Part 1 in a series
Living off the Land (LotL) is a technique used by both red teams and bad guys. It involves using existing tools, scripts, and resources that are already present in the target environment to achieve the objectives of the engagement. While not a new approach, it only started officially being known as Living off the Land (LotL) in recent years (everything in infosec needs a good acronym, after all).
By using these built-in tools, red teams (and others) can reduce their visibility and decrease the likelihood of detection. In this article, we will provide some background information on LotL, including: command line utilities, living off the network, living off the system, living off the cloud, and living off the user. We will also discuss how blue teams can detect and prevent these techniques. Subsequent articles will dig into specific areas more deeply.
He knew how to live off the land
Command line utilities are built-in tools that can be used for various tasks such as file manipulation, network communication, and system administration. Examples include PowerShell, Batch files, and Windows Management Instrumentation (WMI).
PowerShell is a powerful command-line tool that allows users to execute commands and scripts on remote systems. It provides an extensive set of features such as task automation, configuration management, and remote administration.
Batch files are script files that contain a series of commands that are executed in sequence. They are commonly used for automating repetitive tasks such as file manipulation, network communication, and system administration.
Windows Management Instrumentation (WMI) is a powerful built-in management framework that allows administrators, and therefore attackers, to execute commands on remote systems. It provides an extensive set of features such as querying system information, executing commands, and managing services.
Living off the network involves using resources available on the target network, such as shared folders, printers, and services, to achieve the objectives of the engagement. For example, an attacker may use a shared folder to transfer tools or data between systems. Red teams can also use network scanning tools such as Nmap, Ping, Netstat, and Tracert to enumerate hosts and open ports on the target network.
Living off the System (LotS) techniques involve using built-in system components, such as Windows Management Instrumentation (WMI) and the Windows Registry, to achieve the objectives of the engagement. For example, an attacker may use WMI to execute commands on remote systems or modify the registry to maintain persistence. Red teams can also use tools like Regsvr32 and Rundll32 to execute malicious code in memory without leaving a trace on disk.
Living off the cloud involves using cloud services, such as AWS or Azure, to achieve the objectives of the engagement. For example, an attacker may use a cloud service to host malware or exfiltrate data. Red teams can also use cloud-based tools like GitHub or Pastebin to store and share sensitive information during an engagement.
Living off the User (LotU) techniques involve using built-in user tools and resources, such as web browsers and email clients, to achieve the objectives of the engagement. For example, an attacker may use a web browser to exploit a vulnerability or steal credentials. Red teams can also use social engineering techniques like phishing emails or pretexting to manipulate users into divulging sensitive information or granting access to restricted areas.
While it's a bit 1995, attackers can use macros in Microsoft Office documents, such as Word or Excel, to execute malicious code on a target system. Similarly, red teams can use scripts written in languages like Python or PowerShell to automate tasks and evade detection. Read more on malicious macro usage here.
Windows Credentials Editor (WCE) is a tool that can be used to extract plaintext credentials from the Windows operating system. Red teams can use this tool to steal credentials and move laterally within the environment.
Remote Desktop Protocol (RDP) and Windows Admin Shares are built-in tools that allow remote access to a target system. Red teams can use these tools to gain access to systems, move laterally within the environment, and maintain persistence.
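The two sections above (shared folders on the network, and RDP plus admin shares) leave a trail in the Windows Security log: Event ID 5140 records network share access, and Event ID 4624 with logon type 10 records an RDP logon. The script below is an added example for the blue-team side and is not code from the original post. It parses a handful of constructed JSON-lines events (not real telemetry) and raises an alert when an untrusted host touches a hidden administrative share, or when one account fans out over RDP to several servers; the trusted-host allow-list and the fan-out threshold are hypothetical values a team would tune for its own estate.

```python
"""Flag admin-share access and RDP fan-out in Windows Security events.

Added example: the events, the allow-list and the threshold below are
constructed for illustration, not taken from any real environment.
"""
import json
from collections import defaultdict

# Hypothetical policy: hosts expected to reach admin shares (e.g. a
# patch-management server), and how many distinct RDP targets per account
# is considered fan-out rather than normal work.
TRUSTED_ADMIN_HOSTS = {"10.0.0.5"}
RDP_FANOUT_THRESHOLD = 3

# Constructed sample events, modelled on Security log Event ID 5140
# (network share object accessed) and 4624 (logon; type 10 = RDP).
SAMPLE_LOG = r"""
{"EventID":5140,"Computer":"FS01","SubjectUserName":"svc_backup","IpAddress":"10.0.0.5","ShareName":"\\\\*\\ADMIN$"}
{"EventID":5140,"Computer":"FS01","SubjectUserName":"jsmith","IpAddress":"10.0.7.22","ShareName":"\\\\*\\IPC$"}
{"EventID":5140,"Computer":"FS01","SubjectUserName":"jsmith","IpAddress":"10.0.7.22","ShareName":"\\\\*\\Public"}
{"EventID":5140,"Computer":"FS01","SubjectUserName":"jsmith","IpAddress":"10.0.7.22","ShareName":"\\\\*\\ADMIN$"}
{"EventID":4624,"Computer":"SRV01","TargetUserName":"jsmith","LogonType":10,"IpAddress":"10.0.7.22"}
{"EventID":4624,"Computer":"SRV02","TargetUserName":"jsmith","LogonType":10,"IpAddress":"10.0.7.22"}
{"EventID":4624,"Computer":"SRV01","TargetUserName":"asmith","LogonType":10,"IpAddress":"10.0.7.30"}
{"EventID":4624,"Computer":"SRV03","TargetUserName":"jsmith","LogonType":10,"IpAddress":"10.0.7.22"}
"""


def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_admin_share(share_name):
    """Hidden administrative shares end in '$' (ADMIN$, C$, D$, ...).

    IPC$ is opened by almost every SMB session, so counting it would
    drown the rule in noise; it is deliberately excluded.
    """
    name = share_name.rsplit("\\", 1)[-1]
    return name.endswith("$") and name.upper() != "IPC$"


def detect_lateral_movement(events):
    """Return (rule, account, source_ip, target) tuples for suspicious events."""
    alerts = []
    rdp_targets = defaultdict(set)  # account -> distinct RDP target hosts
    for ev in events:
        src = ev.get("IpAddress", "")
        if ev["EventID"] == 5140:
            if is_admin_share(ev["ShareName"]) and src not in TRUSTED_ADMIN_HOSTS:
                alerts.append(("admin_share_access", ev["SubjectUserName"],
                               src, ev["Computer"]))
        elif ev["EventID"] == 4624 and ev["LogonType"] == 10:
            user = ev["TargetUserName"]
            rdp_targets[user].add(ev["Computer"])
            # Fire exactly once, the moment the account crosses the threshold.
            if len(rdp_targets[user]) == RDP_FANOUT_THRESHOLD:
                alerts.append(("rdp_fanout", user, src,
                               ",".join(sorted(rdp_targets[user]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_LOG)):
        print(alert)
```

Both rules are deliberately stateful in the simplest way (a set per account); in a SIEM the same logic would run over a sliding time window and the allow-list would come from a CMDB rather than a constant.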
Signed Binary Proxy Execution (SBPE) is a technique where an attacker uses a legitimate, signed binary to execute malicious code in memory without leaving a trace on disk. Red teams can use PowerShell tools like Invoke-ReflectivePEInjection and PSReflect to perform SBPE.
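Most of the host-side techniques discussed so far (PowerShell and WMI under command line utilities, Regsvr32 and Rundll32 under living off the system, Office macros, and the in-memory injection scripts named above) show up as process-creation events, which Sysmon Event ID 1 or Security Event ID 4688 with command-line logging will record. The script below is an added example, not code from the original post or from any of the tools it names: it runs a few plain-language rules over constructed process-creation records (the sample events, the path prefixes and the script-name list are all hypothetical illustrations) and reports which rule fired for which host, user and binary.

```python
"""Rule-based triage of process-creation events for LotL patterns.

Added example, not from the original post: the events are constructed to
resemble Sysmon Event ID 1 / Security 4688 fields, and the lists below are
hypothetical starting points rather than a vetted rule set.
"""
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")   # path fragments
INJECTION_SCRIPTS = {"invoke-reflectivepeinjection"}      # names from the text

# Constructed sample events (JSON lines); backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"Computer":"WS07","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
{"Computer":"WS07","User":"CORP\\jsmith","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoP -w hidden -enc QQBBAEEA"}
{"Computer":"WS07","User":"CORP\\jsmith","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic.exe /node:10.0.7.40 process call create \"cmd.exe /c hostname\""}
{"Computer":"SRV04","User":"CORP\\jsmith","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c hostname"}
{"Computer":"WS07","User":"CORP\\jsmith","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"Computer":"WS07","User":"CORP\\jsmith","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\jsmith\\AppData\\Local\\Temp\\helper.dll,Start"}
{"Computer":"WS07","User":"CORP\\jsmith","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoP -c \"Invoke-ReflectivePEInjection -PEBytes $b\""}
"""


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def is_encoded_powershell(tokens):
    """True if any token abbreviates -EncodedCommand (-e, -en, -enc, ...).

    A naive 'starts with -e' check would also match -ExecutionPolicy, so
    the token must be a prefix of the full switch name instead.
    """
    return any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens)


def triage(ev):
    """Return the names of the rules that fire for one process-creation event."""
    image, parent = base(ev["Image"]), base(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    tokens = cmd.split()
    hits = []
    # Office macro (L13) handing off to a script host or shell.
    if parent in OFFICE_APPS and image in INTERPRETERS:
        hits.append("office_spawned_interpreter")
    if image in {"powershell.exe", "pwsh.exe"}:
        if is_encoded_powershell(tokens):
            hits.append("encoded_powershell")
        if any(name in cmd for name in INJECTION_SCRIPTS):
            hits.append("reflective_injection_script")
    # WMI remote execution seen from either end: wmic /node: on the source,
    # or WmiPrvSE.exe spawning a shell on the target.
    if (image == "wmic.exe" and "/node:" in cmd) or \
            (parent == "wmiprvse.exe" and image in INTERPRETERS):
        hits.append("wmi_remote_exec")
    # Regsvr32/Rundll32 loading from a URL or a user-writable directory.
    if image in PROXY_BINARIES and (
            "http://" in cmd or "https://" in cmd
            or any(p in cmd for p in USER_WRITABLE)):
        hits.append("proxy_binary_untrusted_source")
    return hits


def scan(text):
    """Run triage over JSON-lines input; return (rule, host, user, image) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in triage(ev):
            alerts.append((rule, ev["Computer"], ev["User"], base(ev["Image"])))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The first and fifth sample events are ordinary administration (a scheduled script with an explicit execution policy, and Rundll32 loading a system DLL) and produce no alert; the point of the prefix check in `is_encoded_powershell` and the path check on the proxy binaries is to keep that kind of benign activity out of the queue while still catching the abbreviated and user-writable variants.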
To detect and prevent LotL techniques, blue teams should focus on the following:
Living off the Land is a powerful technique used by red teams during penetration testing and offensive security engagements. By using existing tools and resources in the target environment, red teams can reduce their visibility and increase their chances of success. Blue teams must be aware of these techniques and implement appropriate countermeasures to detect and prevent them. By combining technical controls with user training and awareness, organizations can build a robust defense against LotL attacks.
In part 2 we’ll dig into some of the more technical aspects of LotL.