In May, a joint advisory from an international group of cybersecurity authorities indicated that a cyber actor known as Volt Typhoon was using a particularly pernicious technique called “living off the land” that employed code and tools already existing in the Microsoft operating system to attack victim organizations.
Living-off-the-land attacks are hard — but not impossible — to defend against. Because they exploit legitimate tools, they can often linger in networks, carrying out all sorts of malicious tasks for a long time before being discovered.
Fortunately, protection from such attacks can often be accomplished without employing additional software, tools, or third-party security software. Unfortunately, it often comes down to the one thing we frequently have little of: time to test on workstations and servers to determine the actual impact on our network.
This is yet another situation in which an ounce of prevention is worth a pound of cure. In the advisory, the coalition indicated that the attackers used wmic, ntdsutil, netsh, and PowerShell, among other tools, to gain access and launch attacks. The advisory recommended several actions to help proactively mitigate living-off-the-land attacks, including ensuring that firewall egress logs are thoroughly reviewed.
While that’s sound advice, in today’s environment very few networks are set up with a single exit point that would allow us to review everything that goes out of our networks. Thus, we need to think of other ways we can protect and defend from hidden attackers that may be hard to detect.
Attackers want to blend into the background
Microsoft has noted that the attackers’ goal is to blend into the background, using command line commands to collect data, grab credentials from local and network systems, and place them into archive file types so that the information can be exported for later use. Stolen credentials are then used to set up and maintain persistence in the network, disguised as normal traffic in the enterprise.