Video | Agriculture | Confidence | Economy | Energy | Employment | Finance | Media | Property | RBNZ | Science | SOEs | Tax | Technology | Telecoms | Tourism | Transport | Search


Attackers are increasingly living off the land

Symantec Security Response - Attackers are increasingly living off the land

The use of fileless threats and dual-use tools by attackers is becoming more common

There is an increased discussion around threats that adopt so called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating less new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimises the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.

Living off the land tactics are increasingly being adopted by cyber criminals and are used in almost every targeted attack.

There are four main categories falling under the umbrella of living off the land:

• Dual-use tools, such as PsExec, which are used by the attacker

• Memory only threats, such as the Code Red worm

• Fileless persistence, such as VBS in the registry

• Non-PE file attacks, such as Office documents with macros or scripts

We also see slight variations on these tactics, such as using BITSAdmin in macros to download a malicious payload, or hiding a PowerShell script which triggered through a SCT file referenced in a registry run key. In some cases, stolen data is then exfiltrated through legitimate cloud services, hiding the event in normal traffic patterns.

Figure 1. Typical living off the land attack chain

Case study: June 27 Petya outbreak

The Ransom.Petya outbreak, which hit organisations in the Ukraine and many other countries on June 27, is a good example of an attack using living off the land tactics.

The ransomware was exhibiting some wiper characteristics and immediately gained the attention of both security experts and the media as it was, among other things, exploiting the SMB EternalBlue vulnerability just like the headline grabbing WannaCry (Ransom.WannaCry) did one month earlier. The threat made use of a clever supply chain attack as its initial infection vector by compromising the update process of a widely used accounting software program.

However, in addition Petya also made heavy use of system commands during the infection process. Once executed, Petya drops a recompiled version of LSADump from Mimikatz in a 32-bit and 64-bit variant, which is used to dump credentials from Windows memory. The account credentials are then used to copy the threat to the Admin$ share of any computers the threat finds on the network. Once the threat accesses a remote system it will execute itself remotely using a dropped instance of PsExec.exe and the Windows Management Instrumentation (WMI) command line tool wmic.exe:

wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60”

In order to hide its tracks on the compromised computer the threat deletes various system logs by using the wevtutil and fsutil commands:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

Petya then creates a scheduled task so that the computer restarts into the modified MBR and performs the final encryption task:

schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42

This case is a classic example of system tools being used during an attack. Many system administrators are now looking into disabling remote PsExec execution or restricting WMI access in order to defend against the same attack pattern in the future.

Malware using WMI is not a new occurrence. Last year we observed an average of two percent of analysed malware samples making use of WMI for nefarious purpose, and the upward trend is clearly continuing.

Figure 2. Percentage of malware using WMI

System tools used for reconnaissance

Besides being used for lateral movement, it is also very common for targeted attack groups to use system tools for reconnaissance. Out of the 10 targeted attack groups that we looked at, all of them made use of system tools to explore compromised environments.

Table. The 10 attack groups Symantec looked at and the system tools they used


Preventing infection in the first place is by far the best strategy. Since email and infected websites are still the most common infection vectors for malware, adopting a robust defence against both of these will help reduce the risk of infection. In addition, best practices for segregation of networks, extensive logging including system tools, and a least privileges approach should be assessed for larger networks.

Symantec has various protection features in place in the network and on the endpoint to protect against fileless threats and living off the land attacks. For example, our memory exploit mitigation (MEM) techniques can proactively block remote code execution exploits (RCE), our heuristic based memory scanning can detect memory only threats, and Symantec’s behaviour based detection engine SONAR can detect malicious usage of dual-use tools and block them.

For more details, read our white paper: Living off the land and fileless attack techniques


© Scoop Media

Business Headlines | Sci-Tech Headlines


SMC Expert Reaction: Record Dry Spells And Effects On Forests

With no rain forecast before Sunday, Auckland is about to break a record for the city's longest dry spell. Niwa says Auckland is likely to hit 40 consecutive days without rain this weekend . The upper North Island is seeing severe meterological ... More>>


Reserve Bank: Official Cash Rate Remains At 1.0 Percent

The Monetary Policy Committee has decided to keep the Official Cash Rate (OCR) at 1.0 percent. Employment is at or slightly above its maximum sustainable level while consumer price inflation is close to the 2 percent mid-point of our target range. ... More>>


Research: Climate Change Throws Tree Seeding Out Of Sync – New Study

Climate change is negatively affecting tree reproduction by throwing seed production systems out of synchronisation, according to a new international study co-authored by a University of Canterbury scientist. Many tree species worldwide produce large ... More>>


Science Media Centre: Novel Coronavirus Detected In China – Expert Reaction

The virus was detected after more than 40 people were hospitalised with pneumonia in Wuhan City, China and the outbreak traced to a large animal and seafood market. The Centers for Disease Control and Prevention reports that person-to-person transmission ... More>>


Science Media Centre: Flooding could release toxic gas – Expert Reaction

A chemical substance known as ouvea premix stored at an old paper mill in Mataura could release toxic ammonia gas if it comes in contact with water.More>>