Living off the land (LOTL) techniques involve the use of legitimate tools and applications to carry out malicious activities, making it challenging to detect and defend against them. These techniques are often used by Advanced Persistent Threats (APTs) to infiltrate and remain hidden in a victim's network, enabling them to exfiltrate sensitive information or carry out sabotage.
An Advanced Persistent Threat (APT) is a type of cyberattack where a threat actor, typically a nation-state, criminal group, or other highly skilled attacker, gains unauthorised access to a network or system and remains undetected for an extended period. The goal of an APT is to steal sensitive information, disrupt operations, or maintain long-term access to the target network.
APTs are different from other types of cyber threats because they are highly skilled, patient, and well-resourced. They often have a specific target in mind and will use multiple attack vectors to achieve their goal. APTs are also capable of adapting to changes in the target environment and modifying their tactics to evade detection.
Why APTs use Living off the land (LOTL) techniques?
The term "living off the land" comes from the fact that the attackers use the resources that are already available on the compromised system. They exploit operating system features, administrative tools, and other built-in applications to execute their attack. This approach allows attackers to remain hidden and avoid detection, as the tools and programs used are often overlooked by security teams.
Another significant advantage of Living off the land (LOTL) attacks is that they allow threat actors to remain undetected for long periods. Since these attacks don't always rely on known malicious code or exploits and include zero days, they are difficult to detect using traditional antivirus software. Moreover, attackers can execute their activities in stages and take their time to move laterally across a network, making it harder for security teams to track and isolate the attack.
One of the most common techniques used by APTs is EDR bypass. EDR (endpoint detection and response) solutions are designed to detect and respond to threats on endpoints, such as desktops, laptops, and servers. However, APTs find ways to bypass EDR solutions by using LOTL techniques, such as PowerShell scripts or WMI tools, that mimic legitimate system activities. By doing so, APTs can remain undetected by EDR solutions and continue their attack undetected.
For reference a report in 2021 “An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors” By George Karantzas and Constantantinos from the Department of Informatics, University of Piraeus.
This report outlines the ways bypass can be achieved and in nearly all EDR tested, the researchers were able to be bypassed with known techniques. Furthermore, Red Piranha has observed Malware in the wild with the capability to detect up to 25 EDR products being used by the defenders and then running active bypass on the detected EDR being operated.
APTs are using advanced techniques, such as LOTL and EDR bypass, to evade traditional security measures and carry out their attacks. To defend against these threats, organisations need to adopt a comprehensive security approach that combines EDR and NDR solutions. This approach provides complete visibility into the network, detects threats that have already infiltrated the network, and responds to them quickly, reducing the risk of damage to the organisation.
Living off the land (LOTL) techniques and tools used by APTs:
- PowerShell attacks: PowerShell is a powerful command-line shell and scripting language that is built into Windows. It is widely used by IT administrators for system administration tasks. However, APTs use PowerShell scripts to carry out malicious activities, such as executing commands, downloading and executing malware, or extracting sensitive data.
- Windows Management Instrumentation (WMI) attacks: WMI is a management framework built into Windows that provides a standard way of accessing system management information. APTs use WMI to execute commands, download and execute malware, or extract sensitive information.
- Registry manipulation: The Windows Registry is a central database that stores configuration information for the operating system, applications, and users. APTs use registry manipulation techniques to execute malicious code or hide their activities from security tools.
- Fileless attacks: Fileless attacks do not rely on malware files but instead use legitimate system tools and applications to carry out their activities. For example, APTs can use PowerShell commands or WMI queries to download and execute malicious code in memory, making it difficult to detect and defend against. Frodo and The Dark Avenger are early examples of some these attacks, examples of execution can be from compressed files or PDF’s.
To address this challenge, organisations need to adopt a Network Detection and Response (NDR) approach in conjunction with Endpoint Detection and Response (EDR). NDR solutions are designed to monitor network traffic, including east-west traffic, and can detect and respond to threats that have already infiltrated the network. By combining NDR and EDR, organisations can gain a comprehensive view of their network, detect threats that have evaded endpoint defences, and respond to them quickly.
To defend against Living off the land (LOTL) attacks, security teams need to focus on achieving a Zero Trust Architecture as well as focussing on detecting anomalous behaviour with a strong monitoring program that is constantly reviewed and tuned. This requires the use of advanced threat detection tools, such as Network Detection and Response (NDR) solutions, that can analyse network traffic and detect unusual patterns of behaviour with expanded SOC capability.
NDR solutions use advanced machine learning algorithms to detect anomalous behaviour in network traffic, such as unusual data transfer patterns, lateral movement, or C2 traffic. In addition, NDR solutions can provide context and visibility into the network, enabling security teams to investigate and respond to threats quickly.
In conclusion, Living off the land (LOTL) techniques are a significant challenge for security teams, as they leverage trusted tools and applications to carry out malicious activities. To defend against these techniques, organisations need to adopt a comprehensive security approach that includes the use of advanced threat detection tools, such as Network Detection and Response (NDR) solutions , that can detect and respond to anomalous behaviour on the network.