly limiting the number of applications that your systems can use. Rather than just blocking a few bad applications, allowlisting, or whitelisting, permits only the software your business’s teams explicitly need.

Monitor user behavior

Employ advanced behavioral monitoring and analytics. While behavioral monitoring may not solve every LOTL question, it’s a more advanced method of tracking user behavior. Behavioral technology like UEBA looks at the details of user activity, including lengthy periods spent in a particular system, the time of day that a command is given, and other deviations from typical behavior.

Read more about behavioral analytics in cybersecurity.

Keep a close eye on credentials

Update credentials if one account has been demonstrating strange behavior — the account may have been hacked or abused. If an IT admin’s PowerShell account has been giving unusual series of commands or performing actions at a strange time of day, reset the password for that local user account. If an attacker is using valid credentials to access that PowerShell instance, they’ll have to find another way into the program.

Use multifactor authentication

MFA technologies help minimize the chance that an attacker can log in using valid credentials. They’d have to have access to the legitimate user’s phone or biometrics, depending on the additional MFA method. While MFA is difficult to set up for tools like PowerShell, it’s critical for all security software and important for programs that integrate with other programs. If an attacker logs into one of these programs, they could laterally move to another tool in the network and wreak havoc.

How to Recover from Living Off the Land Attacks

If your business has already undergone an LOTL attack, take the following recovery steps:

  • Change credentials for any accounts or systems affected. Setting new passwords, particularly strong ones, will help re-strengthen exploited accounts.
  • Store credentials securely. Don’t just rely on creating strong passwords — use cryptographic tools like password managers to protect them from prying eyes.
  • Back up all necessary files on the hard drive from the infected system and then perform a clean install of your machine’s OS. This deletes any compromised programs so they can be replaced by a newly installed, uninfected version.
  • Perform an access control audit. Everyone in the organization should only have access to the applications they absolutely need to do their job; this reduces the number of available credentials to vulnerable programs.

What Tools Help Defend Against LOTL Attacks?

While not an exhaustive list, the following technologies provide advanced security measures that go beyond basic detection and response methods.

UEBA

UEBA providers like LogRhythm and Rapid7 help businesses explore user behavior at a more advanced level. Using behavioral analytics to detect malicious actions can help security teams identify LOTL threats they wouldn’t otherwise find.

Adaptive Protection

Symantec’s endpoint protection solution has an Adaptive Protection feature that uses behavioral analytics and threat telemetry to identify legitimate applications that are being exploited and to shut down LOTL attack paths. It also examines legitimate applications’ standard behavior to identify anomalies over time.

Managed threat hunting

Managed threat hunting providers employ teams of experts to perform detailed threat searches and analysis. If your IT or security teams don’t have the time or resources to examine computer systems for potential LOTL attacks, managed services like MDR are a good choice. These experts have dedicated time and tools to identify potential malicious behavior from legitimate business applications.

Detection engineering

Detection engineering uses logs and other data sources to identify specific predetermined threats that security teams don’t yet have a method of detecting. It’s intended to develop a long-term threat detection lifecycle that teams can use over time. To begin the detection engineering process, teams should perform threat modeling based on the attacks they’re most likely to experience and the tools they use most often.  While few vendors have solutions specific to detection engineering, teams can use log management and threat intelligence tools as part of their own detection strategy.  

Bottom Line: Protecting Against Living-off-the-Land Attacks

While living off the land attacks are challenging for security teams to identify, the development of advanced cybersecurity methods and threat detection will help organizations approach LOTL with more confidence. While LOTL threat reduction can be time-consuming, tactics like managed threat hunting and behavioral analytics are promising because they help teams dive into the specifics of attack prevention and identification. The more data your team can access and understand, the better prepared you’ll be to identify subtle attacks.

Read next: Network Protection: How to Secure a Network

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Jenna Phipps Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.




Top Cybersecurity Companies

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis