Understanding Living Off the Land Attacks and How to Stop Them

Understanding Living Off the Land Attacks and How to Stop Them

Over the last couple of years, the massive incremental investment that businesses and other organizations have made to increase cyber defenses has paid off and stopped many types of attacks. But this dance between cyberattacks and cybersecurity is continuously evolving. As such, cybercriminals are working around the clock to advance their tools and aggression, sometimes drawing on age-old tactics to disguise their schemes.  

Business owners, IT teams, and security professionals must remain vigilant to understand how threats change and stay one step ahead to prevent a breach. There is an often-used saying that “all things old are new again,” and cyberattacks are no exception. Living off the land attacks, also known as LotL attacks, have been around for over 25 years. However, they have remerged as a trend in the cybersecurity landscape. 

Recognizing LotL Attacks

LoTL attacks are virtually lifeless malware attacks. They are challenging to detect and can be described as malicious code or tools gaining access and using native system tools as part of the system’s normal operating state. LotL attacks often take occur in three stages:

  • A user accidentally visits a compromised website, opens a phishing email, or uses an infected external data device, like a USB drive. Alternatively, a hacker can scan a network for a vulnerable device using a backdoor or rootkit to gain access. 
  • The attack kit establishes a foothold in the system. It then looks to deploy itself, often hiding in or among system administrator tools like PowerShell, VB scripts, Windows Management Instrumentation (WMI), Mimikatz, and PsExec.
  • With the system compromised and the attack tools well hidden, the hacker can now remotely access the system, steal data, disrupt operations, or probe for different methods to compromise.

LotL Attacks Facts

Hackers have figured out that if an organization’s cyber defence tools are too useful to bypass, another attack strategy involves using vulnerable operating systems and system administrator tools to attack devices from a different angle subtly. By avoiding detection in an apparent head-on attack, the hacker uses LotL tactics to slip into the system, hide, and exploit the design along with its resources and data over time. 

SecurityBoulevard article points to the growing sophistication of malware; it explains that cybercriminals “target pre-installed tools (such as PowerShell) to not only make it more difficult to detect them, but also to enable them to spread more stealthily and wreak more havoc.”  

To understand LotL attacks, you can look to a few high-profile attacks: 

  • Seen first in 2016, Silence Group is an example of a financially motivated bad actor that uses LotL attacks to target financial institutions in Russia, Ukraine, Poland, and other neighbouring countries. Notably, this group successfully penetrated the Russian Central Bank systems, ATMs, and card processing capabilities. 
  • In 2018, organizations in Ukraine were hit with NotPetya ransomware, which leveraged LotL attacks. The ransomware used a software supply chain attack as its initial infection point, then used LSADump and Mikikatz to steal account credentials to copy the threat to other computers on the network.
  • cyberespionage campaign known as “Thrip” targeted telecommunications and defense companies using LotL tactics involving the Windows PsExec utility to install Catchamas info-stealer malware. 

Building Your Defense 

A next-generation cloud-based anti-malware software package, paired with behavioural endpoint detection and response (EDR), is currently the most advanced defence against both malware and non-malware attacks.  

Non-malware attacks like LotL attacks, though difficult to detect, are defensible with the following: 

  • IT professionals can use application whitelisting to block attackers by preventing the execution processes from running.  
  • System tools can provide alerts for human investigation beyond the system’s planned maintenance windows.
  • Proactive threat hunting should be deployed. 

LotL Threat Mitigation 

While many businesses and other organizations have made strides to defend themselves against malware, cybercriminals continue to learn and adapt, using new vectors and resurfacing attacks that have worked in the past.  

Living off the land attacks are especially pernicious, given that they hide amongst other legitimate applications and utilities. While difficult to detect, they can be mitigated by whitelisting and leveraging the execution capabilities of OS and system administrator tools. Additionally, careful use of alerts and inspection can help detect LotL attacks. 


Masri serves as the Chief Content Editor at BestKodiTips. With three years of experience, she excels in creating technical content, focusing on how-to guides, Android and Kodi tutorials, app reviews, and addressing common technological challenges. She ensures to stay abreast of the latest tech updates. Outside of work, Masir finds pleasure in reading books, watching documentaries, and engaging in table tennis.

    13 Ways to Build a Happy & More Productive Workforce [Infographic]

    Previous article

    Pitfalls That the Entrepreneurs Need to Avoid According to Eric J Dalius

    Next article

    You may also like


    Comments are closed.

    More in Security