Living off the land (LOTL) is a fileless malware or LOLbins cyberattack technique where the cybercriminal uses native, legitimate tools within the victim’s system to sustain and advance an attack.
How Do Living Off the Land Attacks (LOTL) Work?
Unlike traditional malware attacks, which leverage signature files to carry out the attack plan, LOTL attacks are fileless — meaning they do not require an attacker to install any code or scripts within the target system. Instead, the attacker uses tools that are already present in the environment, such as PowerShell, Windows Management Instrumentation (WMI) or the password-saving tool, Mimikatz, to carry out the attack.
Using native tools makes LOTL attacks far more difficult to detect, especially if the organization is leveraging traditional security tools that search for known malware scripts or files. Because of this gap in the security toolset, the hacker is often able to dwell undetected in the victim’s environment for weeks, months or even years.
LOTL Tools
If living off the land attackers don’t have to install code to launch a fileless malware attack, then how do they gain access to the environment so they can modify its native tools to serve their purposes? Access can be accomplished in several ways, such as through the use of:
- Exploit kits
- Hijacked native tools
- Registry resident malware
- Memory-only malware
- Fileless ransomware
- Stolen credentials
Exploit Kits
Exploits are pieces of code, sequences of commands, or collections of data; exploit kits are collections of exploits. Adversaries use these tools to take advantage of vulnerabilities that are known to exist in an operating system or an installed application.
Exploits are an efficient way to launch a fileless malware attack, such as a LOTL attack, because they can be injected directly into memory without requiring anything to be written to disk. Adversaries can use them to automate initial compromises at scale.
An exploit begins in the same way, regardless of whether the attack is fileless or uses traditional malware. Typically, a victim is lured through a phishing email or social engineering. The exploit kit usually includes exploits for a number of vulnerabilities and a management console that the attacker can use to control the system. In some cases, the exploit kit will include the ability to scan the targeted system for vulnerabilities and then craft and launch a customized exploit on the fly.
Hijacked Native Tools or Dual Use Tools
In LOTL attacks, adversaries commonly hijack legitimate tools to escalate privileges, access different systems and networks, steal or encrypt data, install malware, set backdoor access points or otherwise advance the attack path. Examples of native or dual use tools include:
- File transfer protocol (FTP) clients or system functions, such as PsExec
- Forensic tools such as the password extracting tool Mimikatz
- PowerShell, a script-launching framework that offers broad functionality for Windows device administration
- WMI, an interface for access to various Windows components
Registry Resident Malware
Registry resident malware is malware that installs itself in the Windows registry in order to remain persistent while evading detection.
Commonly, Windows systems are infected through the use of a dropper program that downloads a malicious file. This malicious file remains active on the targeted system, which makes it vulnerable to detection by antivirus software. Fileless malware may also use a dropper program, but it doesn’t download a malicious file. Instead, the dropper program itself writes malicious code straight into the Windows registry.
The malicious code can be programmed to launch every time the OS is launched, and there is no malicious file that could be discovered — the malicious code is hidden in native files not subject to AV detection.
The oldest variant of this type of attack is Poweliks, but many have emerged since then, including Kovter and GootKit. Malware that modifies registry keys is very likely to remain in place undetected for extended periods of time.
Memory-Only Malware
Memory-only malware resides only in memory. An example of memory-only malware is the Duqu worm, which can remain undetected because it resides exclusively in memory. Duqu 2.0 comes in two versions; the first is a backdoor that allows the adversary to gain a foothold in an organization. The adversary can then use the advanced version of Duqu 2.0, which offers additional features such as reconnaissance, lateral movement and data exfiltration. Duqu 2.0 has been used to successfully breach companies in the telecom industry and at least one well-known security software provider.
Fileless Ransomware
Adversaries do not limit themselves to one type of attack. They use any technology that will help them capture their payload. Today, ransomware attackers are using fileless techniques to embed malicious code in documents through the use of native scripting languages such as macros or to write the malicious code directly into memory through the use of an exploit. The ransomware then hijacks native tools like PowerShell to encrypt hostage files without ever having written a single line to disk.
Stolen Credentials
Attackers may commence a fileless attack through the use of stolen credentials so they can access their target under the guise of a legitimate user. Once inside, the attacker can use native tools such as WMI or PowerShell to conduct their attack. They can establish persistence by hiding code in the registry or the kernel, or by creating user accounts that grant them access to any system they choose.
Why Are Living Off the Land Attacks so Popular?
Data from the 2023 Global Threat Report, CrowdStrike’s annual analysis of the threat landscape and adversary universe, reveals that 6 in 10 detections (62%) indexed by the CrowdStrike Security Cloud in the final quarter of 2021 were malware-free. Instead, adversaries were leveraging legitimate credentials and built-in tools — a hallmark of living off the land attacks — to advance the attack path.
Living off the land attacks are becoming more common because they tend to be more effective than traditional malware attacks. This is because they are far more difficult to detect with legacy security tools, which increases the likelihood of success and grants the attacker more time to escalate privileges, steal data, and set backdoors for future access.
Other reasons why LOTL attacks are appealing to cybercriminals:
- Many common LOTL attack vehicles, such as WMI and PowerShell, are in the victim network’s “allow” list, which makes for a perfect cover for adversaries as they carry out malicious activity — activity that is often ignored by the victim’s security operations center (SOC) and other security measures.
- LOTL attacks do not use files or signatures, which means that attacks cannot be compared or connected, making it more difficult to prevent in the future and allowing the criminal to reuse tactics at will.
- Use of legitimate tools and lack of signature makes it difficult to attribute LOTL attacks, thus fueling the attack cycle.
- Lengthy, undisturbed dwell times allow the adversary to set up and carry out complex, sophisticated attacks. By the time the victim is aware of the issue, there is often little time to effectively respond.
Preventing and Detecting Living off the Land Attacks
Fileless ransomware and LOTL attacks are extremely challenging to detect using signature-based methods, legacy AV, allowlisting, sandboxing or even machine learning-based analysis. So how can organizations protect themselves from this common and potentially devastating attack type?
Here we share a short list of security measures that, when taken together as an integrated approach, can help prevent and detect LOTL, fileless malware, unknown ransomware and similar attack methods:
Indicators of Attack (IOAs)
One of the most effective ways to reduce the risk of LOTL attacks is by relying on indicators of attack (IOAs) instead of indicators of compromise (IOCs) alone.
Indicators of attacks are a more proactive detection capability that look for signs that an attack may be in progress. IOAs include signs such as code execution, lateral movements and actions that seem to be intended to cloak the intruder’s true intent.
IOAs are effective in detecting fileless attacks because they do not focus on how the steps are launched or executed. It does not matter whether the action was initiated from a file on the hard drive or from a fileless technique. The only thing that matters is the action performed, how it relates to other actions, its position in a sequence and its dependent actions. These indicators reveal the true intentions and goals behind their behaviors and the events around them.
Because fileless attacks exploit legitimate scripting languages such as PowerShell and are never written to disk themselves, they go undetected by signature-based methods, allowlisting and sandboxing. Even machine learning methods fail to analyze fileless malware. But IOAs look for sequences of events that even fileless malware must execute in order to achieve its mission.
And because IOAs examine intent, context and sequences, they can even detect and block malicious activities that are performed using a legitimate account, which is often the case when an attacker uses stolen credentials or hijacks legitimate programs.
Learn More
To learn more about IOAs and how they differ from IOCs, please read our related post: Read: IOA vs IOC
Managed Threat Hunting
Threat hunting for fileless malware is time-consuming and laborious work that requires the gathering and normalization of extensive amounts of data. Yet it is a necessary component in a defense that protects against fileless attacks, and for these reasons, the most pragmatic approach for the majority of organizations is to turn their threat hunting over to an expert provider.
Managed threat hunting services are on watch around the clock, proactively searching for intrusions, monitoring the environment, and recognizing subtle activities that would go unnoticed by standard security technologies.
Threat hunting is a critical discipline that more organizations are using to disrupt stealthy attacks before they become mega breaches. With managed threat hunting, you are engaging a team of expert threat hunters for a simple, but important task: to continuously sift through your enterprise security data, looking for faint signs of the most sophisticated attacks. Managed threat hunting services are tailor-made to fill this critical gap for organizations of all types.
Account Monitoring
Account monitoring and management controls can detect and prevent unauthorized activities by providing full visibility into work environments. It enables preventing loss of data due to such activities and violations of credentials, while allowing resource owners to control who has access to the data and indicating whether the access is inappropriately granted.
Application Inventory
This proactively identifies outdated and unpatched applications and operating systems so you can securely manage all the applications in your environment. Streamlining your application inventory with an IT hygiene solution solves security and cost problems simultaneously. Visibility enabled via IT hygiene prevents exploits related to patches and system updates. It also optimizes your software configuration. Real-time and historical views of application usage identify unused software that can be removed, potentially saving your organization thousands of dollars in unnecessary licensing fees.
Asset Inventory
Asset Inventory shows you what machines are running on your network and allows you to deploy your security architecture effectively to ensure that no rogue systems are operating behind your walls. It enables security and IT ops to differentiate between managed, unmanaged and unmanageable assets in your environment and take appropriate steps to improve overall security.
Recovering from Living off the Land Attacks
Because living off the land attackers can evade detection for weeks or months, recovering from these events can be extremely complex and time intensive. Organizations that suspect they may be the victim of such an attack should engage a reputable cybersecurity partner to help them conduct a compromise assessment (CA) to determine if the organization has been breached and, if so, where in the attack journey they may be.
During the compromise assessment, the security team will review current and historical events to identify signs of historical attacks, such as suspicious registry keys and suspicious output files, as well as identifying active threats. Many sophisticated adversaries spend months and years in their victims’ networks without being detected and the CA historical analysis is critical to identifying if this has happened.
If the compromise assessment reveals that an attack has occurred or is still in progress, the security team will then work with the company to contain the damage, recover and repair affected systems and harden the network for the future.
To prevent future attacks, the security partner will need to conduct an extensive review of the client’s environment to ensure that the adversary has not created any access points that could be exploited at a later date. The partner will also likely recommend advanced tools and services that could help prevent the likelihood of fileless attacks in the future.
How CrowdStrike Can Prevent LOTL and Fileless Attacks in Your Organization
As we have seen, fileless techniques are extremely challenging to detect if you are relying on signature-based methods, sandboxing, allowlisting or even machine learning protection methods.
To protect against stealthy, fileless attacks, CrowdStrike uniquely combines multiple methods into a powerful and integrated approach that delivers unrivaled endpoint protection. The CrowdStrike Falcon® platform delivers cloud-native, next-generation endpoint protection via a single lightweight agent and offers an array of complementary prevention and detection methods:
- Application inventory discovers any applications running in your environment and identifies any potential vulnerabilities that need to be patched or updated so that they can’t be the target of exploit kits.
- Exploit blocking stops the execution of fileless attacks via exploits that take advantage of unpatched vulnerabilities.
- Indicators of attack (IOAs) identify and block malicious activity during the early stages of an attack, before it can fully execute and inflict damage. This capability also protects against new categories of ransomware that do not use files to encrypt victim systems.
- Script Control provides expanded visibility and protection against fileless script-based attacks.
- Advanced Memory Scanning protects against fileless and malware-free attacks like APTs, ransomware and dual use tools like Cobalt Strike in memory.
- Managed threat hunting proactively searches around the clock for malicious activities that are generated as a result of fileless techniques.
