
Living off the Land Attacks (aka LOL, LOTL, LOLbin, LOLBAS…) – Bitdefender TechZone

Abstract

LOTL attacks use legit system tools for malicious actions, blending with normal activity. They're vital in breaches, from ransomware to APTs, enabling stealthy operations. Defense requires strong EDR/XDR, behavioral analysis, and expert security teams.

Living Off the Land (aka LOL, LOTL, LOLbin, LOLBAS…) attacks are a class of cyberattacks that use legitimate, pre-existing system binaries, scripts, and libraries within the target environment with malicious intent. Without the introduction of external, potentially detectable tools, malicious actions can easily blend with normal system operations.

While security teams are familiar with LOTL attacks, their critical role in modern breaches is still underestimated. Nearly every significant incident we investigate, from ransomware to APTs, leverages them. In ransomware, while the attention is often on the final data encryption, the attack's core is a manual hacking operation conducted by affiliates (as explained in our whitepaper). LOTL techniques are the backbone of these operations, handling everything from privilege escalation and lateral movement to data exfiltration and automated mass deployments, like ransomware deployment through GPO. APT groups use similar LOTL tactics for persistent access and espionage. LOTL is the backbone of today's threat landscape, a daily tool for attackers of all sophistication levels.

This article aims to provide a clear understanding of these attacks: their popularity, operation, and effective countermeasures.

Reasons for popularity of LOTL attacks

Modern operating systems have evolved into incredibly powerful platforms with a vast array of built-in tools and functionalities. It's difficult to imagine managing a Windows environment today without the capabilities of PowerShell, for example. This isn't just a Windows problem; all advanced platforms, including Linux/UNIX and macOS, are susceptible to LOTL attacks. But what are the top 3 reasons why this technique keeps gaining popularity?

  1. Using What’s Already There

    LOTL attacks benefit from the readily available and trusted tools already present within systems. Many tools, like PsExec and PowerShell, are often explicitly allowed on systems, with their ports open, for legitimate administrative purposes. Furthermore, these tools are usually signed by Microsoft or other trusted parties. These tools do exactly what they're supposed to do, so vendors aren't going to 'fix' them.

    With no financial investment required, these pre-existing tools are easily accessible for any attacker. Attackers can easily learn how to use these tools thanks to readily available documentation. The deep familiarity of experienced sysadmins with these tools creates a tempting opportunity for those struggling in the IT job market, making them prime candidates for ransomware affiliates.

  2. Tools for Every Stage

    LOTL techniques are incredibly versatile and can be employed throughout the entire attack lifecycle. They cover all stages of an attack, from initial reconnaissance to lateral movement, data exfiltration, and even data encryption. Some tools, like PowerShell, are particularly flexible and can be adapted to various tasks. The use of human-readable commands allows attackers to easily modify and adjust their actions in real-time, making them adaptable to changing environments. For instance, an attacker might use net to discover network shares, then use copy to move files, and finally use certutil to encode and exfiltrate data. Our ShrinkLocker research is an example of how ransomware can cripple entire companies using only built-in Windows tools.

  3. Blending with Normal Activity

    One of the biggest advantages of LOTL attacks is the ability to blend seamlessly with normal system activity. By using legitimate tools, they bypass legacy security solutions that rely on detecting signatures and known malicious files. The crucial difference lies in the intent behind the tool's use. For instance, an attacker might use PowerShell to create a scheduled task, a common administrative task. This activity, while flagged by EDR/XDR systems, isn't enough to block an action.

    This results in a shift from clear-cut "malicious" to a more nuanced "suspicious." This move to "shades of gray" necessitates a more sophisticated approach to security, relying less on simple signature-based alerts and more on behavioral analysis, threat intelligence, and a deep understanding of legitimate system administration. Analysts are then required to investigate the context of the action, moving beyond simple automated detection.

    The extended dwell times typical of LOTL attacks allow attackers to expand their operations and inflict significant damage. In ransomware attacks, affiliates can spend weeks or months compromising the network before deploying the ransomware, effectively targeting entire networks rather than individual machines. This capability also enables long-term espionage operations, where attackers can maintain persistent access and exfiltrate data over extended periods.

Categories of LOTL attacks

There's a lot of muddied information out there about LOTL attacks. So, before we get into the different types, let's clear up some common misunderstandings and talk about what they're not.

Tools like Mimikatz, which are specifically designed for malicious tasks, are not considered LOTL. However, the line between LOTL and malware can become blurred. For example, while DLL sideloading using system libraries aligns with LOTL principles, using it to execute an entirely custom malicious library crosses into traditional malware territory. In this scenario, the loading source—the legitimate application—is a system tool, but the loaded binary is typically a third-party malicious library. Thus, the loading process itself is LOTL, but the loaded module is not. This is the same situation as using Rundll32.exe, a system tool, to run a malicious external DLL.

It's also important to distinguish LOTL from fileless attacks, which, while related, are not interchangeable. LOTL emphasizes the source of the tools – abusing legitimate system functionalities – while fileless attacks focus on the method of execution, aiming to avoid writing files to disk. Although LOTL techniques frequently result in fileless actions, such as executing PowerShell code in memory, their core difference lies in their primary focus: tool origin versus execution method.

While we consistently emphasize the pre-installed nature of LOTL tools, there's one area where we're making an exception. We would include widely used, trusted, and typically whitelisted tools like SysInternals' Process Explorer (procexp.exe) or PsExec (psexec.exe), despite them not being default components. We believe including them offers a more nuanced and practical view of real-life attack vectors.

  1. Direct Misuse of System Tools

    Attackers take tools already present on a system, issuing the same commands as legitimate users, but their goals are malicious. For example, they might use Remote Desktop Protocol (RDP) to move through a network, PowerShell to run discovery code, or WMIC to access systems remotely. Sometimes, attackers bring in legitimate tools from trusted sources such as Microsoft Store. While not strictly "pre-existing," these actions are similar to LOTL attacks. For example, they might download QuickAssist to take control of a victim's computer under the guise of providing help.

    With direct misuse, context is king. Solid EDR/XDR platforms that provide correlation and minimize the noise need to be combined with security analysts (SOC or MDR) to triage these alerts.

  2. Exploiting Unintended Functions

    Many system tools support a combination of parameters that, when used in specific ways, can lead to unintended and potentially harmful consequences. Attackers often exploit these combinations to achieve their objectives. For example, the legitimate Teams.exe executes arbitrary processes under a trusted Microsoft-signed binary by utilizing the --gpu-launcher argument. Similarly, certutil can download executable files, bypassing typical download restrictions.

    Another common tactic involves abusing binaries or drivers that support DLL sideloading or unintended command execution. For instance, BGInfo.exe, a tool frequently used by administrators for managing large environments, can be manipulated to execute VBScript referenced in a specified .bgi file.

    This category also includes unintended behaviors resulting from misconfigurations or default settings. For instance, attackers can override BitLocker protectors, or impersonate IT support by exploiting allowed external connections in Microsoft Teams.

    Security solutions often raise alerts for these types of LOTL attacks, as they deviate from common usage patterns. However, to minimize false positives, advanced security solutions focus on the behavior of the loaded implant rather than the technique itself. For example, they might not alert on DLL sideloading in general (relatively common), but they will alert when a sideloaded DLL begins performing suspicious or malicious actions.

List of LOTL Binaries and Scripts

Rather than providing an exhaustive list of individual tools, which would require constant updates, we've curated a selection of valuable repositories. Moreover, the scope of LOTL extends beyond individual tools. Threat actors frequently abuse higher-level technologies like GPO and Active Directory.

While these repositories list hundreds of tools, they are far from comprehensive. They deliberately omit tools primarily used for direct misuse, such as PsExec and basic PowerShell commands. These repositories focus on tools that possess unexpected functionalities, often falling into the "Unintended Tool Functions" category of LOTL attacks.

While there are numerous tools that can be misused, these top 10 Windows utilities are frequently observed during our real-world investigations:

  • Remote Desktop Protocol (RDP): While designed for legitimate remote access, RDP is often hijacked to gain control of systems and move laterally within networks.

  • PowerShell (+ VBScript): Powerful scripting languages are a favorite for administrators (and attackers) due to their versatility. No matter how extensive one's experience with these tools, there's always more to discover. The complexity stems from several factors. First, executing PowerShell code on a default Windows installation can be achieved through a multitude of methods, far beyond simply running powershell.exe. Second, PowerShell extends beyond its native cmdlets, allowing interaction with COM objects, the .NET framework, Win32 APIs, and more.

    • Similar complexities exist with VBScript and related technologies. Office macros, cscript.exe/wscript.exe, and more exotic methods like mshta.exe (HTA) offer a plethora of code execution options.

  • WMI + WMIC.exe: WMI (and its command-line interface wmic.exe) allows remote command execution and system management. Attackers use it for lateral movement, persistence, and gathering system information.

  • Certutil.exe: This command-line utility can download and encode/decode files, enabling attackers to bypass download restrictions and exfiltrate data.

  • Regsvr32.exe: Attackers use this to register and execute COM objects, often from remote locations, bypassing typical execution restrictions.

  • Rundll32.exe: This utility executes DLLs, allowing attackers to run malicious code within legitimate processes.

  • Bitsadmin.exe: The Background Intelligent Transfer Service (BITS) is used to download files in the background for stealthy malware delivery.

  • SchTasks.exe: Attackers abuse scheduled tasks for persistence and automated execution of malicious scripts or programs at specific times.

  • Net.exe + Net1.exe: These command-line tools are used for network reconnaissance, user management, and other system- and network-related tasks.

  • MSBuild.exe: Microsoft Build Engine. This tool is designed to build software applications, but it can be abused to execute code in-memory from malicious project files. This allows attackers to bypass application whitelisting and execute code under a trusted Microsoft binary.

While LOTL attacks are often conflated with fileless attacks, it's useful to maintain a clear distinction. Mixing these two concepts, though related, leads to a significant expansion of scope and can distract from the core focus of LOTL techniques.

How to defend against LOTL attacks

As with most other threats, the most effective strategy to counter LOTL attacks is a multilayered, defense-in-depth strategy. Prevention, through hardening and attack surface reduction, is critical. This includes rigorous Active Directory hardening, strict application of the principle of least privilege, and regular red team exercises to identify vulnerabilities. While strategies like application whitelisting sound promising in theory, their practical implementation is often challenging. Many of these tools are used infrequently or by third-party applications, and disabling them without careful and exhaustive planning can lead to unexpected behavior. Furthermore, once a binary is whitelisted, it's typically whitelisted indefinitely, and these lists are rarely revisited or updated.

Solid endpoint protection platforms, like Bitdefender GravityZone, incorporate multiple layers designed to block or detect LOTL attacks. For example, Process Protection monitors for anomalous process behavior, Fileless Protection provides additional protection on top of AMSI scanning, and Anomaly Detection uses ML models on every endpoint to identify user and system anomalies.

Especially for direct misuse of system tools, actionable detection and response is critical. EDR/XDR solutions should provide effective detection while minimizing alert fatigue. A well-designed EDR/XDR system will leverage anomaly detection, correlation, and advanced algorithms to determine the level of suspiciousness as accurately as technically possible, assigning a probability score that indicates malicious intent. A dedicated SOC (or MDR) team is vital for monitoring and triaging reported suspicious events. Crucially, the goal is to provide security analysts with sufficient context to determine if an action is malicious or benign. This determination is probabilistic, not deterministic, as the intent behind the use of legitimate tools often resides in shades of gray. Analysts must weigh the available evidence and context to prioritize and respond to the most critical threats efficiently.

More Resources

Bitdefender PHASR official website: Bitdefender PHASR

Bitdefender XDR official website: GravityZone XDR

Discover the full potential with our dedicated video masterclasses: Bitdefender Masterclass