{
	"id": "96d1a7b1-7a54-479d-b712-043ed1b7e374",
	"created_at": "2026-04-29T02:21:42.745335Z",
	"updated_at": "2026-04-29T08:21:17.119089Z",
	"deleted_at": null,
	"sha1_hash": "299bd190bf43d43c449b0d315ffebe5388306e3c",
	"title": "Living off the Land | Dell SecureWorks Security and Compliance Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198794,
	"plain_text": "Living off the Land | Dell SecureWorks Security and Compliance Blog\r\nPublished: 2015-05-28 · Archived: 2026-04-29 02:07:13 UTC\r\nSummary\r\nIn over half of the targeted threat response engagements performed by the Dell SecureWorks Counter Threat Unit™ Special Operations (CTU-SO) team in the past year, the threat actors accessed the target environment using compromised credentials and the companies’ own virtual private network (VPN) or other remote access solutions. Detecting threat actors who are “living off the land,” using credentials, systems, and tools they collect along the way instead of backdoors, can be challenging for organizations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command and control IP addresses, domains, and protocols. With their gaps in visibility, these organizations can have a very difficult time distinguishing adversary activity from that of legitimate users, pushing detection times out to weeks, months, or even years.\r\nRecently, CTU researchers responded to an intrusion perpetrated by Threat Group-1314[1] (TG-1314), one of numerous threat groups that employ the “living off the land” technique to conduct their intrusions. In this case, the threat actors used compromised credentials to log into an Internet-facing Citrix server to gain access to the network. CTU researchers discovered evidence that the threat actors were not only leveraging the company’s remote access infrastructure, but were also using the company’s endpoint management platform, Altiris, to move laterally through the network (see Figure 1).\r\nFigure 1. TG-1314 actions on objective. (Source: Dell SecureWorks)\r\nAnalysis\r\nMemory collection and analysis can be an extremely valuable component of an incident response plan and in this case proved crucial in identifying TG-1314’s actions on objective.\r\nMemory collected from systems involved in the intrusion was analyzed using the Volatility framework. First, Volatility’s pstree plugin, which lists running processes in a tree view, was executed. The result immediately revealed signs of a suspicious cmd.exe process running as a child of the ACLIENT.EXE process (see Figure 2).\r\nhttps://web.archive.org/web/20150626073312/http://www.secureworks.com/resources/blog/living-off-the-land/\r\nPage 1 of 4\r\nFigure 2. Suspicious cmd.exe process. (Source: Dell SecureWorks)\r\nIn an attempt to recover commands that had been executed via this command prompt, Volatility’s cmdscan plugin was run on the memory dump (see Figure 3).\r\nFigure 3. Suspicious commands recovered from memory. (Source: Dell SecureWorks)\r\nCTU researchers immediately recognized suspicious commands, such as changing the working directory to recycler and executing commands from that location, that were unlikely to have been connected to legitimate system administrator operations. The results also revealed indications that PsExec, a popular system administration tool for executing commands on remote systems, was run against several target hosts to spawn shells on them. To better understand how the adversary was operating and what other actions they had performed, CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts.\r\nWhile cmd.exe is a console application, it still requires GUI-like functionality and other support to interact with the operating system. On the Windows XP platform, this support is provided by the csrss.exe process. Because commands run from cmd.exe are acted on by csrss.exe, additional evidence of command history and responses sent to the cmd console window are often discoverable by analyzing the csrss.exe process’s memory. The output in Figure 3 shows the Process ID (PID) of the csrss.exe process to be 716. Running Volatility’s vaddump plugin on this process allowed CTU researchers to obtain the Virtual Address Descriptor (VAD) sections (see Figure 4).\r\nFigure 4. Output from vaddump. (Source: Dell SecureWorks)\r\nThe relevant strings inside the VAD sections were UTF-16 encoded and revealed additional insights once extracted. TG-1314 was mapping network drives using a compromised Altiris account to connect to additional systems[2] (see Figure 5).\r\nFigure 5. Net use command. (Source: Dell SecureWorks)\r\nAfter identifying compromised credentials and executed commands, CTU researchers shifted focus to determine how the threat actors were obtaining the shell and executing their commands on the compromised host. This exploration required a look at the suspect cmd.exe’s parent process, shown earlier in the investigation to be ACLIENT.EXE. Volatility’s procdump command was used to dump the executable from memory (see Figure 6).\r\nFigure 6. Output from procdump plugin. (Source: Dell SecureWorks)\r\nAs shown in Figure 7, running the strings utility against the dumped ACLIENT.EXE binary revealed evidence that the file was the Altiris agent.\r\nFigure 7. Output from strings plugin. (Source: Dell SecureWorks)\r\nThese results indicated that the threat actors leveraged the Altiris management platform installed at the client site, along with compromised domain credentials associated with the Altiris system, to move laterally within the compromised environment.\r\nConclusion\r\nThreat groups often follow a path of least resistance to achieve their objective. They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement, if possible. To help disrupt this tactic, it is important that organizations implement two-factor authentication for all remote access solutions and consider doing the same for internal, high-value assets like their internal system management consoles. CTU researchers assess with high confidence that threat groups like TG-1314 will continue to live off of the land to avoid detection and conduct their operations.\r\n[1] The Dell SecureWorks Counter Threat Unit™ (CTU) research team tracks threat groups by assigning them four-digit randomized numbers (1314 in this case), and compiles information from external sources and from first-hand incident response observations.\r\n[2] One limitation of collecting strings from the VAD of the csrss.exe process is that there is no temporal information.\r\nSource: https://web.archive.org/web/20150626073312/http://www.secureworks.com/resources/blog/living-off-the-land/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20150626073312/http://www.secureworks.com/resources/blog/living-off-the-land/"
	],
	"report_names": [
		"living-off-the-land"
	],
	"threat_actors": [
		{
			"id": "76428972-4469-4024-9bd5-fa071d1a8e8d",
			"created_at": "2022-10-25T15:50:23.71838Z",
			"updated_at": "2026-04-29T06:58:57.780378Z",
			"deleted_at": null,
			"main_name": "Threat Group-1314",
			"aliases": [
				"Threat Group-1314",
				"TG-1314"
			],
			"source_name": "MITRE:Threat Group-1314",
			"tools": [
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429302,
	"ts_updated_at": 1777450877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/299bd190bf43d43c449b0d315ffebe5388306e3c.pdf",
		"text": "https://archive.orkl.eu/299bd190bf43d43c449b0d315ffebe5388306e3c.txt",
		"img": "https://archive.orkl.eu/299bd190bf43d43c449b0d315ffebe5388306e3c.jpg"
	}
}