Living off the Land: How hackers blend into your environment

Cyber-criminals don’t need to write bespoke malware for every heist. It is often cheaper, easier, and more effective to turn an organization’s own infrastructure against it. This strategy – known as ‘Living off the Land’ – involves threat actors leveraging the utilities readily available within the target organization’s digital environment to move through the cyber kill chain.
Among the tools most commonly exploited for nefarious purposes are PowerShell, Windows Management Instrumentation (WMI), and PsExec. These tools are used by network administrators as part of their daily routines, and traditional security tools reliant on static rules and signatures often have a hard time distinguishing between legitimate and malicious use.
While the term was first coined in 2013, Living off the Land tools, techniques, and procedures (TTPs) have boomed in popularity in recent years. In part, this is because the traditional approach to defensive security — blocklisting file hashes, domains, and other traces of threats encountered in previous attacks — is ill-equipped to identify these attacks. So these stealthy, often fileless attacks have pushed their way into the mainstream.
And concerningly, Living off the Land attacks have a particular history in highly organized, targeted hacking. APT groups have long favored Living off the Land TTPs, since evasion is a top priority. And trends show that ransomware groups are opting for human-operated ransomware that relies heavily on Living off the Land techniques, instead of commodity malware.
Hallmarks of a Living off the Land attack
Before a threat actor can turn your infrastructure against you in a Living off the Land attack, they must first be able to execute commands on a targeted system. Living off the Land is therefore a post-infection framework for network reconnaissance, lateral movement, and persistence.
Once a device is infected, there are hundreds of system tools at the attacker’s disposal – these may be pre-installed on the system or downloaded via Microsoft-signed binaries. And, in the wrong hands, other trusted third-party administration tools on the network can also turn from friend to foe.
As Living off the Land techniques evolve, there is no single typical attack to describe. However, these TTPs can be grouped into broader categories.
Microsoft-signed Living off the Land TTPs
Microsoft is ubiquitous in the business world and across industries. The Living off the Land Binaries and Scripts (LOLBAS) project aims to document every Microsoft-signed binary and script whose functionality APT groups can repurpose in Living off the Land attacks. To date, there are 135 system tools on this list that are vulnerable to misuse, each aiding a different objective: creating new user accounts, compressing and exfiltrating data, gathering system information, launching processes on a target destination, or even disabling security services. Both Microsoft’s documentation of vulnerable pre-installed tools and the LOLBAS project are growing, non-exhaustive lists.
Command line
When it comes to delivering a malicious payload to the target, WMI (WMIC.exe), the command line tool (cmd.exe), and PowerShell (powershell.exe) were used most frequently by attackers, according to a recent study. These commonly exploited command line utilities are used to configure security settings and system properties, report sensitive network or device status, and transfer and execute files between devices.
Specifically, the command line group shares three key traits:
- They are readily available on Windows systems.
- They are frequently used by most administrators or internal processes to perform everyday tasks.
- They can perform their core functionalities without writing data to a disk.
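The three traits above are also what a defender has to work with: the binary itself is legitimate, so triage has to look at who launched it and how. The following is an added example, not code from this post or from the LOLBAS project, that scores process-creation events for the utilities named above. The events are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the scoring weights and the set of parent processes treated as unusual are assumptions chosen for illustration.

```python
"""Triage of process-creation events for command-line Living off the Land
utilities. Added example: not Darktrace's or the LOLBAS project's code.
Events are constructed in the shape of Sysmon Event ID 1 fields; the
weights and the 'unusual parent' set are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Utilities the page names as most frequently repurposed by attackers.
LOLBINS = {"wmic.exe", "cmd.exe", "powershell.exe", "psexec.exe"}

# Parents that rarely have a legitimate reason to spawn a shell or WMI client
# on a workstation (assumption: document, mail and browser applications).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}

# Command-line features that go with the 'no data written to disk' trait:
# encoded commands, remote content fetched at run time, hidden windows.
ENCODED = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
REMOTE_CONTENT = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|https?://)")
HIDDEN = re.compile(r"(?i)(-nop\b|-w(indowstyle)?\s+hidden|invoke-expression|\biex\b)")


@dataclass
class Finding:
    event_id: int
    image: str
    score: int
    reasons: List[str]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None means nothing worth raising."""
    image = _basename(event["Image"])
    if image not in LOLBINS:
        return None
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    score, reasons = 0, []
    if parent in UNUSUAL_PARENTS:
        score += 3
        reasons.append(f"spawned by {parent}")
    if ENCODED.search(cmd):
        score += 2
        reasons.append("encoded command")
    if REMOTE_CONTENT.search(cmd):
        score += 2
        reasons.append("fetches remote content at run time")
    if HIDDEN.search(cmd):
        score += 1
        reasons.append("hidden or in-memory execution flags")
    if image == "wmic.exe" and "/node:" in cmd.lower():
        score += 2
        reasons.append("WMI command aimed at a remote host")
    if score == 0:
        return None
    return Finding(event["EventId"], image, score, reasons)


def triage_all(events: List[dict]) -> List[Finding]:
    return [f for f in (triage(e) for e in events) if f is not None]


EVENTS = [  # constructed sample events, not real telemetry
    {"EventId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand BASE64_PLACEHOLDER"},
    {"EventId": 3, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic.exe /node:FILESRV01 process call create "notepad.exe"'},
    {"EventId": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in triage_all(EVENTS):
        print(f"event {f.event_id}: {f.image} score={f.score} {f.reasons}")
```

The plain `cmd.exe /c dir` from Explorer scores nothing, which is the point: the binary name alone is not a signal. The PowerShell launched from Word with a hidden window and an encoded command collects three reasons, and the WMI call addressed to another host is flagged on its remote target rather than on the tool.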
Mimikatz
Mimikatz differs from other tools in that it is not pre-installed on most systems. It is an open-source utility used for the dumping of passwords, hashes, PINs and Kerberos tickets. While some network administrators may use Mimikatz to perform internal vulnerability assessments, it is not readily available on Windows systems.
Traditional security approaches used to detect the download, installation, and use of Mimikatz are often insufficient. There exists a wide range of verified and well documented techniques for obfuscating tooling like Mimikatz, meaning even an unsophisticated attacker can subvert basic string or hash-based detections.
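To make the weakness of static detection concrete, here is an added example (not code from this post) that contrasts a hash blocklist with a behavioural check. A stand-in for the tool's file is constructed as a byte string; the access events are constructed in the shape of Sysmon Event ID 10 (ProcessAccess) fields; the set of processes allowed to read LSASS memory is an assumption that needs tuning per environment.

```python
"""Hash blocklist versus behavioural detection of a credential-dumping tool.
Added example, not code from the post. The file stand-in, the access events
and the allow list are all constructed or assumed."""
import hashlib
from typing import List

# Constructed stand-in for a known-bad binary (not a real file).
ORIGINAL_FILE = b"MZ\x90\x00" + b"\x00" * 60


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Legacy approach: a blocklist of hashes seen in earlier attacks.
HASH_BLOCKLIST = {sha256(ORIGINAL_FILE)}


def static_detect(data: bytes) -> bool:
    return sha256(data) in HASH_BLOCKLIST


# Behavioural approach: watch what processes do, not what their bytes are.
LSASS = "lsass.exe"
PROCESS_VM_READ = 0x0010  # Win32 access right: read another process's memory
# Processes expected to open LSASS with memory-read rights on a healthy host
# (assumption; typically the endpoint protection engine and a few OS processes).
ALLOWED_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def behavioural_detect(access_events: List[dict]) -> List[str]:
    """Return the source image paths that opened LSASS with memory-read
    rights and are not on the allow list, regardless of file name or hash."""
    hits = []
    for e in access_events:
        granted = int(e["GrantedAccess"], 16)
        if (_basename(e["TargetImage"]) == LSASS
                and granted & PROCESS_VM_READ
                and _basename(e["SourceImage"]) not in ALLOWED_READERS):
            hits.append(e["SourceImage"])
    return hits


ACCESS_EVENTS = [  # constructed, in the shape of Sysmon Event ID 10 fields
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\Public\svchost.exe",  # renamed tool in a user-writable path
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "GrantedAccess": "0x1000"},
]


def demo() -> dict:
    modified = ORIGINAL_FILE + b"\x00"  # one appended byte; behaviour would be unchanged
    return {
        "hash_catches_original": static_detect(ORIGINAL_FILE),
        "hash_catches_modified": static_detect(modified),
        "behavioural_hits": behavioural_detect(ACCESS_EVENTS),
    }


if __name__ == "__main__":
    print(demo())
```

A single appended byte is enough to take the file off the blocklist, while the behavioural rule still catches the copy that has been renamed to look like a system process, because it keys on the LSASS memory read rather than on the file.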
Self-Learning AI fights Living off the Land attacks
Living off the Land techniques have proven incredibly effective at enabling attackers to blend into organizations’ digital environments. It is normal for millions of credentials, network tools, and processes to be logged each day across a single digital ecosystem. So how can defenders spot malicious use of legitimate tools amidst this digital noise?
As with most threats, basic network hygiene is the first step. This includes implementing the principle of least privilege, deactivating all unnecessary programs, setting up software whitelisting, and performing asset and application inventory checks. However, while these measures are a step in the right direction, with enough time a sophisticated attacker will always manage to work their way around them.
Self-Learning AI technology has become fundamental in shining a light on attackers using an organization’s own infrastructure against them. It learns any given unique digital environment from the ground up, understanding the ‘pattern of life’ for every device and user. Living off the Land attacks are therefore identified in real time from a series of subtle deviations. This might include a new credential or unusual SMB / DCE-RPC usage.
Its deep understanding of the business enables it to spot attacks that fly under the radar of other tools. In a Living off the Land attack, the AI recognizes that, although use of a particular tool may be normal for an organization, the way that tool is being used can reveal seemingly benign behavior as unmistakably malicious.
For example, Self-Learning AI might observe frequent PowerShell user agents across multiple devices, but will only report an incident if the user agent is observed on a device at an unusual time.
Similarly, Darktrace might observe WMI commands being sent between thousands of combinations of devices each day, but will only alert on such activity if the commands are uncommon for both the source and the destination.
And even the subtle indicators of Mimikatz exploitation, like new credential usage or uncommon SMB traffic, will not be buried among the normal operations of the infrastructure.
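The two alerting rules just described, a PowerShell user agent at an hour a device has never been active and a WMI command whose source and destination are both unusual WMI endpoints, can be written as a small pattern-of-life baseline. The following is an added example and is not Darktrace's model or code. The events are constructed; the 'usual' threshold and the hour-of-day granularity are assumptions made for illustration.

```python
"""Pattern-of-life baselining for PowerShell user agents and WMI commands.
Added example; not Darktrace's model or code. Events are constructed; the
threshold and hour granularity are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

PS_UA_MARKER = "WindowsPowerShell"  # substring present in PowerShell's HTTP user agent
USUAL_THRESHOLD = 3                 # assumption: >= 3 baseline WMI events make an endpoint 'usual'


class PatternOfLife:
    def __init__(self) -> None:
        self.ps_hours: Dict[str, set] = defaultdict(set)  # device -> hours with a PowerShell UA
        self.wmi_sent: Counter = Counter()                # device -> WMI commands sent
        self.wmi_recv: Counter = Counter()                # device -> WMI commands received

    @staticmethod
    def _hour(event: dict) -> int:
        return datetime.fromisoformat(event["ts"]).hour

    @staticmethod
    def _is_ps_ua(event: dict) -> bool:
        return event["type"] == "http" and PS_UA_MARKER in event.get("user_agent", "")

    def learn(self, event: dict) -> None:
        """Fold one historical event into the baseline."""
        if self._is_ps_ua(event):
            self.ps_hours[event["src"]].add(self._hour(event))
        elif event["type"] == "wmi":
            self.wmi_sent[event["src"]] += 1
            self.wmi_recv[event["dst"]] += 1

    def assess(self, event: dict) -> Optional[str]:
        """Return a reason if the event deviates from the learned baseline."""
        if self._is_ps_ua(event):
            hour = self._hour(event)
            if hour not in self.ps_hours.get(event["src"], set()):
                return f"PowerShell user agent from {event['src']} at unusual hour {hour:02d}:00"
        elif event["type"] == "wmi":
            src_usual = self.wmi_sent[event["src"]] >= USUAL_THRESHOLD
            dst_usual = self.wmi_recv[event["dst"]] >= USUAL_THRESHOLD
            if not src_usual and not dst_usual:
                return f"WMI command {event['src']} -> {event['dst']} is uncommon for both endpoints"
        return None


PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1023"

BASELINE = [  # constructed history: a workstation scripting in office hours,
    {"ts": "2023-05-01T09:05:00", "type": "http", "src": "ws-042", "user_agent": PS_UA},
    {"ts": "2023-05-01T10:40:00", "type": "http", "src": "ws-042", "user_agent": PS_UA},
    {"ts": "2023-05-02T14:20:00", "type": "http", "src": "ws-042", "user_agent": PS_UA},
] + [  # and an admin host sending WMI to a domain controller daily
    {"ts": f"2023-05-0{d}T11:00:00", "type": "wmi", "src": "adminjump", "dst": "dc01"}
    for d in (1, 2, 3, 4)
]

NEW_EVENTS = [  # constructed events to assess against the baseline
    {"ts": "2023-05-08T10:15:00", "type": "http", "src": "ws-042", "user_agent": PS_UA},
    {"ts": "2023-05-08T03:12:00", "type": "http", "src": "ws-042", "user_agent": PS_UA},
    {"ts": "2023-05-08T11:02:00", "type": "wmi", "src": "adminjump", "dst": "filesrv07"},
    {"ts": "2023-05-08T03:14:00", "type": "wmi", "src": "ws-042", "dst": "ws-017"},
    {"ts": "2023-05-08T03:15:00", "type": "wmi", "src": "ws-042", "dst": "dc01"},
]


def run_example() -> List[Optional[str]]:
    model = PatternOfLife()
    for e in BASELINE:
        model.learn(e)
    return [model.assess(e) for e in NEW_EVENTS]


if __name__ == "__main__":
    for e, reason in zip(NEW_EVENTS, run_example()):
        print(e["ts"], reason or "normal")
```

Of the five new events only two are raised: the PowerShell user agent at 03:00 on a workstation that has only ever scripted in office hours, and the WMI command between two workstations that neither send nor receive WMI. The admin host reaching a new server and the workstation targeting the domain controller both stay quiet because one side of each is a usual WMI endpoint, which is the "uncommon for both" condition described above.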
Living off the Land techniques aren’t going away any time soon. Recognizing this, security teams are beginning to move away from ‘legacy’-based defenses that rely on historical attack data to catch the next attack, and towards AI that uses a bespoke and evolving understanding of its surroundings to detect subtle deviations indicative of a threat – even if that threat makes use of legitimate tools.
Thanks to Darktrace analysts Isabel Finn and Paul Jennings for their insights on the above threat find and supporting MITRE ATT&CK mapping.
MITRE ATT&CK techniques observed:
| Tactic | MITRE technique | Darktrace detections |
| --- | --- | --- |
| Reconnaissance | Active Scanning: Vulnerability Scanning (T1595.002) | Anomalous Server Activity::Server Activity on New Non-Standard Port |
| Resource Development | Obtain Capabilities: Malware (T1588.001) | Anomalous File::EXE from Rare External Location |
| Initial Access | Drive-By Compromise (T1189) | Anomalous File::EXE from Rare External Location; Unusual Activity::Suspicious RPC Sequence |
| Initial Access | External Remote Services (T1133) | Anomalous Connection::IPSec VPN to Rare IP |
| Initial Access | Hardware Additions (T1200) | Device::New Device with Attack Tools; Device::Attack and Recon Tools |
| Initial Access | Trusted Relationship (T1199) | Device::Large Outbound VPN Data; Anomalous Connection::New Outbound VPN |
| Initial Access | Valid Accounts (T1078) | User::New Admin Credentials on Client |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Anomalous Connection::Powershell to Rare External; IaaS::Compute::Anomalous Command Run on Azure VM; Device::New PowerShell User Agent; Device::Anomalous Active Directory Web Services |
| Execution | Command and Scripting Interpreter: Unix Shell (T1059.004) | IaaS::Compute::Anomalous Command Run on Azure VM |
| Execution | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | IaaS::Compute::Anomalous Command Run on Azure VM |
| Execution | Inter-Process Communication: Component Object Model (T1559.001) | Unusual Activity::Suspicious RPC Sequence |
| Execution | Windows Management Instrumentation (T1047) | Device::New or Uncommon WMI Activity; Device::Unusual WinRM - Heuristic; Anomalous Connection::Rare WinRM Outgoing; Device::Incoming WinRM And Script Download |
| Persistence | Create Account (T1136) | User::New Credential for Client; User::Multiple Uncommon New Credentials on Device |
| Persistence | Create Account: Domain Account (T1136.002) | User::Anomalous Domain User Creation Or Addition To Group |
| Persistence | External Remote Services (T1133) | Anomalous Connection::IPSec VPN to Rare IP |
| Persistence | Valid Accounts (T1078) | User::New Admin Credentials on Client |
| Persistence | Valid Accounts: Domain Accounts (T1078.002) | User::New Credential Following DPAPI BackupKey Request |
| Privilege Escalation | Domain Policy Modification (T1484) | Device::Unusual Group Policy Access |
| Privilege Escalation | Domain Policy Modification: Group Policy Modification (T1484.001) | Device::Unusual Group Policy Access |
| Privilege Escalation | Valid Accounts (T1078) | User::New Admin Credentials on Client |
| Privilege Escalation | Valid Accounts: Domain Accounts (T1078.002) | User::New Credential Following DPAPI BackupKey Request |
| Defense Evasion | Domain Policy Modification (T1484) | Device::Unusual Group Policy Access |
| Defense Evasion | Domain Policy Modification: Group Policy Modification (T1484.001) | Device::Unusual Group Policy Access |
| Defense Evasion | Valid Accounts (T1078) | User::New Admin Credentials on Client |
| Defense Evasion | Valid Accounts: Domain Accounts (T1078.002) | User::New Credential Following DPAPI BackupKey Request |
| Defense Evasion | Use Alternate Authentication Material: Pass the Hash (T1550.002) | User::New Admin Credentials on Client |
| Credential Access | Bruteforce (T1110) | Unusual Activity::Large Volume of Kerberos Failures; Device::Bruteforce Activity; Device::Spike in LDAP Activity; Device::SMB Session Bruteforce; Device::Anomalous NTLM Bruteforce; Unusual Activity::Successful Admin Bruteforce Activity; Device::LDAP Bruteforce Activity; Anomalous Server Activity::Unusual Server Kerberos |
| Credential Access | Bruteforce: Credential Stuffing (T1110.004) | Device::Spike in LDAP Activity; Anomalous Connection::RDP Bruteforce; Device::LDAP Bruteforce Activity; Device::LDAP Password Spray |
| Credential Access | Bruteforce: Password Cracking (T1110.002) | Device::Spike in LDAP Activity; Anomalous Connection::RDP Bruteforce; Device::LDAP Bruteforce Activity |
| Credential Access | Bruteforce: Password Guessing (T1110.001) | Device::Spike in LDAP Activity; Anomalous Connection::RDP Bruteforce; Device::LDAP Bruteforce Activity; Unusual Activity::Large Volume of Radius Failures |
| Credential Access | Bruteforce: Password Spraying (T1110.003) | Device::Spike in LDAP Activity; Device::LDAP Password Spray |
| Credential Access | OS Credential Dumping: DCSync (T1003.006) | Unusual Activity::Suspicious RPC Sequence |
| Credential Access | Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001) | Device::Active Directory Reconnaissance |
| Credential Access | Unsecured Credentials: Group Policy Preferences (T1552.006) | Device::Unusual Group Policy Access |
| Credential Access | Unsecured Credentials: Credentials In Files (T1552.001) | Anomalous File::Internal::New Access to Sensitive File |
| Discovery | Account Discovery: Domain Account (T1087.002) | Device::Possible Active Directory Enumeration |
| Discovery | Domain Trust Discovery (T1482) | Device::Possible Active Directory Enumeration |
| Discovery | File and Directory Discovery (T1083) | Anomalous Connection::SMB Enumeration; Compliance::SMB Drive Write; User::Suspicious Admin SMB Session; Device::Suspicious SMB Query; Unusual Activity::SMB Access Failures |
| Discovery | Network Service Scanning (T1046) | Unusual Activity::Possible RPC Recon Activity; Device::Possible RPC Endpoint Mapper Dump |
| Discovery | Network Share Discovery (T1135) | Anomalous Connection::SMB Enumeration; Unusual Activity::Anomalous SMB Reads to New or Unusual Locations; Device::Suspicious SMB Query |
| Discovery | Query Registry (T1012) | Device::Suspicious SMB Query |
| Discovery | Remote System Discovery (T1018) | Anomalous Connection::SMB Enumeration |
| Discovery | System Information Discovery (T1082) | Device::Suspicious SMB Query |
| Discovery | System Network Configuration Discovery (T1016) | Device::Suspicious SMB Query |
| Lateral Movement | Exploitation of Remote Services (T1210) | Device::New User Agent To Internal Server; Device::Suspicious New User Agents; Device::New PowerShell User Agent; Device::New User Agent |
| Lateral Movement | Lateral Tool Transfer (T1570) | Compliance::SMB Drive Write; Anomalous File::Internal::Internal File Transfer on New Port |
| Lateral Movement | Taint Shared Content (T1080) | Compliance::SMB Drive Write |
| Lateral Movement | Use Alternate Authentication Material: Pass the Hash (T1550.002) | User::New Admin Credentials on Client |
| Collection | Automated Collection (T1119) | Unusual Activity::Internal Data Transfer |
| Collection | Data Staged (T1074) | Unusual Activity::Internal Data Transfer; Anomalous Connection::Unusual Incoming Data Volume |
| Collection | Email Collection (T1114) | Unusual Activity::Internal Data Transfer |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | Compromise::Empire Python Activity Pattern |
| Command and Control | Ingress Tool Transfer (T1105) | Anomalous File::EXE from Rare External Location |
| Command and Control | Non-Standard Port (T1571) | Anomalous Connection::Application Protocol on Uncommon Port |
| Impact | Account Access Removal (T1531) | User::Admin Domain Password Change |
| Impact | Data Encrypted for Impact (T1486) | Unusual Activity::Sustained Anomalous SMB Activity |
| Impact | Service Stop (T1489) | Anomalous Connection::New or Uncommon Service Control; Anomalous Connection::High Volume of New or Uncommon Service Control |