Living off the Land Detection

@ran2 @ducklah

Living off the Land (LOTL) refers to fileless attack. Instead of developing malicious binaries, adversary utilizes signed native built-in tools such as PowerShell, Windows Management Instrumentation (WMI), and Windows Installer (MSIEXEC) etc. to carry out attack.

Using native tools makes LOTL attacks difficult to detect especially when an organization is leveraging traditional security tools such as signature-based Endpoint Protection. As such adversary’s dwell time can remained undetected for ages.

A cybersecurity researcher in Hong Kong - ran2; based on the Florian Roth's Sigma rules and other resources, has developed a set of microsoftdefender kql to detect possible living-off-the-land and post-exploitation rules for everyone.

Last updated