Living off the land: How attackers exploit built-in tools and evade detection

Living off the Land (LOTL) is a stealth-focused technique in which attackers leverage trusted, built-in tools, which often ship with the operating system or are already installed as third-party software, to carry out malicious activity. Because these tools, often referred to as LOTL binaries, are already signed, trusted, and routinely used for legitimate administration, malicious activity performed with them is at greater risk of going unnoticed and evading detection.

Attackers increasingly rely on LOTL binaries to achieve their objectives. A relevant example is Volt Typhoon, a threat actor that has targeted various critical infrastructure organizations since at least 2021 [1]. Threat intelligence from multiple sources suggests that its primary objectives include long-term espionage and lateral movement to operational technology (OT) assets. To avoid detection, the group has relied heavily on LOTL binaries and direct interaction with compromised systems. It has used built-in Windows utilities such as netsh.exe to configure port proxies that facilitate access and to enumerate network topology, ntdsutil.exe to access and harvest credentials for domain accounts, and wmic.exe to perform reconnaissance and remote execution.

Detection strategies for LOTL binaries

Some LOTL binaries are rarely used in day-to-day operations, so their mere execution can be considered a high-confidence signal of suspicious activity. Others are routinely used by administrators, which makes broad monitoring challenging, although certain invocations can still strongly indicate malicious activity and warrant further investigation.

A major complication in detecting abuse of some LOTL binaries, however, is that they provide interactive shells in which commands can be executed without generating the command-line telemetry that defenders rely on. If detection depends solely on the arguments supplied when the binary is first invoked, an attacker can simply run the same commands interactively and evade detection.

To mitigate this, defenders should adopt a defense-in-depth detection strategy that correlates multiple events rather than relying solely on the arguments passed to a binary. For example, when monitoring netsh.exe port-proxy creation, tracking both netsh.exe executions and the corresponding registry modifications provides a far more reliable signal of malicious activity than either alone. Network monitoring additionally complements endpoint telemetry by identifying potentially malicious network activity, such as that associated with Discovery, Lateral Movement, and Command and Control.
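As an added illustration of the correlation described above (example code, not from the original article): the argument-only rule catches a port proxy added on the command line but misses one added from an interactive netsh shell, while the correlated rule flags both from the registry write. The log records are constructed; the PortProxy registry path is the one Windows uses for v4tov4 port proxies, and the value-name layout and event field names are assumptions of the example.

```python
from datetime import datetime

# Constructed sample telemetry (not real logs): simplified process-creation and
# registry-modification records in the shape an EDR or Sysmon pipeline would emit.
EVENTS = [
    # Host ws1: port proxy created directly from the command line.
    {"ts": "2024-05-01T09:00:00", "host": "ws1", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.0.0.5 connectport=3389"},
    {"ts": "2024-05-01T09:00:01", "host": "ws1", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp",
     "value_name": "*/9999"},  # value name layout assumed: listenaddress/listenport
    # Host srv2: netsh started interactively, so the command line carries no
    # arguments and an argument-only rule sees nothing; the registry write still happens.
    {"ts": "2024-05-01T10:15:00", "host": "srv2", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh"},
    {"ts": "2024-05-01T10:15:42", "host": "srv2", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp",
     "value_name": "*/8443"},
    # Host ws3: routine administrative use with no port-proxy registry change.
    {"ts": "2024-05-01T11:00:00", "host": "ws3", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

PORTPROXY_KEY = r"\services\portproxy"  # matched case-insensitively below

def is_netsh(event):
    return event["type"] == "process" and event["image"].lower().endswith(r"\netsh.exe")

def argument_only_alerts(events):
    """Naive rule: alert only when 'portproxy' appears in a netsh.exe command line."""
    return sorted({e["host"] for e in events
                   if is_netsh(e) and "portproxy" in e["cmdline"].lower()})

def correlated_alerts(events, window_seconds=300):
    """Defense-in-depth rule: flag a PortProxy registry write on any host where
    netsh.exe started within the preceding window, whatever its command line said."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    starts = [e for e in events if is_netsh(e)]
    alerts = []  # tuples of (host, netsh command line, registry value name)
    for reg in events:
        if reg["type"] != "registry" or PORTPROXY_KEY not in reg["key"].lower():
            continue
        for proc in starts:
            delta = (ts(reg) - ts(proc)).total_seconds()
            if proc["host"] == reg["host"] and 0 <= delta <= window_seconds:
                alerts.append((reg["host"], proc["cmdline"], reg["value_name"]))
                break  # one alert per registry write is enough
    return alerts
```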

Key takeaways for OT environments

In critical IT and OT environments, organizations should take additional precautions against attackers abusing LOTL binaries to evade defenses, again by adopting a defense-in-depth detection strategy. OT networks are also often highly specialized, and what is normal in one environment may be entirely abnormal in another, so tailored detection is essential for identifying abuse of LOTL binaries. Organizations in critical infrastructure should alert on any execution of LOTL binaries that appears suspicious or deviates from expected behavior, and detection logic should be tailored to the specifics of each environment to minimize false positives and avoid flagging benign activity.

References

[1] https://attack.mitre.org/groups/G1017/

Author: Daniel Myrén, Security Analyst at Sectra