Living off the land methods have become more prevalent in the threat landscape over the past few years. Though the idea of "living off the land" has been around for a while, it has gained popularity among various threat actors as a primary attack strategy because of its stealthy nature.
During living off the land attacks, threat actors leverage the software and binaries preinstalled on Windows systems for nefarious purposes.
Most threat actors who prefer to keep a low profile avoid leaving footprints such as running unknown binaries on the system; instead, they blend in by using living off the land binaries and drivers, which are difficult to distinguish from legitimate use and may therefore go undetected or be dismissed as false positives.
It has been observed that the reduced number of zero-day vulnerabilities, together with the effort required to find them, has shifted adversaries' focus to living off the land techniques. Furthermore, in the majority of cases the system tools have already been whitelisted, or only a few tools are available to carry out an attack, which pushes threat actors to adopt a living off the land strategy.
The LOLBAS project was developed to describe and provide details on the binaries, scripts, and libraries that adversaries can leverage. Its purpose is to build a comprehensive catalog of these tools, together with usage examples and detection mechanisms, to help defenders better understand and identify living off the land attacks.
Red Canary has released an excellent threat report. It includes a chart illustrating the most common and impactful threats observed across their customer base in 2022.
Five of the top ten threats were identified as living off the land binaries, as shown below.
T1059.003: Windows Command Shell
T1059.001: PowerShell
T1047: Windows Management Instrumentation
T1218.011: Rundll32
T1569.002: Service Execution
The majority of these sub-techniques were accomplished through the use of pre-installed binaries such as "cmd.exe", "powershell.exe", "rundll32", "wmic.exe", and "service.exe".
Living off the land binaries have been observed in numerous sophisticated attacks launched by APT and ransomware groups. The most notable examples are the SolarWinds attack perpetrated by Nobelium (directed by the Russian intelligence service), the Kaseya VSA supply chain attack perpetrated by the REvil group, and WannaCry, conducted by the Lazarus Group.
Finding and detecting living off the land binaries is extremely important for security analysts. You can detect them, and possibly even block them, by following the guidelines below.
Microsoft has recommended blocking a few applications unless they are explicitly needed.
CrowdStrike has released a blog article outlining eight LOLBins that every threat hunter should be aware of.
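Detection logic of the kind these guidelines call for, as an added example that is not code from the original article, Red Canary, Microsoft, CrowdStrike or the LOLBAS project: a Python script that applies a few widely used heuristics for the five techniques listed above (T1059.003, T1059.001, T1047, T1218.011, T1569.002) to process-creation events. The event shape (Sysmon-style Image, ParentImage and CommandLine fields), the heuristics themselves and the sample events are assumptions made for this example.

```python
"""Flag suspicious LOLBin use in Windows process-creation telemetry.

Added example, not code from the original article or the LOLBAS project.
Field names follow Sysmon Event ID 1; the rules and sample events below are
assumptions made for illustration, not detections taken from the article.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Locations an ordinary user can write to. A system binary loading or
# launching something from here is a classic abuse indicator (assumed rule).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

# Office processes that should rarely spawn a command shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell's -EncodedCommand switch and its accepted short forms.
ENCODED_SWITCH = re.compile(r"\s-(enc|encodedcommand|e|ec)\b")

# Splits off the first token (quoted or not) of a command line.
FIRST_TOKEN = re.compile(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def _name(path: str) -> str:
    """Lowercase file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def _arguments(command_line: str) -> str:
    """Everything after the executable token of a command line."""
    match = FIRST_TOKEN.match(command_line)
    return match.group(1).strip() if match else ""


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the MITRE technique IDs whose heuristics match one event."""
    image = _name(event.get("Image", ""))
    parent = _name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_lower = cmd.lower()
    hits: List[str] = []

    # T1059.003 Windows Command Shell: cmd.exe spawned by an Office app.
    if image == "cmd.exe" and parent in OFFICE_PARENTS:
        hits.append("T1059.003")

    # T1059.001 PowerShell: encoded command or hidden window.
    if image in ("powershell.exe", "pwsh.exe") and (
        ENCODED_SWITCH.search(cmd_lower)
        or "-w hidden" in cmd_lower
        or "-windowstyle hidden" in cmd_lower
    ):
        hits.append("T1059.001")

    # T1047 WMI: process creation through wmic.
    if image == "wmic.exe" and all(w in cmd_lower for w in ("process", "call", "create")):
        hits.append("T1047")

    # T1218.011 Rundll32: no arguments at all, or a DLL from a user-writable path.
    if image == "rundll32.exe":
        args = _arguments(cmd)
        if not args or _in_user_writable(args):
            hits.append("T1218.011")

    # T1569.002 Service Execution: services.exe starting a binary that lives in
    # a user-writable location (one-off services look like this).
    if parent == "services.exe" and _in_user_writable(event.get("Image", "")):
        hits.append("T1569.002")

    return hits


def detect_lolbin_events(events) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (event, technique_ids) for every event that matched a rule."""
    results = []
    for event in events:
        hits = classify_event(event)
        if hits:
            results.append((event, hits))
    return results


def _event(image: str, parent: str, command_line: str) -> Dict[str, str]:
    return {"Image": image, "ParentImage": parent, "CommandLine": command_line}


SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry: five suspicious events followed by two benign ones.
SAMPLE_EVENTS = [
    _event(SYS32 + r"\cmd.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           "cmd.exe /c echo hi"),
    _event(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", SYS32 + r"\cmd.exe",
           "powershell.exe -nop -w hidden -enc QQBCAEMA"),  # QQBCAEMA is just "ABC"
    _event(SYS32 + r"\wbem\WMIC.exe", SYS32 + r"\cmd.exe", "wmic process call create notepad.exe"),
    _event(SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe",
           '"' + SYS32 + r'\rundll32.exe" C:\Users\alice\AppData\Local\Temp\update.dll,Start'),
    _event(r"C:\Users\Public\svc_tmp.exe", SYS32 + r"\services.exe", r"C:\Users\Public\svc_tmp.exe -service"),
    _event(SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe",
           '"' + SYS32 + r'\rundll32.exe" shell32.dll,Control_RunDLL'),
    _event(SYS32 + r"\cmd.exe", r"C:\Program Files\Git\cmd\git.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for event, techniques in detect_lolbin_events(SAMPLE_EVENTS):
        print(", ".join(techniques), "<-", event["CommandLine"])
```

The rules deliberately key on context (parent process, argument source path, specific switches) rather than on the binary name alone, because the binaries themselves are legitimate and present on every host; alerting on every cmd.exe or rundll32.exe launch is exactly the false-positive flood that lets these techniques hide.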
Conclusion
In conclusion, the use of "Living Off The Land" (LOTL) strategies and their prevalence highlight how cyber risks are constantly changing. Because these attacks are subtle and more challenging for defenders to detect, built-in system tools and binaries are attractive for malicious objectives. The LOLBAS project and information from reports such as Red Canary's threat report highlight how important it is for defenders to understand and successfully counter living off the land binaries. Attackers are still using popular, pre-installed binaries, as seen in the top LOTL techniques such as Windows Command Shell, PowerShell, and others. This means that security analysts need to be proactive and cognizant. Recommendations from industry experts such as Microsoft and CrowdStrike are critical in guiding defenders in their efforts to detect, prevent, and reduce the impact of these sophisticated and stealthy attacks.