I write frequently about the threat of malware and how threat actors are using it to do everything from steal personal information to fully take over users’ devices or add them to botnets. These malicious programs spread through various forms of phishing, ClickFix attacks, malvertising, and even apps that have been vetted and approved by Apple and Google.
However, as users (and security tools) have gotten better at identifying the signs of a malware infection and savvy enough to avoid them in the first place, some cybercriminals have changed tactics: Living Off the Land (LOTL) attacks exploit built-in system utilities and tools that may be less likely to raise red flags.
How Living Off the Land attacks work
As Huntress describes, LOTL refers to using local resources instead of importing new ones from outside. Rather than sneaking custom-built malware onto a user’s machine, attackers exploit tools like PowerShell, Windows Management Instrumentation (WMI), built-in utilities, and trusted applications such as Microsoft Teams for malicious purposes. Antivirus programs are unlikely to flag these tools as suspicious—in most cases, they aren’t—because they blend in to normal system processes and are supposed to be there.
By hijacking legitimate tools, threat actors are able to access systems and networks, execute code remotely, escalate privileges, steal data, or even install other forms of malware. The PowerShell command-line interface allows file downloads and command execution, making it a popular tool for bad actors, along with WMI, though Unix binaries and signed Windows drivers are also frequently exploited.
LOTL attackers may employ exploit kits, which can spread fileless malware via phishing or other forms of social engineering, as well as stolen credentials and fileless ransomware to gain access to native tools. Malwarebytes Labs recently identified a campaign spread through fake Google Meet updates to exploit a legitimate Windows device enrollment feature—run via an attack server hosted on a reputable mobile device management platform.
What do you think so far?
How to detect an LOTL attack
Many tactics for identifying, addressing, and preventing LOTL attacks are targeted at organizations with large infrastructures to defend, but individual users can (and should) also be vigilant to this type of threat. As always, look out for signs of phishing and other forms of social engineering that bad actors use to steal credentials and gain access to networks and devices. Be wary of unsolicited communication containing links, notifications about software and security updates, and anything that provokes curiosity, anxiety, urgency, or fear. Install security updates as soon as they’re available to keep vulnerabilities from being exploited.
When it comes to detecting LOTL specifically, Huntress advises looking for unusual behavior rather than just suspicious files or programs—for example, tools running outside of their normal contexts or in unexpected patterns as well as unusual network connections from systems utilities. Monitor and log usage of commonly exploited tools, and audit any remote access tools and device enrollments.