{
	"id": "41c69680-b575-4063-b199-04eda86e4ffc",
	"created_at": "2026-04-06T03:36:06.510649Z",
	"updated_at": "2026-04-10T03:24:18.151487Z",
	"deleted_at": null,
	"sha1_hash": "990ed002f5233b3865a673e1309412f1c9c0e294",
	"title": "Living Off the Land: How threat actors use your system to steal your data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60569,
	"plain_text": "Living Off the Land: How threat actors use your system to steal\r\nyour data\r\nBy Barracuda Networks\r\nPublished: 2025-03-03 · Archived: 2026-04-06 03:15:29 UTC\r\nAlmost every advanced threat actor has added Living off the Land (LotL) techniques into their attacks. LotL is an\r\nattack strategy where threat actors conduct malicious activities by exploiting legitimate tools and features already\r\npresent in a target. The phrase \"living off the land\" means surviving on resources you find in an existing\r\nenvironment. If the environment is a physical ecosystem like a forest, it means sustaining yourself on what you\r\ncan forage, grow, etc. If the environment is a digital network, it means conducting an attack with the binaries,\r\nscripts, and other tools that are already at work in the victim’s digital environment. The term was applied to these\r\ntechniques in 2013.\r\nTraditional malware, fileless attacks, and LotL\r\nBefore we get into the details, we need to understand the difference between traditional malware, fileless attacks,\r\nand LotL techniques.\r\nTraditional malware relies on external malicious files to move through a computer or network and damage the\r\nsystems. Let’s use WannaCry ransomware as an example. WannaCry ransomware was the notorious cryptoworm\r\nthat infected over 230,000 computers in 150 countries in just one day. It accessed and took control of computers\r\nvulnerable to the EternalBlue exploit. Once established, WannaCry installed the ransomware and used the host\r\ncomputer to replicate and infect other vulnerable machines.  Technically, WannaCry installed three pieces of\r\nmalware to the machine.\r\nA fileless attack is one that executes malicious code directly from memory. It does not write any files to disk, and\r\nit often uses system tools and macros to carry out the attack. Fileless attacks may or may not be LotL attacks, and\r\nthis distinction comes down to a strict definition of LotL. 
A browser-based JavaScript attack like SocGholish is\r\nfileless because it runs in browser memory and doesn’t write to disk. However, JavaScript is not a system\r\nadministration tool, and the malicious commands are normally introduced from an external source like an infected\r\nwebsite. There are some grey areas around this, but it’s enough to know that some fileless attacks are not LotL.\r\nLotL attacks may combine these two types of attack by leveraging system tools like PowerShell with files that are\r\nwritten to the disk for delayed execution. For example, an LotL attack could be launched by someone opening a\r\nmalicious file that was previously downloaded or dropped in a previous attack.\r\nLotL has been widely adopted by threat actors and is now included in most advanced attacks.\r\nA Brief History of LotL Techniques\r\nhttps://blog.barracuda.com/2025/03/03/living-off-the-land--how-threat-actors-use-your-system-to-steal-Page 1 of 4\n\nLiving-off-the-Land is nothing new. Although the LotL terminology did not exist at the time, the 1989 Disk\r\nOperating System (DOS) virus ‘Frodo’ is considered one of the first to use LotL techniques to remain stealthy until\r\nthe payload was activated. Once launched, Frodo was memory-resident and intercepted DOS interrupt calls to\r\nhide its presence. The 2001 Code Red worm targeted Microsoft IIS servers with buffer overflow and denial-of-service (DoS) attacks. This malware exploited CVE-2001-0500 and operated entirely in memory with no writing\r\nto the disk. Code Red defaced websites and slowed sites and network electronics with excessive traffic.\r\nThe 2003 ‘SQL Slammer,’ also known as the Sapphire Virus, was a worm that spread via port 1434, commonly\r\nfound open on Microsoft SQL Server 2000, Microsoft SQL client-side applications, and MSDE 2000 systems.\r\nOnce a system was infected, it replicated the worm to every vulnerable computer it could find. 
SQL Slammer\r\ngenerated over 25,000 infection packets per second, and infected about 75,000 systems within the first hour. SQL\r\nSlammer was the first widespread fileless and LotL attack.\r\nLotL attacks have grown rapidly since then. Almost every new capability added to operating systems led to new\r\nadvancements in cyberthreats. Eventually LotL techniques grew to the point that they earned their own terminology:\r\nLOO – Living off the Orchard: A reference to LotL attacks that target MacOS. The ‘orchard’ is a play on\r\nthe Apple logo.\r\nLOLBins – Living off the Land Binaries: This term was introduced by security researcher Oddvar Moe\r\nin 2018. LOLBins refers to legitimate system binaries that can be exploited for malicious purposes.\r\nCommon examples:\r\nMicrosoft Windows: PowerShell, Rundll32, Regsvr32, Certutil, Bitsadmin.\r\nMacOS: Curl, OpenSSL, Nscurl, Xattr, Launchctl\r\n*nix: Curl, OpenSSL, Bash, Python, Nc (Netcat)\r\nLOLScripts – Living off the Land Scripts: As it sounds, this term refers to legitimate scripts and\r\nscripting languages. 
Examples:\r\nMicrosoft Windows: PubPrn.vbs, CL_LoadAssembly.ps1, CL_Mutexverifiers.ps1, Pester.bat,\r\nwinrm.vbs\r\nMacOS: osascript, bash, python, ruby, perl\r\n*nix: bash, python, perl, awk, sed\r\nNow, let’s put this together with the top five ways that threat actors use LotL techniques:\r\nLotL use by platform (Windows / macOS / Linux/Unix):\r\nLateral Movement:\r\n  Windows: PsExec, WinRM, PowerShell, WMI\r\n  macOS: SSH (Secure Shell), Osascript, Bash scripts\r\n  Linux/Unix: SSH, Bash scripts, Python scripts\r\nPrivilege Escalation:\r\n  Windows: PowerShell, Rundll32, Reg.exe\r\n  macOS: Sudo, Dscl, Osascript\r\n  Linux/Unix: Sudo, Setuid binaries, Cron jobs\r\nData Exfiltration:\r\n  Windows: Bitsadmin, Certutil, PowerShell\r\n  macOS: Curl, Rsync, SCP (Secure Copy Protocol)\r\n  Linux/Unix: Curl, Rsync, SCP, Netcat\r\nPersistence:\r\n  Windows: Schtasks, Reg.exe, WMIC\r\n  macOS: Launchctl, Cron jobs, Plist files\r\n  Linux/Unix: Cron jobs, Systemd services, Init scripts (Initialization scripts)\r\nExecution of Malicious Payloads:\r\n  Windows: PowerShell, Mshta, Rundll32\r\n  macOS: Python, Perl, Bash\r\n  Linux/Unix: Python, Perl, Bash, Awk\r\nWhat kind of threat actor lives off the land?\r\nLotL attacks are common in ransomware and espionage, but you don’t typically find them in DDoS or phishing\r\nattacks. Infostealers and banking trojans both use LotL, while cryptocurrency wallet stealers do not. LotL allows\r\nthreat actors to blend in with normal system activities, making the attack more difficult to detect, especially in the\r\nabsence of threat intelligence and other advanced security measures. 
However, LotL does have its drawbacks:\r\nLimited functionality: Custom malware can provide more flexibility and control over an attack than system\r\ntools designed for a specific purpose.\r\nEnvironmental variability: LotL techniques depend on the victim’s environment having the right set of\r\ntools. If the environment doesn’t have these tools, the attack will not be effective.\r\nAttacker expertise: LotL attacks require an understanding of system architecture and behavior.\r\nSpeed vs. stealth: LotL attacks may require patience, and many attackers prioritize speed and additional\r\nfunctionality over the stealth of LotL.\r\nImproved detection: Monitoring and anomaly detection techniques are advancing rapidly. Threat actors are\r\nwilling to mix techniques and try new things to stay ahead of defenders.\r\nLet’s go back to the cryptocurrency wallet stealer. This is malware designed to locate and extract the sensitive data\r\nneeded to access the digital assets. This data includes private keys, wallet files, and sometimes even passwords or\r\nseed phrases. The wallet stealer specifically scans infected systems for wallet information and copies and\r\nexfiltrates this information back to the attacker’s system. The attacker will then attempt to access or transfer funds\r\nfrom the wallet. This malware has to work fast before a victim can disrupt the attack or transfer funds out of the\r\nwallet. This malware targets a broad range of systems and often follows a larger phishing or malware attack. For\r\nthese reasons, LotL techniques are not a good fit for wallet stealer malware.\r\nDefend yourself from LotL tactics\r\nDetecting LotL attacks is challenging because they exploit trusted tools, but a proactive defense is possible with\r\nsome planning. 
This should be part of the company cybersecurity strategy.\r\nUse solutions like Barracuda Managed XDR to monitor systems for behavioral anomalies and uncommon network\r\nactivity. Make sure your systems are logging script executions and unusual process creation. Limit the use of high-risk LOLBins and LOLScripts through whitelisting or other measures.\r\nMaintain a strong patch management system and conduct regular vulnerability assessments.\r\nSegment networks to isolate sensitive environments and limit possibilities for lateral movement. Determine the\r\nnormal traffic and network activity and configure security solutions to flag deviations. Maintain strong patch\r\nmanagement and conduct regular vulnerability and risk assessments.\r\nIt’s critical to use the principle of least privilege (PoLP) and require multi-factor authentication (MFA) for all users.\r\nConfigure behavioral analytics and flag activity that may indicate abnormal user behavior.\r\nBarracuda can help\r\nBarracuda Managed XDR is an extended visibility, detection, and response (XDR) platform, backed by a 24×7\r\nsecurity operations center (SOC) that provides customers with round-the-clock human and AI-led threat detection,\r\nanalysis, incident response, and mitigation services.\r\nSource: https://blog.barracuda.com/2025/03/03/living-off-the-land--how-threat-actors-use-your-system-to-steal-",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.barracuda.com/2025/03/03/living-off-the-land--how-threat-actors-use-your-system-to-steal-"
	],
	"report_names": [
		"living-off-the-land--how-threat-actors-use-your-system-to-steal-"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446566,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/990ed002f5233b3865a673e1309412f1c9c0e294.pdf",
		"text": "https://archive.orkl.eu/990ed002f5233b3865a673e1309412f1c9c0e294.txt",
		"img": "https://archive.orkl.eu/990ed002f5233b3865a673e1309412f1c9c0e294.jpg"
	}
}