sbradley
Contributing Writer

Living-off-the-land attacks are hard, but not impossible, to protect against

Feature
28 Jun 2023 | 6 mins
Network Security | Software Providers | Windows Security

It’s not easy to detect and defend against attackers who can lurk in Windows systems, mimicking functions native to the operating system, but there are practical measures that will help thwart them.

[Image: Windows 11 logo. Credit: Microsoft]

In May, a joint advisory from an international group of cybersecurity authorities indicated that a cyber actor known as Volt Typhoon was using a particularly pernicious technique called "living off the land" that employed code and tools already existing in the Microsoft operating system to attack victim organizations.

Living-off-the-land attacks are hard -- but not impossible -- to defend against. Because they exploit legitimate tools, they can often linger in networks, carrying out all sorts of malicious tasks for a long time before being discovered.

Fortunately, protection from such attacks can often be accomplished without employing additional software, tools, or third-party security software. Unfortunately, it often comes down to the one thing we frequently have little of: time to test on workstations and servers to determine the actual impact on our network.

This is yet another situation in which an ounce of prevention is worth a pound of cure. In the advisory, the coalition indicated that the attackers used wmic, ntdsutil, netsh, and PowerShell, among other tools, to gain access and launch attacks. The advisory recommended several actions to help proactively mitigate living-off-the-land attacks, including ensuring that firewall egress logs are thoroughly reviewed.

While that's sound advice, in today's environment very few networks are set up with a single exit point that would allow us to review everything that goes out of our networks. Thus, we need to think of other ways we can protect and defend from hidden attackers that may be hard to detect.

Attackers want to blend into the background

Microsoft has noted that the attackers’ goal is to blend into the background, using command line commands to collect data, grab credentials from local and network systems, and place them into archive file types so that the information can be exported for later use. Stolen credentials are then used to set up and maintain persistence in the network, disguised as normal traffic in the enterprise.

It pays to closely monitor how firewalls and edge devices are set up. Volt Typhoon attackers primarily compromised Fortinet firewall appliances in order to obtain additional credentials. In enterprise firewalls, Active Directory credentials are typically used to authenticate administrators and to track who did what in the interface. It's unclear at this time exactly how the attackers were able to glean the credentials from the firewalls, but once they had them, they could assume user roles on the network and from there use various techniques to elevate rights.

Volt Typhoon uses "living off the land" techniques to dump credentials through the Local Security Authority Subsystem Service (LSASS). LSASS holds hashes of the current user's credentials in its memory space, and an attacker who can read that memory gets the hashes. The attackers wrap the actual commands in Base64-encoded command lines to obfuscate the attack sequence.
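The Base64 wrapping just described is also what makes these launches stand out to a defender: a PowerShell process started with an encoded command can be pulled from process-creation telemetry and decoded for triage. The script below is an added example, not code from the article or from Microsoft. It assumes Security event 4688 with "Include command line in process creation events" turned on (the NewProcessName and CommandLine field names are that event's), and it embeds two constructed command lines so it runs offline; the encoded one is built from a harmless Get-Date so nothing here is real telemetry.

```powershell
# Added example (not from the article): surface PowerShell launched with an encoded command,
# decode it, and hand the plaintext to whoever is triaging. Constructed samples at the bottom.

function ConvertFrom-EncodedPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -EncodedCommand abbreviated to -e, -ec, -enc and so on.
    # -ExecutionPolicy does not match because its third character is neither 'c' nor 'n'.
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') {
        $b64 = $Matches[1]
    } else {
        return $null
    }
    try {
        $bytes = [Convert]::FromBase64String($b64)
        return [Text.Encoding]::Unicode.GetString($bytes)   # -EncodedCommand is UTF-16LE
    } catch {
        return "<payload did not decode as Base64: $b64>"
    }
}

function Find-EncodedPowerShell {
    # $Events: objects with TimeCreated, NewProcessName and CommandLine (the 4688 field names).
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.NewProcessName -notmatch '(?i)\\(powershell|pwsh)\.exe$') { continue }
        $plain = ConvertFrom-EncodedPowerShell -CommandLine $e.CommandLine
        if ($plain) {
            [pscustomobject]@{ Time = $e.TimeCreated; Process = $e.NewProcessName; Decoded = $plain }
        }
    }
}

function Get-ProcessCreationEvents {
    # Pulls live 4688 events and flattens the fields this script needs. Requires command-line auditing.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; NewProcessName = $d['NewProcessName']; CommandLine = $d['CommandLine'] }
        }
}

# Constructed samples for an offline run: one encoded launch (of a harmless Get-Date), one ordinary launch.
$benign  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
$psExe   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$samples = @(
    [pscustomobject]@{ TimeCreated = Get-Date; NewProcessName = $psExe; CommandLine = "powershell.exe -NoProfile -enc $benign" },
    [pscustomobject]@{ TimeCreated = Get-Date; NewProcessName = $psExe; CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1' }
)
Find-EncodedPowerShell -Events $samples | Format-Table -AutoSize   # only the first sample is reported, decoded to Get-Date
# Against live telemetry:  Find-EncodedPowerShell -Events (Get-ProcessCreationEvents -Hours 24)
```

Decoding is deliberately the only "clever" step; the value is in feeding the plaintext to a reviewer rather than in any signature, because an encoded launch is not itself malicious (management tools use it too) and the decoded content is what tells you whether it belongs.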

How to protect Windows environments against living-off-the-land attacks

So, what can you do to better protect yourself? Sometimes you can use techniques similar to living off the land to better protect a network. Those in the process of migrating to Windows 11 should proactively review the additional protections for LSASS that are included in Windows 10 and Windows 11. Windows 11 -- in particular, new, enterprise-joined Windows 11 (22H2 update) installs -- has Protected Process Light (PPL) enabled by default. If you have the appropriate licenses, you can also enable Windows Defender Credential Guard, which is enabled if you have the Enterprise edition of Windows 11. LSA protection affects some applications, so review and evaluate before deploying it in your network.
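Before rolling LSA protection out, it helps to know where each machine actually stands, since the default-on behaviour of new Windows 11 22H2 installs means a missing registry value does not tell you PPL is off. The script below is an added example, not code from the article or from Microsoft. It assumes Windows 10 or 11, an elevated session, and the DeviceGuard WMI namespace (present on supported editions); the Wininit event 12 check and the SecurityServicesRunning value are the documented indicators, but verify them against your own images.

```powershell
# Added example (not from the article): report whether LSASS runs as a Protected Process Light
# and whether Credential Guard is running, and stage the RunAsPPL setting on a pilot machine.

function Get-LsaProtectionState {
    # Explicit configuration: a RunAsPPL value of 1 or higher under the Lsa key enables LSA protection.
    $lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    # Runtime truth: Wininit logs event 12 in the System log when LSASS started as a protected process.
    # Limiting to the current boot also covers 22H2 installs that are protected with no registry value set.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $ppEvent  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $lastBoot } `
                             -MaxEvents 1 -ErrorAction SilentlyContinue

    # Credential Guard: SecurityServicesRunning contains 1 when it is actually running (not just configured).
    $dg        = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RunAsPPLValue     = $runAsPpl
        LsassProtectedNow = ($null -ne $ppEvent)
        CredentialGuard   = [bool]$cgRunning
    }
}

function Enable-LsaProtection {
    # Writes RunAsPPL=1; takes effect at the next reboot. Pilot first: anything that loads into LSA
    # (custom smart-card drivers, some authentication packages) must be signed for PPL or it stops working.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' `
                     -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-LsaProtectionState
$state | Format-List
if (-not $state.LsassProtectedNow) {
    Write-Warning 'LSASS is not running as PPL on this machine; schedule Enable-LsaProtection through your pilot ring.'
}
```

Run Get-LsaProtectionState across the pilot ring first and keep the output; when an LSA-loading application breaks after Enable-LsaProtection, the Wininit event plus the RunAsPPL value is the quickest way to confirm it was the protection change and not something else.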

Next, use the attack surface reduction rules included in every Windows platform, specifically the one that lets you "Block credential stealing from the Windows local security authority subsystem (lsass.exe)." As Microsoft notes: "This rule helps prevent credential stealing by locking down local security authority subsystem service. LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA)."

Use Attack Surface Reduction Rules to your advantage

One Attack Surface Reduction (ASR) Rule you'll need to test for the impact on your network is "Block process creations originating from PSExec and WMI commands." You will need to test this rule as some organizations may experience compatibility issues with it on certain server systems, though it should be deployed on other systems to prevent lateral movement originating from PsExec and WMI.

Finally, you should enable the rule "Block execution of potentially obfuscated scripts," though it is important to note that the rule is currently not as effective as it once was. Microsoft has indicated that "PowerShell scripts have been temporarily excluded from the 'Block execution of potentially obfuscated scripts' rule due to a high number of false positives. We will provide an update when PowerShell scripts are included again in the scope of this rule."
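The three rules above share one deployment pattern: set them to audit, watch what they would have blocked, then flip to block. The script below is an added example, not code from the article or from Microsoft; the rule GUIDs are Microsoft's published identifiers for these three rules, the cmdlets are the Defender module's, and it assumes Microsoft Defender Antivirus is the active engine and the session is elevated. The event-data field names used in Get-AsrAuditHits (ID, Process Name, Path, User) follow the Defender operational log's schema as I know it; check them against one of your own 1122 events before relying on the report.

```powershell
# Added example (not from the article): stage the three ASR rules in audit mode, report their
# state, and list what they would have blocked so the impact can be judged before enforcing.

$AsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

function Set-AsrRuleMode {
    # AuditMode logs without blocking; Enabled blocks. Apply to all three rules unless -Ids narrows it.
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode,
        [string[]]$Ids = @($AsrRules.Keys)
    )
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns parallel arrays of rule ids and numeric actions (0 off, 1 block, 2 audit, 6 warn).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if (-not $AsrRules.Contains($id)) { continue }
        $action = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; Action = $action }
    }
}

function Get-AsrAuditHits {
    # Event 1122 = rule would have blocked (audit); 1121 = rule blocked. Both live in the Defender operational log.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule    = $AsrRules[$d['ID']]
            Process = $d['Process Name']     # the process the rule acted on
            Target  = $d['Path']             # what it was touching
            User    = $d['User']
        }
    } | Where-Object { $_.Rule }            # only the three rules this script manages
}

Set-AsrRuleMode -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
# After a week or two in audit, review the hits; every legitimate Process here is an exclusion or a redesign
# you need before switching to block:  Get-AsrAuditHits -Days 14 | Format-Table -AutoSize
# Then enforce:  Set-AsrRuleMode -Mode Enabled
```

For the PsExec/WMI rule in particular, the audit report is where the server-side compatibility problems the article warns about show up: a management agent or deployment tool that spawns processes through WMI will appear as a steady stream of 1122 events from the same Process, and that is your signal to scope the rule rather than enforce it fleet-wide.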

You'll also want to enable multifactor authentication (MFA) to ensure that only the individuals you choose gain access to key assets or workstations. If budget constraints are an issue, or older technologies in your network restrict your use of two-factor options, prioritize your protection efforts on administrative credentials first and foremost.

Learning more about living-off-the-land attacks

Living-off-the-land attacks are not new and are tracked by many websites, but they remain stubbornly difficult to identify and defend against, given that they come from a Microsoft-signed file, either native to the OS or downloaded from Microsoft. These living-off-the-land attacks typically use files or scripts that have an extra "unexpected" functionality. In the listing on the GitHub website, you can see all the files and scripts that can potentially be used. Often applications that serve normal functions such as updating are used by attackers because the traffic and CPU overhead those applications generate can be hidden or ignored. A case in point is bitsadmin.exe, the command-line client for the Background Intelligent Transfer Service (BITS). Used as a background Windows update tool, it can also be used by attackers to move data in and out of the network. For example, attackers have used BITS to download remote payloads, maintain persistence on host machines, and cover their tracks by deleting malicious code after the code has been run. You can restrict bitsadmin.exe by customizing exploit protection, for instance by applying the "Disable Win32k system calls" mitigation to it, but as always, test before recommending deployment.
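Two concrete things follow from the BITS paragraph: apply the exploit-protection mitigation to bitsadmin.exe on a pilot machine, and look at the BITS jobs that already exist on a host, since a job created by an attacker sits in the same queue as Windows Update's. The script below is an added example, not code from the article or from Microsoft. It assumes Windows 10 or 11 with the built-in ProcessMitigations and BitsTransfer modules and an elevated session (Get-BitsTransfer -AllUsers needs it). The "allowed destination" pattern is a constructed starting point for this example; adjust it to where your own software legitimately writes.

```powershell
# Added example (not from the article): apply the Win32k system-call mitigation to bitsadmin.exe,
# and list BITS jobs from all users so uploads and downloads to odd locations stand out.

function Set-BitsadminMitigation {
    # Enables (or with -Remove, disables) the Disable Win32k system calls mitigation for bitsadmin.exe.
    # Pilot first: the mitigation can break anything that legitimately drives bitsadmin.
    param([switch]$Remove)
    if ($Remove) { Set-ProcessMitigation -Name 'bitsadmin.exe' -Disable DisableWin32kSystemCalls }
    else         { Set-ProcessMitigation -Name 'bitsadmin.exe' -Enable  DisableWin32kSystemCalls }
    # Return the SystemCall section so the caller can confirm the setting took.
    (Get-ProcessMitigation -Name 'bitsadmin.exe').SystemCall
}

function Get-SuspectBitsJobs {
    # Flags upload jobs (data leaving the host) and downloads landing outside the usual update/package paths.
    # $AllowedDest is a constructed example pattern; widen it for your environment.
    param([string]$AllowedDest = '^C:\\(Windows|ProgramData\\Microsoft|Program Files)')
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        $files      = @($_.FileList)
        $oddDest    = @($files | Where-Object { $_.LocalName -notmatch $AllowedDest }).Count -gt 0
        $isUpload   = $_.TransferType -ne 'Download'
        [pscustomobject]@{
            Job     = $_.DisplayName
            Owner   = $_.OwnerAccount
            State   = $_.JobState
            Type    = $_.TransferType
            Remote  = ($files | ForEach-Object { $_.RemoteName }) -join '; '
            Local   = ($files | ForEach-Object { $_.LocalName })  -join '; '
            Suspect = ($isUpload -or $oddDest)
        }
    }
}

Set-BitsadminMitigation
Get-SuspectBitsJobs | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

The job listing is the part worth scheduling: BITS jobs survive reboots and retry quietly, so a periodic dump of Owner, Remote and Local for every job, compared against the previous run, catches the persistence use the article describes without any signature for the payload itself.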


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
