Living Off the Land Attacks Writeup

Overview

Learn to detect and analyse Living Off the Land (LOL) attacks using trusted Windows tools. This TryHackMe room provides comprehensive coverage of attack techniques that leverage legitimate system tools and binaries to avoid detection, making them particularly dangerous in enterprise environments.

What is Living Off the Land?

Living Off the Land (LOL) attacks involve using legitimate, trusted tools and processes already present on a system to execute malicious activities. Instead of bringing custom malware, attackers repurpose built-in system tools for reconnaissance, lateral movement, data exfiltration, and persistence.

Why LOL Attacks are Effective:

• Stealth: Uses legitimate processes that blend with normal system activity
• Persistence: Difficult to detect and remove without affecting system stability
• Evasion: Bypasses traditional antivirus and EDR solutions
• Accessibility: No need to deploy custom malware or tools

Toolsets and Resources

Q1. Which public site lists Unix/Linux native binaries and how they can be abused?

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

Q2. Which Microsoft toolset includes PsExec and Autoruns, used for admin tasks and often misused by attackers?

Sysinternals Suite contains powerful Windows administration tools that are commonly abused by attackers for privilege escalation and persistence.

Real-World Examples

Q1. What MITRE technique ID covers WMI event subscriptions?

WMI (Windows Management Instrumentation) event subscriptions are commonly used for persistence and can execute code when specific system events occur.

Q2. Which abbreviated name refers to one of the services that C2s, like Cobalt Strike, use to start or listen for remote services?

SMB (Server Message Block) is frequently exploited by command and control frameworks for remote service creation and communication.

Common LOL Techniques

PowerShell Exploitation

• Invoke-Expression (IEX): Downloads and executes PowerShell code from remote sources
• DownloadString: Retrieves content from web servers for execution
• Encoded Commands: Base64 encoding to hide malicious payloads

WMIC (Windows Management Instrumentation Command-line)

• process create: Execute commands on local or remote systems
• service create: Install and manage Windows services
• useraccount create: Create new user accounts

Sysinternals Tools Abuse

• PsExec: Remote command execution and service creation
• Autoruns: Persistence through startup locations
• AccessChk: Permission enumeration for privilege escalation

Detecting LOL Activity

Q1. Which PowerShell switch is used to download text/strings and execute them?

Q2. Which WMIC keyword triggers the creation of a new process on a remote host?

Detection Strategies

Behavioral Indicators

• Unusual Process Chains: Trusted processes spawning unexpected children
• Network Connections: Known processes connecting to unusual destinations
• Registry Modifications: Persistence mechanisms in startup locations
• File System Changes: Creation of suspicious files in system directories

Command Line Analysis

• PowerShell Parameters: -ExecutionPolicy Bypass, -EncodedCommand
• WMIC Arguments: process create, useraccount create
• Certutil Usage: download commands and encoding operations
• Bitsadmin: Background transfer service for downloading files

MITRE ATT&CK Coverage

Execution Techniques (T1059-112)

• T1059.001: PowerShell
• T1059.003: Windows Command Shell
• T1059.005: Visual Basic

Defense Evasion (T1078-1564)

• T1070.004: File Deletion
• T1218: Signed Binary Proxy Execution
• T1548: Abuse Elevation Control Mechanism

Persistence (T1546-1659)

• T1546.003: WMI Event Subscription
• T1547: Boot or Logon Autostart Execution
• T1053: Scheduled Task/Job

Lateral Movement (T1078-1091)

• T1021.006: Windows Remote Management
• T1091: Replication Through Removable Media
• T1072: Software Deployment Tools

Investigation Methodology

Step 1: Initial Triage

• Collect system logs and process information
• Identify suspicious processes and connections
• Review recent system changes and installations

Step 2: Tool Analysis

• Examine command lines of suspicious processes
• Check for unusual usage of legitimate tools
• Analyze network connections from trusted processes

Step 3: Persistence Hunting

• Review startup folders and registry run keys
• Check scheduled tasks and WMI subscriptions
• Examine service configurations

Step 4: Timeline Reconstruction

• Correlate logs to build attack timeline
• Identify initial compromise vector
• Map lateral movement and privilege escalation

Popular LOL Tools and Techniques

Remote Access Tools

• PsExec: Remote command execution
• WMIC: Windows management interface
• PowerShell remoting: Enter-PSSession, Invoke-Command
• SCP/SMB: File transfer tools

Scripting and Automation

• PowerShell Empire: Post-exploitation using PowerShell
• Empire: Use of legitimate credentials
• Covenant: .NET command and control

Data Collection

• Get-ChildItem: Directory enumeration
• net user / net group: User enumeration
• query user: Session information
• netstat: Network connection enumeration

Detection and Response

Logging and Monitoring

• Process Creation Events: 4688 events in Windows Event Logs
• PowerShell Script Block Logging: Captures PowerShell script execution
• Command Line Auditing: Logs process command lines
• Sysmon: Enhanced process and network monitoring

Prevention Measures

• Application Whitelisting: Restrict execution of unauthorized binaries
• Script Block Logging: Log all PowerShell script execution
• Constrained Language Mode: Restrict PowerShell capabilities
• Network Segmentation: Limit lateral movement opportunities

Practical Analysis

What is the flag?

The final challenge requires completing all tasks and answering the questions correctly to obtain the completion flag.

LOL Attack Frameworks

Command and Control (C2)

• Cobalt Strike: Beacon uses SMB for communication
• Brute Ratel: Modern C2 with LOL techniques
• Sliver: Implant that blends with legitimate traffic

Post-Exploitation

• Mimikatz: Uses legitimate Windows APIs for credential dumping
• BloodHound: Uses LDAP queries for Active Directory enumeration
• Rubeus: Kerberos manipulation using legitimate Windows functions

Advanced Persistence Techniques

Registry Persistence

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\SYSTEM\CurrentControlSet\Services

WMI Event Subscriptions

• __EventFilter for trigger conditions
• __EventConsumer for action execution
• __FilterToConsumerBinding for linking filters to consumers

Scheduled Tasks

• Task Scheduler for recurring execution
• Custom triggers and conditions
• System startup and logon events

Real-World Case Studies

Notable LOL Attacks

• SolarWinds: Used legitimate software update mechanisms
• Fin7: Abused Windows LOLBins extensively
• APT29: Used legitimate Microsoft tools for data collection

Defensive Lessons

• Zero Trust: Never trust, always verify
• Behavioral Analytics: Focus on how tools are used, not just which tools
• Network Monitoring: Detect unusual internal traffic patterns
• Regular Auditing: Periodic review of system configurations

Challenges and Evasion

Detection Challenges

• Noise Reduction: Distinguishing malicious from legitimate tool usage
• Signature Evasion: Using variations of legitimate commands
• Obfuscation: Encoding and compression of malicious payloads
• Living Off Defended: Bypassing EDR and security controls

Modern Defenses

• EDR Solutions: Advanced threat detection and response
• Machine Learning: Behavioral anomaly detection
• Deception Technology: Honeypots and deception grids
• Attack Surface Reduction: Minimizing exposed attack vectors