An Inside Look at the Living Off the Land Tactics
Table of Contents
- By David Lukic
- Published: Jan 03, 2022
- Last Updated: Mar 18, 2022
Living off the land tactics such as Cobalt Strike and additional red-team tools are legitimate threats to computer users of all types. Everyday computer users and those who own and manage businesses should be aware of these unique tactics.
What are Living Off the Land Tactics?
These digital attacks are carefully designed to look completely normal and harmless. The average business owner or manager is unaware that security software contains configurable file access and process control for tools similar to PowerShell that set the stage for successful living off the land attacks. Though such attacks are not novel, they are still causing significant problems for organizations of all types and sizes.
Why are Living Off the Land Tactics Such a Problem?
Digital attackers of all different skill levels use living off the land attack techniques centered upon manipulating tools and functions within an existing network to zero in on victims. These techniques will go unnoticed unless computer operators proactively block them. At the very least, computer operators should monitor for this nefarious activity. The challenge lies in identifying living off the land hacking tactics as they appear completely legitimate.
Who Implements Living Off the Land Tactics?
Cyber criminals and hackers who work on behalf of nation-states use living off the land hacking techniques.
What are Some Examples of Living off the Land Attacks?
As an example, digital attackers used Azure LoLBins earlier this March to attack organizations. This type of digital attack is considered a “living off the land binary” complete with hacker lulz, meaning the use of preinstalled, completely legitimate binaries that operate on both Windows and Linux operating systems.
The United States federal government warned of attacks using living off the land strategies earlier this fall. This most recent attack zeroed in on a Zoho vulnerability within a sign-on and password management tool.
Why is the Cobalt Strike Attack Such a Problem?
Foreign governments and criminal digital miscreants use Cobalt Strike to levy living off the land attacks. Cobalt Strike is a useful software tool used in the context of adversary simulations. Digital criminals have cracked Cobalt Strike to create botnets. Emotet malware uses Cobalt Strike beacons to transmit infections to endpoints, empowering hackers to analyze those endpoints and determine if it is prudent to escalate the attack, possibly with the use of ransomware to the endpoint.
Cobalt Strike is also used for lateral attacks in which the endpoint is used in expanded aggression that heightens privileges and accesses the Active Directory Domain Controller. The result of the attack is the stealing of data and the infection of systems with crypto-locking malware.
Cobalt Strike is centered on a client and server technique along with a beacon, meaning a payload implanted on target systems transmits information through a command-and-control server through HTTPS, HTTP, or DNS. An administrator controls these beacons in a remote manner with the use of a Cobalt Strike client, also known as the Aggressor, that connects to command-and-control servers running Linux OS. The connection to this server allows for management of specific endpoints through a beacon so the administrator can remotely configure beacons and receive data from compromised hosts.
