What Is Living Off the Land Attack and How to Prevent Such Attack

Living off the land has become the standard in today’s cyberattacks intent on evading security solutions.

Living off the land attack takes its name from the “living off the land” way of life, that is, living by eating only the food that one produces from the land.

In the cybersecurity context, living off the land cyberattack refers to turning legitimate programs and processes to perform nefarious activities. Living off the land enables cyberattackers to blend into victims’ networks and hide among the legitimate programs and processes to carry out a stealth attack. Traditional security solutions often ignore living off the land attacks as these activities are considered legitimate activities coming from legitimate programs and processes.

Astaroth: Example of a Malware that Lives Off the Land

Astaroth is an example of a malicious software (malware) that completely lived off the land to avoid detection. Astaroth is an info-stealing malware that abuses various legitimate Windows processes in an attempt to run undetected on computers using Windows operating system. 

In the blog post "Latest Astaroth living-off-the-land attacks are even more invisible but not less observable," Microsoft Defender Security Research Team said they started seeing the updated attack chain of Astaroth in late 2019. In mid-2019, Microsoft Defender Security Research Team observed an unusual spike in activities related to Windows Management Instrumentation Command-line (WMIC), prompting the team to investigate it and found out that the unusual spike in activities related to WMIC was part of the Astaroth attack chain.

WMIC provides a command-line interface for Windows Management Instrumentation (WMI) – referring to the infrastructure for management data and operations on Windows operating systems.

Microsoft Defender Security Research Team said that after the WMIC abuses were exposed, Astaroth now completely avoids the use of WMIC and instead introduced new living off the land techniques that make the attack chain even stealthier such as abusing Alternate Data Streams (ADS) and abusing the legitimate process ExtExport.exe.

Alternate Data Streams (ADS) is a feature in Windows operating system that contains metadata for locating a specific file by title or author. ExtExport.exe, meanwhile, is a feature that ships with Internet Explorer to run a file. Microsoft Defender Security Research Team said that Astaroth uses ExtExport.exe to load malicious payload, while ADS is used to hide malicious payloads.

Other Examples of Living Off the Land Attacks

In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell and PsExec are among the top 3 legitimate tools used by cyberattackers in 2020 and early 2021. PowerShell and PsExec are legitimate Windows operating system tools used by system administrators.

PowerShell is an interactive command-line interface and scripting environment included in the Windows operating system, while PsExec is a Windows tool that can be used to execute a program on another computer. Microsoft said, “PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”

According to Mitre, PowerShell commands and scripts have been known to execute malicious payloads, create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, pull Active Directory information from the target environment, issue interactive commands over a network connection, and access credential data.

Mitre reported that PsExec has been abused to download or upload a file over a network share, write programs to the ADMIN$ network share to execute commands on remote systems, and execute binaries on remote systems using a temporary Windows service.

Windows legitimate features aren’t the only programs abused by attackers in living off the land attacks. Third-party programs are also abused by living off the land attackers.

In 2017, the Petya, also known as NotPetya, malware spread worldwide via a tainted accounting software of the Ukrainian-based company MeDoc. In 2020, researchers at Sophos reported that the group behind the ransomware called "RobbinHood" used the signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte as a means so that the threat group could load a second, unsigned driver into Windows.

“This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos said.

Living off the land attackers recently tainted SolarWinds software affecting thousands of the customers of SolarWinds that downloaded the tainted version of SolarWinds software.

Cybersecurity Best Practices

Here are some of the cybersecurity best practices in preventing and mitigating the effects of living off the land attacks:

Switch off or remove unneeded programs

• Keep all software up to date
• Set up software whitelisting
• Practice network segmentation
• Implement the principle of least privilege