Living off the Land cyber attacks — your newest nightmare

Living Off The Land

We talk a lot about looming cyber threats out there. It’s a huge operational concern for businesses large and small. Insurance, backup, protection, you name it — we’re writing about it and talking about it with our clients and partners. What was a relatively small part of our managed services portfolio not too long ago has become a central tenet of everything we do. And given how central it is to nearly every business’s operational integrity, we keep reading about it, learning everything we can about it, and passing on that knowledge and best practices to our clients, partners and soon-to-be-partners to keep them and their businesses safe, operational and productive. So if we’re writing about cyber threats a lot… it’s only because they’re that important (and changing that often). With that, I give you your newest nightmare: Living Off The Land attacks.

Living Off The Land

Living off the Land (LOTL) attacks are a relatively recent development in the annals of cybersecurity, but they can be utterly devastating. That’s because LOTL involves taking advantage of functionality in binaries, scripts, and libraries native to the operating system OS. Living off the Land binaries and scripts (LOLBAS) as well as libraries exist in software or OS updates and because of that, can go undocumented.

To put it more simply, they’re fileless malware attacks. It doesn’t require uploading a file onto a host system, or tricking a mark into downloading malicious files. By definition LOTL attacks emanate from within the native OS of host systems.

Fileless Malware is as scary as it sounds

Fileless malware, at its core, is malicious software that executes in memory instead of writing to disk using malicious executables like traditional malware does. After infection, Cyber Threat Actors (CTAs) deploying fileless malware usually leverage legitimate system and admin tools like Windows PowerShell and Windows Management Instrumentation (WMI) to attain persistence by LOTL. And once these CTAs have established a foothold in the victim’s environment, they can then escalate privileges and move laterally across the network.

Because these attacks emanate from memory instead of writing to disk, they can be harder to detect and contain. And from where we’re sitting, we think threat actors will increasingly prefer Living off the Land techniques until security professionals are able to successfully catalog and monitor native operating system (OS) executables as well as trusted applications on their networks.

To that end, here are some of the most common LOLBAS and libraries exploited by threat actors:

  • powershell.exe
  • psexec.exe
  • bitsadmin.exe
  • regsvr32.exe
  • certutil.exe
  • wmic.exe
  • mshta.exe
  • mofcomp.exe
  • cmstp.exe
  • windbg.exe
  • cdb.exe
  • msbuild.exe
  • csc.exe

You can find some specific instructions on how to best ward off each vulnerability here.

But, but, but… part of why we bring things like this to your attention is because preventing these types of attacks (or setting up a defensive posture with adequate logging and monitoring, etc.) are really, really hard without dedicated expertise.

That’s why cybersecurity has become more and more central to what we offer our clients and partners. It’s more and more important with every passing day, as well as more and more complex and variable by the week.

If you want to learn more about how we can help keep you safe from Living Off The Land Attacks (and other fileless malware), drop us a line. We’d love to learn about your specific needs and how we can best serve you and your business.