A Living off the Land (LotL) attack describes a cyberattack in which intruders use legitimate software and functions available in the system to perform malicious actions on it.
Living off the land means surviving on what you can forage, hunt, or grow in nature. LotL cyberattack operators forage on target systems for tools, such as operating system components or installed software, they can use to achieve their goals. LotL attacks are often classified as fileless because they do not leave any artifacts behind.
Most LotL attacks employ the following legitimate tools:
- PowerShell, a script-launching framework that offers broad functionality for Windows device administration. Attackers use PowerShell to launch malicious scripts, escalate privileges, install backdoors, and so on.
- WMI (Windows Management Instrumentation), an interface for access to various Windows components. For adversaries, WMI is a convenient tool for accessing credentials, bypassing security instruments (such as user account control (UAC) and antivirus tools), stealing files, and enabling lateral movement across the network.
- PsExec, a remote command execution tool that adversaries use to implant malicious code.
- Mimikatz, a security scanning tool for Windows that logs user credentials.
Risks associated with LotL attacks
Attackers do not leave traces in the form of malicious files on device hard drives, so Living off the Land attacks cannot be detected by comparing signatures.
Additionally, operating system tools, such as PowerShell and WMI, may appear in the security software’s allowlist, which also impedes detection of their anomalous activity.
Finally, adversaries’ use of legitimate tools also complicates the investigation and attribution of cyberattacks.
Protection against LotL
To counter LotL attacks, cybersecurity professionals use solutions based on behavioral analysis. The technology detects anomalous program and user activity – actions that could signify an attack in progress.