In recent years, the prevalence of endpoint cyber security defenses has significantly improved, resulting in the effectiveness of attackers' malware such as trojans, rootkits, and keyloggers being degraded considerably. This is excellent news! However, due to this success, attackers are adapting the tools, techniques, and procedures (TTPs) they use to compromise organizations. Instead of utilizing malware tools, which are easily identified by anti-malware software, attackers are more frequently using existing applications and services already installed on the endpoint to perform their malicious actions. This technique is known as "Living off the Land".
Living off the Land is not a new tactic; attackers have used this technique for decades. However, we have seen a resurgence in recent years in its popularity and effectiveness. In Q4 of 2021, of all the attacks detected by CrowdStrike, 62% were malware-free, up from 40% in 2019.
In this article, we will describe how Living off the Land (LotL) attack techniques are performed, why they are so effective, and how defensive controls, such as the Principle of Least Functionality, can be implemented to mitigate the risks associated with Living off the Land attacks.
Principle of Least Functionality
Before discussing Living off the Land attacks in too much detail, we should describe a core security principle - the Principle of Least Functionality.
The Principle of Least Functionality requires that systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and services that are not integral to the operation of that system.
Unfortunately, the Principle of Least Functionality is not as commonly known and implemented as its more famous sibling, the Principle of Least Privilege. "Least Privilege" is concerned with what users and services can access, whereas "Least Functionality", as previously stated, is concerned with how a system is configured. These two principles can and should be implemented side by side and given equal priority.
Modern operating systems ship with many preinstalled applications and with many services enabled and running. Windows Server 2019 has over 600 preinstalled applications and over 200 services, 90 of which are running by default. While this may be useful, as so much functionality is available straight out of the box, the attack surface exposed by so much functionality is a significant security risk.
When deploying a new server, you should adhere to the Principle of Least Functionality by following server hardening guides such as the CIS benchmark, assessing what is installed and running, and removing or disabling unneeded applications and services. Doing so significantly reduces the likelihood that an attacker would be able to "live off the land" if they could gain access to the server.
Implementing the Principle of Least Functionality provides several benefits; the primary benefits are:
- Reduced attack surface
  - If a server has only the required services running and ports open, an attacker has fewer avenues to attack.
- Easier to maintain
  - If only the minimum required software is installed, then there are fewer applications to manage, secure, and patch.
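The "assess what is running, then disable what is not needed" step above, as an added PowerShell example that is not from the original article. The approved service list is a constructed placeholder; the real one comes from the server's role and the relevant CIS benchmark.

```powershell
# Added example (not from the original article): audit a Windows Server's
# automatically started services against an approved baseline. The approved
# list below is a constructed placeholder; derive the real one from the
# server's role and the relevant CIS benchmark.
$ApprovedServices = @(
    'Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation',
    'RpcSs', 'Schedule', 'W32Time', 'WinDefend', 'wuauserv'
)

function Get-UnapprovedAutoServices {
    param(
        [string[]]$Approved,
        # Defaults to the live service list; pass objects here to test offline.
        [object[]]$Services = (Get-Service)
    )
    # Anything an approved service depends on is implicitly approved:
    # disabling it would break the approved service.
    $required = $Services |
        Where-Object { $Approved -contains $_.Name } |
        ForEach-Object { $_.ServicesDependedOn.Name }
    $keep = @($Approved) + @($required)
    $Services |
        Where-Object { $_.StartType -eq 'Automatic' -and $keep -notcontains $_.Name } |
        Select-Object Name, DisplayName, Status, StartType
}

function Disable-UnapprovedAutoServices {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Approved)
    foreach ($svc in Get-UnapprovedAutoServices -Approved $Approved) {
        # With -WhatIf, ShouldProcess only prints the intended change.
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and set StartType to Disabled')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }
}

# Report first and review each entry; then do the dry run, then the real change.
Get-UnapprovedAutoServices -Approved $ApprovedServices | Format-Table -AutoSize
# Disable-UnapprovedAutoServices -Approved $ApprovedServices -WhatIf
```

Review the report on a non-production host of the same role before disabling anything, since a service missing from the baseline is not proof that it is unneeded.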
Living off the Land
Historically, "Living off the Land" referred to one's ability to be self-sufficient on the land one inhabits - hunting, foraging, and using survival skills to maintain a subsistence life. Within the cyber security industry, "living off the land" has taken on a new yet related meaning: an attacker's ability to use the legitimate applications and services that already exist within their target environment to perform malicious actions.
A common technique attackers use to live off the land is to utilize legitimate system binaries to perform malicious actions. The applications used for this purpose are known as LOLBins (Living off the Land Binaries). The objective of attackers using LOLBins is to find built-in executables that can achieve a malicious goal without requiring additional external tools or files, and without alerting system owners to their malicious activities.
Open source projects such as LOLBAS (for Windows binaries) and GTFOBins (for UNIX binaries) have documented many LOLBins and how they can be utilized for malicious purposes. While some people may see projects such as these as "aiding the enemy", offensive security research has a more significant positive impact on defenders, as it provides them with knowledge of, and intelligence about, what they need to defend against.
LOLBins generally share the following characteristics:
- Native or extremely common to the operating system
- Provides "interesting" functionality, such as:
  - File operations (upload, download, copy)
  - Credential harvesting
  - Privilege escalation
  - System monitoring (memory, network)
  - Code execution
Why are they so useful?
So why are LOLBins so effective and widely used? By using trusted applications and services such as LOLBins, the actions of an attacker blend into expected system behavior, making them difficult to detect and deny.
When an attacker lives off the land, they no longer need to develop or distribute malware to compromise a system, which would most likely be detected by anti-malware software. Living off the Land instead of creating custom exploits also increases the difficulty investigators face in determining attribution. By attribution, we mean the ability to determine the identity or location of an attacker.
Additionally, many security controls, such as application whitelisting, signature-based malware scanners, and user access controls, are ineffective against Living off the Land techniques. This is because many of these tools need to be accessible to users for legitimate purposes and cannot simply be removed, disabled or blocked.
For these combined reasons, we can see clearly why LOLBins and other Living off the Land techniques have become attackers' preferred techniques and why defenders are having such difficulty defending against them.
Collectively, the LOLBAS and GTFOBins projects have documented over 400 different LOLBins that can be used for malicious purposes.
According to data collected by Kaspersky, the top Windows-based LOLBins used by attackers in 2021 are:
- PowerShell is a Windows-native command-line shell and associated scripting language. PowerShell is heavily used by system administrators for performing a wide variety of automated and scripted tasks.
  - The versatility of PowerShell and its ability to interact with the Windows API make it an extremely attractive tool for attackers.
- rundll32.exe is a binary used to load and run dynamic-link libraries (DLLs). It provides core functionality within a Windows environment and cannot be removed.
  - Attackers can utilize rundll32.exe to proxy the execution of malicious code through a trusted application or process.
  - Attacks using rundll32.exe commonly bypass security monitoring tools, as rundll32.exe is typically an allowed executable.
- PsExec.exe is a Microsoft tool used to execute a program on another computer. While not a native Windows binary, it is part of the commonly used Microsoft Sysinternals tools. PsExec is used by system administrators to automate the deployment of changes to a wide fleet of hosts.
  - PsExec can be utilized by attackers to remotely create accounts, upload or download files over the network, or execute remote PowerShell scripts and commands.
Other Windows-based LOLBins commonly used by attackers include:
- whoami, procdump, certutil.exe, schtasks.exe, sc.exe, wmic.exe, reg.exe, and many more.
For an attacker to take advantage of Living off the Land and exploit various LOLBins, they must first gain access to the network or device - this is known as an initial attack vector.
One of the most common attack vectors an attacker uses to gain access to a network or device is phishing. Phishing is a type of social engineering attack that involves an attacker sending a message to their intended victims in an attempt to trick them into performing an action that may result in the compromise of sensitive information.
Phishing attacks often utilize LOLBins by providing users with a script or document that will execute a malicious action through a standard system application or service, allowing the attacker access to the system or its information.
We recommend you read our previous blog post, Phishing Mechanics and Why Phishing Works, to better understand this initial attack vector.
Lateral movement is a technique used by attackers to move around and deeper into a network. When an attacker gains initial access to a network, one of their objectives is usually to move through the network to locate sensitive data or high-value assets.
By using Living off the Land techniques to perform lateral movement, the attacker's actions can remain silent, blending into legitimate network traffic and administrative activities.
Compromise of internet-facing services
Organizations that have internet-facing services need to ensure these systems are secure. If the internet-facing service is compromised, attackers will attempt to gain a foothold in the network.
Attackers will aim to configure a secondary communication source and implement access persistence to gain a foothold in a network. These objectives are frequently achieved through the exploitation of LOLBins. Communication channels can be configured via system services such as SSH, RDP, DNS, or HTTP. Persistence can be achieved through scheduled or autostart tasks, DLL hijacking, or login scripts. All achievable without malware or specialized tools - just Living off the Land.
Living off the Land attack techniques and LOLBin exploitation are some of the most challenging attacks to mitigate, detect and deny.
Endpoint Detection and Response
Tools that attempt to detect Living off the Land techniques have historically had high "false positive" rates. A false positive is an alert that incorrectly identifies benign activity as malicious. When a security tool has a high false positive rate, the team responsible for responding to those alerts will begin to deprioritize their triage or ignore them entirely, making the security control ineffective.
Modern security incident detection tools, such as many of the leading Endpoint Detection and Response (EDR) tools, utilize heuristics, machine learning, and AI to reduce false positive rates and identify patterns of behavior outside the expected norm.
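The "behavior outside the expected norm" idea above, as an added PowerShell example that is not from the original article or any EDR product: a LOLBin execution is reported only when its parent process falls outside a per-binary baseline, which is what keeps every ordinary rundll32.exe launch from becoming a false positive. The baseline and the sample events are constructed; the field names follow Security log event 4688.

```powershell
# Added example (not a product's detection logic): flag a LOLBin execution only
# when its parent process is outside the set normally seen launching it. The
# baseline is a constructed placeholder; build the real one from your fleet.
$ExpectedParents = @{
    'rundll32.exe'   = @('svchost.exe', 'explorer.exe', 'msiexec.exe')
    'powershell.exe' = @('explorer.exe', 'cmd.exe', 'services.exe', 'wsmprovhost.exe')
    'certutil.exe'   = @('cmd.exe', 'mmc.exe')
    'wmic.exe'       = @('cmd.exe', 'powershell.exe')
    'schtasks.exe'   = @('cmd.exe', 'powershell.exe', 'svchost.exe')
}

function Find-AnomalousLolbinExecution {
    param([object[]]$Events, [hashtable]$Baseline = $ExpectedParents)
    foreach ($e in $Events) {
        $image  = ([IO.Path]::GetFileName($e.NewProcessName)).ToLower()
        $parent = ([IO.Path]::GetFileName($e.ParentProcessName)).ToLower()
        if (-not $Baseline.ContainsKey($image)) { continue }   # not a tracked LOLBin
        if ($Baseline[$image] -contains $parent) { continue } # matches the baseline
        [pscustomobject]@{
            Time = $e.TimeCreated; Host = $e.Computer; User = $e.SubjectUserName
            Image = $image; Parent = $parent; Command = $e.CommandLine
        }
    }
}

# Constructed sample events using the field names of Security log event 4688.
# (CommandLine is only populated when command-line auditing is enabled.)
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-11-02T09:14:05'; Computer = 'WS01'; SubjectUserName = 'jdoe'
        NewProcessName = 'C:\Windows\System32\rundll32.exe'
        ParentProcessName = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }
    [pscustomobject]@{ TimeCreated = '2021-11-02T09:15:31'; Computer = 'WS01'; SubjectUserName = 'jdoe'
        NewProcessName = 'C:\Windows\System32\rundll32.exe'
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'rundll32.exe C:\Users\jdoe\AppData\Local\Temp\PLACEHOLDER.dll,Run' }
    [pscustomobject]@{ TimeCreated = '2021-11-02T09:16:02'; Computer = 'WS01'; SubjectUserName = 'jdoe'
        NewProcessName = 'C:\Windows\System32\notepad.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine = 'notepad.exe' }
)

# Only the Word-spawned rundll32 is reported; the svchost-spawned one is normal.
Find-AnomalousLolbinExecution -Events $SampleEvents | Format-Table -AutoSize
# Live use: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } and
# map each event's EventData fields onto the property names used above.
```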
The most effective mitigation strategy against Living off the Land attack techniques is implementing and maintaining security-hardened systems.
Returning to the Principle of Least Functionality, system hardening is the practice of minimizing the attack surface of a device by removing or disabling unneeded functionality and hardening those services needed for the device to perform its defined purpose.
CIS Benchmarks are the industry standard for system hardening guides.
Containerization, as discussed in our previous blog post, "A Container Primer for Auditors", when implemented securely, provides isolation and a reduced attack surface for deployed services.
Distroless container images can be used to implement the Principle of Least Functionality for containerized services. Distroless images are built to restrict what's running within a runtime container to only what is necessary for the application to run. If an attacker could compromise the service running within a container built on top of a distroless image, there would be no LOLBins available to the attacker to further extend their attack chain.
Unfortunately and ironically, the current prevalence of Living off the Land attack techniques is predominantly due to defenders' effectiveness in mitigating malware-based attacks.
As attackers modify their tools, techniques, and procedures (TTPs), defenders must remain vigilant and ensure their own TTPs used to defend their network and systems are current and effective.
The most effective mitigation strategy we have against Living off the Land attack techniques is to implement and maintain the Principle of Least Functionality. By limiting attackers' access to the system tools they need, we can reduce the likelihood of LOLBin-based attacks.