How to detect and block Living off the Land attacks
Living off the land attacks are becoming more and more common. The term “Living off the Land” dates way back to DerbyCon 2013, see the video here. Put simply, it means when attackers use legitimate tools and features within your environment to perform attacks. They are sometimes also called fileless, zero-footprint or as I will refer to throughout this article LOTL attacks.
So why do attackers do this?
Firstly, using legitimate tools avoids a lot of detection methods. Hash Values, IOCs and signatures do not detect living off the land attacks. The tools are usually whitelisted from rules by many SOCs and any activity from them is completely ignored.
Attackers also like using this method as it saves money on either buying or creating your own malware / attack tools. It also makes attributing attacks to a certain group a lot more difficult, as many groups use these legitimate tools during attacks.
There is evidence to back up the growing popularity of these attacks too. Crowdstrike’s 2019 Global Threat Report advises over 40% of attacks are now performed using already installed tools and features.
So how do we detect these attacks? I’ll discuss next some simple methods we can use to either detect or block LOTL attacks.
WHAT TO LOOK FOR?
The first step is knowing what tools and features these attackers use. Luckily for us, there are a lot of great resources out there already which we can reference.
Living Off The Land Binaries and Scripts (and now also Libraries)
First up, the LOLBAS project. This project documents every binary, script and library that can be used for LOTL techniques on Windows. See the read me here for further info. More importantly for us, see https://lolbas-project.github.io/ which lists all the 115 binaries, scripts and libraries we are going to look for in the next steps.
Next up, GTFOBins. Inspired by LOLBAS, GTFOBins documents 188 Unix binaries which can be abused and therefore used as part of LOTL attacks. See the site here – https://gtfobins.github.io/
JPCERT – Windows Commands Abused by Attackers
JPCERT (The Japanese CERT) releases a lot of great cybersecurity content. Back in 2016, they released a post of Windows commands abused by attackers; which still applies today. It breaks these down into three categories – Initial Investigation, Recon and Spread of Infection. See the full post here.
Azure Sentinel Rare Operations
One of the Azure Sentinel detection’s looks for rare operations which should not occur outside a few accounts but can be useful for attackers. See the post here for the operations to look for and the accounts to ignore.
Lets now use these binaries, libraries, scripts, commands and operations to detect and block LOTL attacks.
We can now use this information we have gathered to detect these attacks. The first method I recommend is using your SIEM and searching for all these binaries, libraries, scripts, commands and operations (Depending on the logs you have)
To start off with, these searches will show lots of administrative account behaviour. These tools will be used regularly by network and system admins to perform their daily duties. Build a list of these users and then exclude them from your search.
Now, look through these events grouping by username / count. Any accounts with large amounts of these tools / features being used regularly should be investigated. Work using this method until you are happy most legitimate behaviour is known about (This time period will depend on the scale and complexity of your environment.)
We can then use the tuned down data for two purposes. Firstly, you can regularly threat hunt your logs for any accounts with spikes in these events which are not known to you. You can also set up SIEM rules to detect any spikes in usage of these tools or features by any non admin accounts. Using this method personally has worked very well for me.
Just create a lookup table / reference set etc containing all of the binaries, libraries, scripts, commands and operations. Then, if an account uses a large amount of these during a set time frame (24 hrs recommended, however you can tune this to your liking) and is not an admin account, alert for further investigation.
We can also look at only allowing certain users to use these tools and features using application allow lists.
There are a lot of different applications out there which block access to all tools / features for all users and then only specific users / applications are allowed to use them. This is the perfect way to block LOTL attacks, however it does require a lot of work and also a robust application allow list setup. Here are some resources to learn more about application allow lists –
These will differ from system to system however it is worthwhile learning how these work and implementing them to block tools and features which can be used by attackers.
Thanks for reading, you should now be better prepared to detect or block living off the land attacks. Did I miss any resources / sites which list known tools used by attackers? Did I miss any other methods which can be used to protect against LOTL attacks? Please contact me at https://twitter.com/blueteamblog and tell me!
If you require any help in implementing these methods, then please contact me as above.