In cybersecurity, living off the land (LOTL) techniques refer to the practice of attackers using the existing tools and processes in a target system to carry out their malicious activities (LOLBAS Project, 2024). This approach is particularly dangerous because it allows the attacker to blend in with everyday activities, making detection significantly more challenging. The term “living-off-the-land” is derived from a survival strategy in which one relies on one's environment for sustenance. Similarly, in a cyber context, attackers leverage the resources within the compromised system, reducing the need to deploy their easily detectable tools or malware.
Operational technology (OT) and industrial control systems (ICS) are integral components of critical infrastructure sectors, including energy, manufacturing, water, wastewater treatment, and transportation. These systems were traditionally isolated from IT networks and the Internet. Still, over the past two decades, they have become increasingly connected, leading to a significant increase in the risk of external exploitation and attack capabilities.
Integrating IT and OT has brought about increased exposure to living-off-the-land (LOTL) techniques. Tables 1 and 2 provide a few examples of legitimate system tools and processes that an attacker could leverage in reconnaissance and exploitation tactics and techniques against IT systems in OT environments.
Table 1. Exploitable System Tools

| Tactic | Technique | Tool | Example |
|---|---|---|---|
| Discovery | Remote System Discovery | Ping | Ping to enumerate systems on a compromised network. |
| Persistence | Create Account | PsExec | Remotely create accounts on target systems. |
| Execution | Command and Scripting Interpreter | PowerShell | PowerShell scripts to run a credential harvesting tool in memory to evade defenses. |
| Privilege Escalation | Scheduled Task | Windows Task Scheduler | Windows Task Scheduler schedules tasks for the initial or recurring execution of malicious code. |
Table 2. Exploitable Processes

| Technique | Processes | Example |
|---|---|---|
| Create or Modify System Process | services.exe | To evade detection analysis, attackers use these services and others to hide malicious payloads among legitimate services within the Windows OS or as benign software components. |
| | Get-Service | |
| | sc.exe | sc.exe can be used to create or modify service configuration settings; the same changes can also be made by modifying the Registry or interacting directly with the Windows API. |
The stealthy nature of LOTL techniques allows them to infiltrate and manipulate OT/ICS systems undetected, potentially causing significant disruptions. Given that OT/ICS systems control physical processes, a successful LOTL attack can have severe real-world consequences, including physical damage and service interruptions. This new dimension of risk introduced by LOTL techniques underscores the critical need for robust security measures to counter these threats in OT/ICS contexts.
LOTL techniques, which rely on legitimate system binaries and scripts, can be applied in various ways to compromise OT/ICS environments. For instance, an attacker could use a binary like cmd.exe or powershell.exe to execute malicious commands, or a utility like bitsadmin.exe to download additional malicious tools or exfiltrate data. These techniques can allow an attacker to gain control over critical infrastructure systems, disrupt operations, or steal sensitive information, all while blending in with legitimate system activity and evading detection.
While it’s challenging to provide specific real-world examples of these LOTL binaries and scripts being used in OT/ICS attacks due to the sensitive nature of these incidents and the confidentiality of the involved entities, it’s important to note that these techniques are commonly used in sophisticated cyber-attacks.
For example, the use of legitimate system tools like cmd.exe and powershell.exe for command execution or bitsadmin.exe for file transfer has been documented in numerous cyber-attacks, including those targeting OT/ICS environments. These attacks often result in the execution of malicious commands, modification of system configurations, or exfiltration of sensitive data, demonstrating the potential impact and versatility of LOTL techniques.
One example is the series of cyber-attacks against the Ukrainian electric power grid, dating back to 2015 and as recent as 2022. In these attacks, the Russian advanced persistent threat (APT) group Sandworm leveraged several LOTL techniques to exploit Ukrainian electrical companies' business IT systems and gain access to OT devices, then used BlackEnergy3 and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid (MITRE ATT&CK, C0028, Campaigns, 2023).
In 2016, Sandworm again used LOTL techniques with Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid (MITRE ATT&CK, C0025, Campaigns, 2023). In 2022, Sandworm used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and LOTL techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system (MITRE ATT&CK, C0034, Campaigns, 2024).
The LOLBAS Project provides a comprehensive list of binaries and scripts used in cyberattacks. LOTL techniques have been mapped to the techniques in the MITRE ATT&CK for ICS framework. This mapping can help organizations understand potential threats and develop effective mitigation strategies. Taking the Sandworm techniques identified by MITRE ATT&CK in the three campaigns against the Ukrainian power grid, the LOTL binaries used in each attack are easy to see in Tables 3-5.
Table 3. 2015 Ukraine Electric Power Attack

| Domain | Technique ID | Name | LOTL | Binary | Functions | Type |
|---|---|---|---|---|---|---|
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | T1562.001: Disable or Modify Tools | fltMC.exe | Tamper | Binaries |
| Enterprise | T1105 | Ingress Tool Transfer | T1105: Ingress Tool Transfer | AppInstaller.exe | Download (INetCache) | Binaries |
| Enterprise | T1040 | Network Sniffing | T1040: Network Sniffing | Pktmon.exe | Reconnaissance | Binaries |
| Enterprise | T1055 | Process Injection | T1055: Process Injection | coregen.exe | Execute (DLL) | OtherMSBinaries |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | T1218.011: Rundll32 | Rundll32.exe | Execute (DLL) | Binaries |
| Enterprise | T1078 | Valid Accounts | T1078: Valid Accounts | Cmdkey.exe | Credentials | Binaries |

Table 4. 2016 Ukraine Electric Power Attack

| Domain | Technique ID | Name | LOTL | Binary | Functions | Type |
|---|---|---|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | T1543.003: Windows Service | Dnscmd.exe | Execute (DLL) | Binaries |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | T1036.005: Match Legitimate Name or Location | Colorcpl.exe | Copy | Binaries |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | T1003.001: LSASS Memory | rdrleakdiag.exe | Dump | Binaries |

Table 5. 2022 Ukraine Electric Power Attack

| Domain | Technique ID | Name | LOTL | Binary | Functions | Type |
|---|---|---|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | T1059: Command and Scripting Interpreter | powershell.exe | Execute (DLL) | Binaries |
| Enterprise | T1485 | Data Destruction | T1485: Data Destruction | Fsutil.exe | Tamper | Binaries |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | T1053.005: Scheduled Task | Schtasks.exe | Execute | Binaries |
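The binary-to-technique mapping in Tables 3-5 is exactly what a detection rule needs. The following is an added example, not code from the article: it tags process-creation events that involve any of those binaries with the ATT&CK technique ID, and adds two extra signals a SOC would want (the image running outside the Windows system directories, and an Office parent process). The event lines are constructed in a simplified key="value" form modelled on Windows Security event 4688; the field names and host names are assumptions for the example.

```python
# Added example, not from the article: flag process-creation events that
# involve the LOLBins listed in Tables 3-5. Event lines are constructed in a
# simplified key="value" form modelled on Windows Security event 4688; real
# collectors use other field names, so adapt parse_event() to your telemetry.
import re
from typing import Optional

# Binary -> (ATT&CK technique ID, name) exactly as mapped in Tables 3-5.
LOLBIN_TECHNIQUES = {
    "fltmc.exe": ("T1562.001", "Impair Defenses: Disable or Modify Tools"),
    "appinstaller.exe": ("T1105", "Ingress Tool Transfer"),
    "pktmon.exe": ("T1040", "Network Sniffing"),
    "coregen.exe": ("T1055", "Process Injection"),
    "rundll32.exe": ("T1218.011", "System Binary Proxy Execution: Rundll32"),
    "cmdkey.exe": ("T1078", "Valid Accounts"),
    "dnscmd.exe": ("T1543.003", "Create or Modify System Process: Windows Service"),
    "colorcpl.exe": ("T1036.005", "Masquerading: Match Legitimate Name or Location"),
    "rdrleakdiag.exe": ("T1003.001", "OS Credential Dumping: LSASS Memory"),
    "powershell.exe": ("T1059.001", "Command and Scripting Interpreter: PowerShell"),
    "fsutil.exe": ("T1485", "Data Destruction"),
    "schtasks.exe": ("T1053.005", "Scheduled Task/Job: Scheduled Task"),
}
# Where Windows ships these binaries; a copy elsewhere is a T1036.005 signal.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Office parents are the case the ASR rule under T1055 in Table 6 targets.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    # One constructed key="value" event line -> dict of its fields.
    return dict(FIELD_RE.findall(line))

def classify(event: dict) -> Optional[dict]:
    # Return an alert dict if the new process is a Table 3-5 LOLBin, else None.
    path = event.get("NewProcessName", "").lower()
    name = path.rsplit("\\", 1)[-1]
    if name not in LOLBIN_TECHNIQUES:
        return None
    tid, tname = LOLBIN_TECHNIQUES[name]
    reasons = [f"LOLBin {name} executed"]
    if not path.startswith(SYSTEM_DIRS):
        reasons.append("image outside the Windows system directories")
    parent = event.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    return {"host": event.get("Computer", "?"), "binary": name,
            "technique_id": tid, "technique": tname, "reason": "; ".join(reasons)}

def scan(lines) -> list:
    # Alerts for every event line that classify() considers suspicious.
    return [a for a in (classify(parse_event(ln)) for ln in lines) if a]

SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    r'Computer="HMI-01" NewProcessName="C:\Windows\System32\notepad.exe" ParentProcessName="C:\Windows\explorer.exe"',
    r'Computer="HMI-01" NewProcessName="C:\Windows\System32\fltMC.exe" ParentProcessName="C:\Windows\System32\cmd.exe"',
    r'Computer="ENG-WS-02" NewProcessName="C:\Users\Public\rdrleakdiag.exe" ParentProcessName="C:\Windows\System32\cmd.exe"',
    r'Computer="ENG-WS-02" NewProcessName="C:\Windows\System32\schtasks.exe" ParentProcessName="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts (fltMC.exe, rdrleakdiag.exe from a user-writable folder, schtasks.exe launched by Word) and ignores the notepad.exe event; the match is on file name only, so an attacker-renamed copy still needs the hash- or signature-based application control that Table 6 recommends.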
Mitigations exist to address the LOTL techniques used in these three cyberattacks against the Ukraine electric power grid in 2015, 2016, and 2022. Table 6 lists the LOTL technique ID, the name of the executable or process that was abused or the action performed by the attacker, and the mitigation ID corresponding to the best practice or countermeasure to prevent or detect the technique. The mitigation IDs are explained in detail in the description provided.
Table 6. Mitigations for LOTL Techniques Used in Ukraine Electric Power Attacks

| Technique ID | Mitigation ID | Mitigation | Description |
|---|---|---|---|
| T1562.001: Impair Defenses: Disable or Modify Tools | | | Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| | | | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
| | | | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
| | M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |
| T1105: Ingress Tool Transfer | M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. |
| T1040: Network Sniffing | M1041 | Encrypt Sensitive Information | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| | | | Use multi-factor authentication wherever possible. |
| | | | Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay. |
| | | | In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required. |
| T1055: Process Injection | M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. |
| T1218.011: System Binary Proxy Execution: Rundll32 | M1050 | Exploit Protection | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control. |
| T1078: Valid Accounts | | | Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. |
| | | | Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead. |
| | | | Ensure that applications do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). |
| | | | Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. When possible, applications that use SSH keys should be updated periodically and properly secured. Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources. |
| | | | Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| | | | Regularly audit user accounts for activity and deactivate or remove any that are no longer needed. |
| | | | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| T1543.003: Create or Modify System Process: Windows Service | | | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
| | | | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third-party-developed service drivers. |
| | | | Enforce registration and execution of only legitimately signed service drivers where possible. |
| | | | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
| | | | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. |
| T1036.005: Masquerading: Match Legitimate Name or Location | | | Require signed binaries and images. |
| | | | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
| | | | Use file system access controls to protect folders such as C:\Windows\System32. |
| T1003.001: OS Credential Dumping: LSASS Memory | | | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. |
| | | | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. |
| | | | Consider disabling or restricting NTLM. Consider disabling WDigest authentication. |
| | | | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | | | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled. This is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for designing and administering an enterprise network to limit privileged account use across administrative tiers. |
| | | | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. |
| | | | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| T1059.001: Command and Scripting Interpreter: PowerShell | | | Anti-virus can be used to automatically quarantine suspicious files. |
| | | | Set PowerShell execution policy to execute only signed scripts. |
| | | | It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact on an environment since it could be used for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent the use of PowerShell for remote execution. |
| | M1038 | Execution Prevention | Use application control where appropriate. PowerShell Constrained Language mode can restrict access to sensitive or otherwise dangerous language elements, such as those used to execute arbitrary Windows APIs or files. |
| | | | When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions. |
| T1485: Data Destruction | | | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| T1053.005: Scheduled Task/Job: Scheduled Task | | | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. |
| | | | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. |
| | | | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. |
| | | | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
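The T1053.005 mitigations in Table 6 (tasks should not run as SYSTEM, and only authorized administrators should create them) can be checked with an inventory audit. The following is an added example, not code from the article or from MITRE: it parses the CSV that `schtasks /query /fo CSV /v` prints and flags tasks created by an unreviewed author or whose action lives outside trusted directories, recording whether each runs as SYSTEM. The approved-author list, the host name and the task rows are constructed assumptions, and the sample keeps only a few of schtasks' columns.

```python
# Added example, not from the article: audit scheduled tasks against the
# T1053.005 mitigations in Table 6 (tasks should not run as SYSTEM unless
# reviewed, and only authorized administrators should create them). Parses
# the CSV that `schtasks /query /fo CSV /v` prints; the sample below is
# constructed and keeps only a handful of schtasks' columns.
import csv
import io

SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "local service", "network service"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Task authors the asset owner has reviewed: an assumption for this example.
APPROVED_AUTHORS = {"microsoft corporation", "contoso\\ot-admin"}

def normalize_action(action: str) -> str:
    # Lower-case, strip surrounding quotes and expand the common Windows
    # path variables so "%windir%\system32\x.exe" compares against c:\windows\.
    action = action.strip().strip('"').lower()
    return action.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")

def audit_tasks(csv_text: str) -> list:
    # One finding per task that an unreviewed author created or whose action
    # lives outside trusted directories; records whether it runs as SYSTEM.
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        author = row.get("Author", "").strip().lower()
        action = normalize_action(row.get("Task To Run", ""))
        problems = []
        if author not in APPROVED_AUTHORS:
            problems.append(f"unreviewed author {row.get('Author', '')}")
        if not action.startswith(TRUSTED_DIRS):
            problems.append(f"action outside trusted directories: {row.get('Task To Run', '')}")
        if problems:
            findings.append({
                "host": row.get("HostName", ""), "task": row.get("TaskName", ""),
                "runs_as_system": row.get("Run As User", "").strip().lower() in SYSTEM_ACCOUNTS,
                "problems": problems,
            })
    return findings

SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"HMI-01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o","SYSTEM"
"HMI-01","\OT\HistorianExport","CONTOSO\ot-admin","C:\Program Files\Historian\export.exe","CONTOSO\svc-historian"
"HMI-01","\Update","CONTOSO\jdoe","C:\Users\Public\upd.exe -s","SYSTEM"
'''
```

`audit_tasks(SAMPLE_CSV)` returns a single finding for the `\Update` task (unreviewed author, action in a user-writable folder, runs as SYSTEM), while the vendor-authored defrag task and the reviewed historian export pass.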
Table 6 shows that identical mitigation IDs and defensive measures recur across different LOTL techniques. However, the mitigations provided within MITRE ATT&CK for these LOTL techniques are uniquely tailored to each MITRE ATT&CK Technique ID and platform (e.g., Windows, Linux, Cloud, Mobile, ICS device). An asset owner can take the LOTL techniques identified in MITRE ATT&CK to identify more mitigations to harden and securely configure their OT/ICS environment. Further, the LOTL techniques identified by MITRE ATT&CK provide detection methods to assist asset owners in their threat monitoring operations, incident response plans, and playbook development.
Adversaries will continue to use LOTL techniques to compromise OT/ICS. By mapping LOTL techniques identified in the LOLBAS Project to the MITRE ATT&CK framework, we have shown how asset owners can leverage existing knowledge and resources to improve their security posture and resilience. We have also highlighted some common mitigations and detections to help prevent or identify LOTL attacks in OT/ICS environments.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.