

Attackers are increasingly living off the land

Symantec Security Response - Attackers are increasingly living off the land

The use of fileless threats and dual-use tools by attackers is becoming more common

There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimises the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.

Living off the land tactics are increasingly being adopted by cyber criminals and are used in almost every targeted attack.

There are four main categories falling under the umbrella of living off the land:

• Dual-use tools, such as PsExec, which are used by the attacker

• Memory only threats, such as the Code Red worm

• Fileless persistence, such as VBS in the registry

• Non-PE file attacks, such as Office documents with macros or scripts

We also see slight variations on these tactics, such as using BITSAdmin in macros to download a malicious payload, or hiding a PowerShell script which is triggered through an SCT file referenced in a registry run key. In some cases, stolen data is then exfiltrated through legitimate cloud services, hiding the event in normal traffic patterns.

Figure 1. Typical living off the land attack chain

Case study: June 27 Petya outbreak

The Ransom.Petya outbreak, which hit organisations in the Ukraine and many other countries on June 27, is a good example of an attack using living off the land tactics.

The ransomware exhibited some wiper characteristics and immediately gained the attention of both security experts and the media as it was, among other things, exploiting the SMB EternalBlue vulnerability just like the headline-grabbing WannaCry (Ransom.WannaCry) did one month earlier. The threat made use of a clever supply chain attack as its initial infection vector by compromising the update process of a widely used accounting software program.

In addition, Petya made heavy use of system commands during the infection process. Once executed, Petya drops a recompiled version of LSADump from Mimikatz in a 32-bit and 64-bit variant, which is used to dump credentials from Windows memory. The account credentials are then used to copy the threat to the Admin$ share of any computers the threat finds on the network. Once the threat accesses a remote system, it executes itself remotely using a dropped instance of PsExec.exe and the Windows Management Instrumentation (WMI) command line tool wmic.exe:

wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"

In order to hide its tracks on the compromised computer the threat deletes various system logs by using the wevtutil and fsutil commands:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

Petya then creates a scheduled task so that the computer restarts into the modified MBR and performs the final encryption task:

schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42

This case is a classic example of system tools being used during an attack. Many system administrators are now looking into disabling remote PsExec execution or restricting WMI access in order to defend against the same attack pattern in the future.
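The command lines quoted in this case study can be turned into detection logic over process-creation logs. The following is an added example, not Symantec's code: the rule names, the sample records, the host names and the escalation threshold of three distinct behaviours per host are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns for the command lines quoted in the Petya case study (matched case-insensitively).
RULES = {
    "remote_wmic_process_create": r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b",
    "event_log_cleared": r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s",
    "usn_journal_deleted": r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b",
    # schtasks switches can come in any order, so each one is a separate lookahead.
    "system_task_forced_reboot": r"^(?=.*\bschtasks(\.exe)?\b)(?=.*/create\b)"
                                 r"(?=.*/ru\s+\"?system\b)(?=.*\bshutdown(\.exe)?\s+/r\b)",
}
RUNDLL32_TARGET = re.compile(r"\brundll32(?:\.exe)?\"?\s+\"?([^\"\s,]+)", re.I)

def match_rules(command_line):
    """Return the sorted names of every rule a single command line triggers."""
    cmd = command_line.replace('\\"', '"')  # undo the \" escaping used inside wmic's argument
    hits = {name for name, rx in RULES.items() if re.search(rx, cmd, re.I)}
    target = RUNDLL32_TARGET.search(cmd)
    if target and not target.group(1).lower().endswith(".dll"):
        hits.add("rundll32_non_dll_target")  # e.g. the perfc.dat payload
    return sorted(hits)

# Constructed process-creation records (host, command line); hosts, account and address are made up.
EVENTS = [
    ("ws-017", r'wmic.exe /node:10.0.0.23 /user:CORP\svc /password:x process call create '
               r'"C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'),
    ("ws-017", r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:"),
    ("ws-017", r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR '
               r'"C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'),
    ("adm-002", r"wmic.exe os get Caption,Version"),
    ("adm-002", r"wevtutil qe System /c:5 /f:text"),
    ("adm-003", r"wevtutil cl Application"),
    ("adm-002", r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
]

def triage(events, threshold=3):
    """Group hits per host; hosts showing >= threshold distinct behaviours are escalated."""
    per_host = defaultdict(set)
    for host, cmd in events:
        per_host[host].update(match_rules(cmd))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

if __name__ == "__main__":
    for host, rules in triage(EVENTS).items():
        print(host, rules)
```

Because each of these tools also has legitimate administrative uses, the example escalates only on a combination of behaviours per host; single hits such as the lone log clear on adm-003 are better kept as lower-priority events than discarded.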

Malware using WMI is not a new occurrence. Last year we observed an average of two percent of analysed malware samples making use of WMI for nefarious purposes, and the upward trend is clearly continuing.

Figure 2. Percentage of malware using WMI

System tools used for reconnaissance

Besides being used for lateral movement, it is also very common for targeted attack groups to use system tools for reconnaissance. Out of the 10 targeted attack groups that we looked at, all of them made use of system tools to explore compromised environments.

Table. The 10 attack groups Symantec looked at and the system tools they used


Preventing infection in the first place is by far the best strategy. Since email and infected websites are still the most common infection vectors for malware, adopting a robust defence against both of these will help reduce the risk of infection. In addition, best practices for segregation of networks, extensive logging including system tools, and a least-privilege approach should be assessed for larger networks.

Symantec has various protection features in place in the network and on the endpoint to protect against fileless threats and living off the land attacks. For example, our memory exploit mitigation (MEM) techniques can proactively block remote code execution (RCE) exploits, our heuristic-based memory scanning can detect memory-only threats, and Symantec’s behaviour-based detection engine SONAR can detect malicious usage of dual-use tools and block them.

For more details, read our white paper: Living off the land and fileless attack techniques


© Scoop Media
