Introduction
When you think about any crime, generally, criminals choose the path of least resistance. The path that gets them in and out without being noticed or leaving evidence behind. Cybercriminals are no different. Once they locate their target, hackers use easy-to-deploy tactics that can fly under the radar. They hope to get in, exfiltrate data, and leave without a trace before the enterprise realizes they’ve been breached. As NextGen AV and EDR solutions have evolved to better respond to malware, more and more cybercriminals are performing living off the land (LOTL) attacks instead.
What Is a LOTL attack?
Computers have powerful built-in tools that are crucial to an operating system functioning. A LOTL attack is an attack that uses these computer tools or other legitimate software for nefarious purposes. Hackers manipulate these built-in tools and use your computer against you to accomplish their mission, which is usually to steal your data.
What Tools Do Hackers Use in LOTL Attacks?
87% of cyberattacks today use PowerShell, making it the most popular LOTL attack vector by far. PowerShell is a shell interface built into Windows to provide IT admins with a powerful tool to interact with the OS and automate tasks. Hackers commonly use PowerShell to run scripts in target environments that install backdoors, exfiltrate data, and install ransomware. Once a cybercriminal gains access to PowerShell on a victim computer, they can control that computer and potentially access every computer that shares the same network.
Although PowerShell may be the most popular tool to abuse, every operating system contains multiple other powerful built-in tools that hackers can exploit. Windows Management Instrumentation (WMI) is often used to manipulate volume shadows, determine what AV is installed, and stop the endpoint firewall. Rundll32 is often used to bypass application control, abuse legitimate DLLs, and execute malicious DLLs. Cybercriminals even abuse the Windows Registry by modifying specific registry keys to steal credentials and bypass other security controls. Unfortunately, as defenders figure out a way to defend against a particular method of attack, cybercriminals find a new tool to misuse to access data, and the cycle continues.
Why Are LOTL Attacks Popular?
- The tools are readily available.
LOTL attacks are a popular choice for cybercriminals carrying out their misdeeds. The tools involved are signed, legitimate binaries built into the operating system by default, so they are readily available on every target.
- LOTL attacks are hard to detect.
As computers rely on these native tools for normal operational functions, it’s difficult for EDRs and NextGen AVs to distinguish between typical, expected use and an attack leveraging the same tool. Attacks perpetrated using LOTL techniques are considered “fileless,” since no new executable is written to disk, which further helps hide them from security tools.
- LOTL attacks can allow threat actors to achieve persistence.
As they are difficult to detect, threat actors can use these built-in functions to achieve persistence, meaning the adversary can keep a foothold in an environment. Gaining persistence enables the cybercriminals to observe and explore the target environment over time, discovering all the keys to the kingdom without being detected.
- LOTL attacks are hard to prevent.
The native tools abused in LOTL attacks are pre-installed on all Windows computers and are necessary for normal administrative functions. Because of this, most environments can’t simply disable, uninstall, or block these common attack vectors. Fileless attacks can’t be prevented using traditional endpoint security, as these detect-and-respond tools do not view the activity as “malware.”
How Can ThreatLocker Help Mitigate the Risks Associated with LOTL Attacks?
So, you can see why LOTL attacks are challenging to combat. The good news is, challenging isn't impossible, and ThreatLocker can help mitigate the risk associated with LOTL attacks. ThreatLocker works differently from traditional endpoint security tools to help create a Zero Trust environment. ThreatLocker Application Allowlisting prevents any unauthorized applications, scripts, or DLLs from running. As these built-in tools are necessary for normal administrative functions, creating a rule to block their execution will not work in most environments. Although you can't block them without breaking a computer, if a bad actor gains access to one of these native Windows tools and attempts to run an unauthorized script, the script will be blocked.
To reduce risk further, ThreatLocker has developed Ringfencing™ technology. Ringfencing™ creates boundaries around permitted applications to dictate what those authorized apps can interact with, blocking unauthorized interactions with other applications, the registry, your files, and the internet. Applications can be blocked from interacting with PowerShell, WMI, Rundll32, and any other application they don't need access to, which helps prevent a bad actor from reaching PowerShell through another application, for example by using a malicious Word document to run a PowerShell script. Suppose a cybercriminal manages to access PowerShell anyway. With the Ringfencing™ solution applied, PowerShell can't reach the internet to get more instructions from a command-and-control server or copy your files to a malicious URL.
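To make the allowlist-plus-boundaries idea concrete, here is an added example (not ThreatLocker's code; every application name, rule and event is constructed) that evaluates process-launch and network events against a small policy of the kind described above: unknown binaries are blocked outright, native tools may only be launched from approved parents, and only approved applications may reach the network.

```python
from dataclasses import dataclass

# Constructed policy model: an application allowlist plus interaction boundaries
# for native tools, in the spirit of the allowlisting and ringfencing described
# above. Hypothetical names and rules, not ThreatLocker's implementation; a real
# product identifies binaries by hash or signature, not by image name alone.
ALLOWLIST = {"explorer.exe", "svchost.exe", "winword.exe", "outlook.exe",
             "powershell.exe", "wmic.exe", "rundll32.exe"}
# Native tools may only be launched by these parent applications.
LAUNCH_RULES = {"powershell.exe": {"explorer.exe"}, "wmic.exe": {"explorer.exe"},
                "rundll32.exe": {"explorer.exe", "svchost.exe"}}
# Applications permitted to open outbound network connections.
NETWORK_ALLOWED = {"outlook.exe", "winword.exe"}

@dataclass
class Event:
    kind: str          # "process" (a launch) or "network" (an outbound connection)
    image: str         # process performing the action
    parent: str = ""   # parent image, for "process" events
    dest: str = ""     # remote host, for "network" events

def evaluate(ev):
    """Return (decision, reason) for one event under the constructed policy."""
    if ev.kind == "process":
        if ev.image not in ALLOWLIST:
            return "block", f"{ev.image} is not on the allowlist"
        parents = LAUNCH_RULES.get(ev.image)
        if parents is not None and ev.parent not in parents:
            return "block", f"{ev.parent} may not launch {ev.image}"
        return "allow", "permitted"
    if ev.kind == "network":
        if ev.image not in NETWORK_ALLOWED:
            return "block", f"{ev.image} may not connect to {ev.dest}"
        return "allow", "permitted"
    return "block", f"unknown event kind {ev.kind!r}"

# Constructed sample telemetry: an admin launch, a document-spawned shell,
# that shell calling out, and an unknown binary dropped by the document.
EVENTS = [Event("process", "powershell.exe", parent="explorer.exe"),
          Event("process", "powershell.exe", parent="winword.exe"),
          Event("network", "powershell.exe", dest="203.0.113.10"),
          Event("process", "update.exe", parent="winword.exe")]

def audit(events):
    """Evaluate every event; returns a list of (image, decision, reason)."""
    return [(ev.image, *evaluate(ev)) for ev in events]

for image, decision, reason in audit(EVENTS):
    print(f"{decision:5} {image:15} {reason}")
```

Only the administrator's launch from explorer.exe is allowed; the document-spawned PowerShell, its outbound connection and the dropped binary are all blocked by policy rather than by recognising any malware.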
Summary
LOTL attacks provide cybercriminals with an effective means of stealing valuable data without alerting security tools. These built-in tools are necessary components of Windows, which means they can't be uninstalled or blocked. While LOTL attacks present challenges for cyber defenders, their risks can be mitigated with the proper tools. ThreatLocker Allowlisting supports a Zero Trust environment, and all unauthorized apps, scripts, and libraries will be blocked by default, protecting against malicious scripts. ThreatLocker Ringfencing™ allows you to place guardrails around your permitted applications and native tools to prevent applications from unapproved interactions with other applications and the powerful native tools. The ThreatLocker Endpoint Protection Platform allows you to mitigate risks associated with LOTL attacks.
While no single product can prevent or mitigate every risk today, the ThreatLocker Endpoint Protection Platform provides many tools to help keep you in control of your environment. Schedule a live product demonstration today and see for yourself how ThreatLocker protects against LOTL attacks and mitigates other cyber vulnerabilities.