Detecting Living Off the Land attacks in corporate networks

Living Off the Land (LOTL) involves cyber attackers using existing software and services within a corporate network for malicious purposes. The ENISA Threat Landscape Report 2024 shows that ransomware groups in particular are increasingly using LOTL methods to disguise their activities and avoid early detection.

What are Living Off the Land attacks?

Instead of installing external malware, attackers use legitimate and essential applications such as PowerShell, Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP). Because these tools are commonly used for administrative tasks, the attacks are difficult to detect. In practice, this means that attackers can move around the network undetected and gain control of tools that are supposed to be trusted.

LOTL techniques are particularly insidious because they bypass traditional security solutions such as firewalls or antivirus software. For example, an attacker can use PowerShell to run malicious scripts, extract data, or make network requests without being immediately detected. Delayed detection of such attacks increases the risk of serious damage and high recovery costs. However, there are technologies and measures that can counteract this.

Common LOTL methods and their characteristics

Look out for the following signs to recognise Living Off the Land attacks at an early stage:

PowerShell

PowerShell is a powerful Windows tool for automating tasks. Attackers use it to exfiltrate data, install malware, or load additional tools.

• Unusually high number of running PowerShell processes.
• PowerShell executions at atypical times or by unauthorised users.
• Commands originating from external servers.

Windows Management Instrumentation (WMI)

Attackers use WMI for remote monitoring, command execution or to spread malware on the network.

• Frequent WMI calls with instructions to multiple endpoints.
• WMI queries targeting sensitive data or network settings.
• WMI usage by unauthorised users or outside normal business hours.

Remote Desktop Protocol (RDP)

RDP enables remote access to systems and is often used by attackers for lateral movement in the network.

• Unusual RDP sessions, especially from unknown IP addresses.
• Connections at times when the company is not normally working.
• Increase in failed login attempts with RDP.

Task Scheduler

The Windows Task Scheduler is often used for scheduled tasks, but can be used by attackers to launch persistent malicious scripts.

• New or unknown scheduled tasks that appear in Task Scheduler.
• Scheduled tasks that are executed from unknown paths or with unknown commands.
• Regular repetition of tasks that exfiltrate data or perform other unusual activities.

Microsoft Office Makros

Macros in Microsoft Office documents can be used to execute malicious code.

• Activated macros in unknown documents, especially via e-mail.
• Documents with macros that reload external files.
• Sudden increase in macro usage by atypical users.

CertUtil

CertUtil is a Windows command for managing certificates, but can be misused for data encoding and malware transmission.

• CertUtil for downloading files from external URLs.
• Encoded or decoded files via CertUtil..
• Use of CertUtil outside of normal processes.

Bitsadmin (Background Intelligent Transfer Service)

Bitsadmin is a Windows tool that is used for file transfer and can be used by attackers to secretly transfer files.

• Bitsadmin processes that download files from external or unknown sources.
• Regular background downloads that do not relate to software updatesn.
• Unusually high data transfer via Bitsadmin processes.

Netsh (Network Shell)

Netsh is used for network configuration and can be misused by attackers to manipulate firewalls or activate ports.

• Changes to firewall rules by Netsh outside the usual network configuration.
• Activation of ports that are normally closed.
• Netsh commands that are executed by unknown users or at unusual times.

Quick Wins against LOTL attacks

Many LOTL attacks can be detected or prevented at an early stage by tweaking the security settings of commonly misused tools:

• PowerShell Script Block Logging: This function records every PowerShell input and enables filtering for unusual cmdlets or Base64-encoded content that is often used for script obfuscation.
• Alarm rules for the Task Scheduler: Set alarm rules for the creation or modification of scheduled tasks and monitor them for unknown or unusually timed tasks.
• Geofencing for RDP and other remote access tools: Restrict access to administrative tools to specific countries or regions and track unauthorised access.

Long-term strategies and measures against LOTL attacks

Protection against LOTL methods requires continuous monitoring of networks and endpoints to detect anomalies in user and device behaviour.

Network monitoring and behaviour monitoring

• EDR (Endpoint Detection and Response): EDR systems continuously monitor end devices and identify suspicious activities based on anomalies and behavioural patterns.
• SIEM (Security Information and Event Management): SIEM systems collect and analyse security-relevant event data from various sources to provide a comprehensive overview. By correlating anomalies and threat indicators, they recognise suspicious activities.
• User and Entity Behavior Analytics (UEBA): UEBA tools analyse the normal behaviour of users and devices and provide alerts in the event of deviations. Unusual use of administrative tools such as PowerShell or remote sessions can thus be detected at an early stage.
• Detection rules and alerting: Extend the monitoring with rules that identify certain attack patterns, e.g. the simultaneous use of PowerShell and CertUtil. Pay particular attention to users who suddenly access administrative tools or have unusual logon patterns.

Network segmentation and access restriction

• Segment internal resources: Restrict access to critical tools such as RDP, WMI and SMB to specific network segments and devices. Activate network logging and set alarms in the event of unauthorised access or attempts to circumvent segmentation.
• Isolated network environments for critical systems: Particularly sensitive or critical systems should be operated in isolated network segments. This prevents attackers from accessing critical systems even when they are moving around the network.
• Least privilege principle: Only grant each user the minimum required access rights. If an account is taken over, the attackers can also only access restricted areas.
• Multi-factor authentication (MFA): Add an additional level of authentication for all administrative and sensitive access. Even with compromised access data, unauthorised access is made more difficult.

Outbound Traffic Monitoring and Deep Packet Inspection (DPI)

• Monitoring outbound network traffic: DPI and outbound traffic monitoring can be used to identify suspicious connections to external command and control (C2) servers.
• Filter DNS and HTTP connections to cloud storage services such as Google Drive and Dropbox as well as frequently used APIs such as the Microsoft Graph API. Investigate unusually high data transfers.

Threat analysis and targeted deception

• Threat Intelligence: Threat data feeds provide information on current attack methods and Indicators of Compromise (IOCs). Integrate these feeds into EDR or SIEM systems to receive alerts when known threat patterns emerge.
• Use of Honeypots: Set up honeypots that masquerade as critical tools or applications. Access to these decoy systems automatically triggers an alert and enables the identification of potential attackers and their origin.

Zero Trust and Awareness

• Zero trust security model: Rely on a zero trust architecture where devices and users in the network are not classified as trustworthy by default. Strict authentication and access controls prevent unauthorised access to internal tools and applications.
• Training: As LOTL attacks are often based on social engineering, it is important to regularly train employees on current attack techniques and security guidelines.

This might also interest you:

Living off Trusted Sites: cyber attackers abuse legal services
Effective integration of threat intelligence with cyber defence
SQL Injection: Attacks by malicious code in website requests