Living Off The Land Attacks (LOTL)

What is Living off the Land (LOTL)?

Living off the land refers to the use of dual-use tools: tools that are either already installed in the victim's environment, or admin, forensic or system tools that are used maliciously.

Tools Used for Living Off the Land Attacks

Examples of dual-use tools that have been used in living-off-the-land attacks include Windows Sysinternals, NETSH and SC, forensic tools such as the password-extraction tool Mimikatz, and other tools such as SSH, which can be used as a backdoor. In some fileless attacks these tools are downloaded by the malware and saved to disk; the attack is still commonly considered fileless in this case because the tools have legitimate uses and so would not be flagged by most security products. In other cases the tools are injected into memory and never saved to disk.

Example of LOTL Attack

In February 2018, a widespread fileless attack against financial institutions around the world was reported. The attackers deployed several tools to gain control of the financial networks. To gain administrative privileges, they used Mimikatz to collect passwords. They then placed PowerShell scripts in the registry and generated Metasploit scripts that were executed using the Windows SC service control tool. In addition, the Windows NETSH tool was used for communication between the victim and the C2 server. This comprehensive use of tools enabled a highly sophisticated attack that remained undetected for some time.

The Deep Instinct Prevention Platform extends and enhances your existing security solutions to provide the most complete protection against malware and other cyber threats across your hybrid environment.

Deep Instinct stops attacks before they happen, identifying malicious files in <20ms, before execution. Deep Instinct prevents more threats, faster than any EPP and EDR vendor in the world, ensuring malware never enters your environment.
