Anatomy of a Living off the Land (LotL) Attack

What is an LOTL attack?

Living off the Land (LOTL) attacks are a stealthy cyberattack strategy where attackers exploit legitimate tools and processes already present in your environment to carry out malicious activities. Instead of relying on traditional malware or suspicious files, attackers use trusted native binaries, scripts, or administrative tools — ones that are part of your operating system or software environment — making the attack harder to detect.

Who uses LOTL attacks?

LOTL attacks are often used by ransomware groups, such as Black Basta, for one reason: They’re difficult to detect. Because attackers use existing tools, actions aren’t flagged by endpoint detection and response (EDR) and other prevention tools. There’s no malicious code and no malware, making it easy for the attacker to blend in — and hard for you to spot unusual patterns. The use of everyday tools means LotL attacks often look like normal user activities.

How do LOTL attacks work?

LOTL attacks thrive at hiding and can move across data center, cloud, and identity surfaces for long periods of time. A typical LOTL attack looks something like this:

1. Gain access: Attackers gain initial access by phishing, exploiting vulnerabilities, or other means.

2. Use built-in tools: Once inside, the attacker uses legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), or Unix/Linux shell commands. These tools are trusted and not typically flagged by security measures.

3. Execute malicious commands: The attacker then uses targeted systems to execute malicious commands. For example, PowerShell can be used to download and execute malicious scripts directly from memory, bypassing disk-based detection mechanisms.

4. Move laterally: Undetected, the attacker uses LOTL techniques to move laterally within your network, access sensitive data, and either exfiltrate it or prepare the environment for destructive attacks like ransomware.

Examples of common LotL tools include:

• PowerShell: This powerful scripting language and shell framework in Windows can be exploited to run scripts for various attack stages.
• Windows Management Instrumentation (WMI): Often used for remote management, this infrastructure can be leveraged for lateral movement or executing commands remotely.
• PsExec: This legitimate command-line tool, used to execute processes on other systems, is often leveraged by LOTL attackers for lateral movement.
• MSHTA: A Windows tool that executes HTML Application (HTA) files, it can be abused to run malicious scripts.
• CertUtil: A Windows command-line tool for managing certificates, which can be misused to download files.

How to counter LOTL attacks

LOTL attacks won’t be detected by traditional prevention tools — your security team needs an advanced threat hunting strategy to uncover stealthy attacks that blend in with the noise of everyday activities.

Vectra AI uses behavioral analytics to separate everyday alerts from real security events — and to identify easy-to-miss behaviors that are characteristic of LotL attacks. Advanced AI-driven detections hone in on common LOTL tactics, including:

• Hidden TTPS Tunnel
• RPC Targeted Recon
• Suspicious Remote Execution
• Entra ID Unusual Scripting Engine Usage
• Entra ID Successful Brute-Force‍

For example, in a simulated attack initiated through a compromised home office:

• The attacker attempted to gather local drive and credential information to help stay unnoticed. 
  

• Moving across multiple surfaces, the attacker gathered additional information to advance and hide their tracks.
  

• Even with these stealthy techniques, Vectra AI detected, analyzed, triaged, correlated and validated attack activity — before the attacker was able to execute.

See how Vectra AI stopped an LOTL attack

How do you catch up to a highly skilled threat actor using stealthy LOTL techniques? We simulated a Volt Typhoon attack to find out. Download the attack anatomy to see how defenders can stop a state-sponsored LOTL attack other tech missed.