- Widely used tools for ‘Living off the land’ attacks include Mimikatz, Microsoft’s PS Exec tool, Windows Management Instrumentation (WMI), Windows Secure Copy, PowerShell scripts, VB scripts, and more.
- Using fileless threats or third-party dual-use tools helps attackers evade detection from antivirus programs.
What is it - 'Living off the land’ is one of the tactics used by cybercriminals to conduct cyber attacks.
‘Living off the land’ tactic leverages the following,
- Employing dual-use tools
- Fileless persistence
- Use of memory only threats
Why is Living off the land tactic used - When an attacker utilizes commonly available tools to carry out attacks against targets, then it is termed as ‘Living off the land’ attack. Attackers using tools that are pre-installed on the targeted machines are becoming common. Using fileless threats or third-party tools or simple scripts helps attackers evade detection from antivirus programs.
What tools are used - Widely used tools for ‘Living off the land’ attacks include,
- Microsoft’s PS Exec tool
- Windows Management Instrumentation (WMI)
- Windows Secure Copy
- PowerShell scripts
- VB scripts
What’s the attack pattern?
- Attackers make use of tools that are running simple scripts and shellcode such as PowerShell scripts or VB scripts directly in memory.
- Attackers might take passwords obtained by Mimikatz tool and use them with PS Exec to move laterally to another system.
- Attackers use phishing emails that include a Microsoft Office document attachment with embedded malicious macros to trick users to enable the macro when opening the Office doc attachment.
- They might use system tools as backdoors to bypass authentication.
- They use whitelisted legitimate tools to evade detection.
Examples of ‘Living off the land’ tactic
Example 1 - Ransomware Petya/NotPetya outbreak
In June 2018, the Ransom.Petya outbreak hit organizations in Ukraine and other countries leveraging the ‘Living off the land’ tactic.
Petya/NotPetya ransomware used a software supply chain attack as its initial infection vector for compromising the update process of a software accounting program.
- Petya also used system commands during the infection process.
- Once executed, it dropped a recompiled version of LSADump from Mimikatz tool, which is used to steal account credentials from Windows memory.
- The stolen credentials were then used to copy the threat to any computers connected to the network.
- It then launched itself remotely using a dropped instance of PsExec.exe and the Windows Management Instrumentation (WMI) command line tool.
Example 2 - Thrip threat
In 2018, researchers observed cyber espionage campaign dubbed ‘Thrip’ targeting telecommunication providers, satellites and defense companies by leveraging the ‘Living off the land’ tactic. In the attack campaign, cybercriminals used the Windows utility PsExec to install the Catchamas info-stealer malware.
Example 3 - Separ malware infecting companies via ‘Living off the land’ tactic
Recently, researchers observed a phishing campaign infecting organizations in Southeast Asia, the Middle East, and North America with the Separ malware. The malware used a combination of very short scripts or batch files and legitimate executable to evade detection.
- The phishing emails included a malicious PDF attachment that purported to be a self-extracting executable.
- The PDF document disguised as bogus quotations, shipments and equipment specifications.
- Upon opening the malicious PDF attachment, the self-extractor calls wscript.exe to run a Visual Basic Script (VB Script) called adobel.vbs.
- Once the VB Script starts running, it executes an array of short batch scripts which have various malicious functions.
The attack campaign infected almost 200 companies and over 1,000 individuals.
How to stay protected?
- To avoid such attacks, it is best to monitor the usage of dual-use tools inside the network.
- It is best to keep all your systems, applications, software, and OS updated.
- It is best to install a robust antivirus program.
- It is recommended to use strong passwords and periodically rotate passwords.
- It is recommended to use two-factor authentication while login and always log out after the session is complete.
- It is always recommended to be cautious of Microsoft Office attachments that prompt users to enable macros.
- It is recommended to never open any attachments that are from anonymous senders.
- It is better to create a list of whitelisted applications and monitor log files.