Experts Blog

Client Advisory: Living off the Land Attacks
June 9, 2023
Fortalice Solutions

Living off the Land Attack: The Basics

The primary tactics, techniques, and procedures (TTPs) of the People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon has recently caught the attention of the United States and its international cybersecurity partners. The TTPs in question – Living off the Land (LOTL) – allows bad actors to “evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” according a recent joint Cybersecurity Advisory (CSA) from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI, as well as their cybersecurity counterparts in Australia, New Zealand, and the United Kingdom. To aid network defenders in their hunt for this activity, the joint advisory provides examples of the actor’s commands along with detection signatures.

Increasingly, cyber actors are employing LOTL attack, which blend (and obscure) their nefarious activities with legitimate tools and infrastructure already found (and regularly used) in your environment to mask their presence while greatly minimizing their chances of detection and attribution. Typically, the introduction of a third-part application generates an alert to the host from an endpoint detection and response (EXR) product. Unfortunately, LOTL enables the actor to skirt detection more easily and effectively.

LOTL Attacks: How they Work

Actors who employ LOTL typically leverage "fileless" malware and memory-based attacks that adds to the difficulty of detection by leaving minimal trace of their movements because these fileless attacks do not require a bad actor to install code or scripts within the system they are targeting. By blending in with legitimate activities and evading traditional signature-based defenses, PRC actors employing LOTL ensure their operations remain covert for extended periods. In some LOTL cases, adversaries have been able to move around an organization stealthily for months and even users undetected.  

To launch a fileless malware attack, hackers can modify their targets native tools (e.g., exploit kits, fileless ransomware, memory-only malware, and stolen credentials) to gain access to your environments. LOTL involves exploiting trusted software, built-in network administration tools (e.g., wmic, ntdsutil, netsh, and PowerShell), and other network resources to infiltrate target systems, gather intelligence, and maintain long-term access.  

According to the joint CSA, private sector partners have reported that LOTL activity has negatively impacted networks across the critical infrastructure landscape in a range of disparate sectors. To that end, the federal and international authorities feel that Volt Typhoon “could apply the same techniques against these and other sectors worldwide,” including defense, transportation, and finance. Like other PRC-backed Advanced Persistent Threat (APT) groups, Volt Typhoon is likely motivated by a host of things, including intelligence gathering, economic espionage, political influence, and even disruption of critical infrastructures in rival nations.

LOTL Attacks: What You Can Do

To stay one step ahead of these well-funded, highly organized, state-funded attackers, companies, organizations, sectors, and ally nations must rely on some proven cybersecurity measures. The joint advisory is an excellent example of one such technique: robust threat intelligence, reporting, and information sharing. Cybersecurity is a team sport and the more accurate intelligence and actionable information that the “good guys” can share, the better (and safer) all of us will be.  

At an organizational level, it’s critical to ensure you have strong and tested endpoint protection and advanced detection technologies in place to help your analysts identify, root out, and mitigate the easily masked LOTL TTPs.  

There are four activities we highly recommend that your technology and security team prioritize in light of recent events. These activities will help protect and defend against this type of attack and future ones.

  1. Harden domain controllers and closely monitor event logs.  
  1. Limit the usage of port proxies within your network environment, enabling them only when necessary. This minimizes vulnerabilities and bolsters security.
  1. Assign someone to investigate command lines, registry entries, and firewall logs for unusual IP addresses and ports, identifying potentially compromised hosts involved in malicious activities.
  1. Audit and validate any usage of administrator privileges to ensure the legitimacy of executed commands, reducing the risk of unauthorized access.  

Additionally, if you aren’t already, it’s imperative to implement and leverage strategies that will make LOTL attacks more difficult, including:

  • practicing the Principle of Least Privilege in your credential management procedures;  
  • implementing proper network segmentation strategies;  
  • ensuring your software updates are all up-to-date; and
  • if you aren’t already doing so, be sure you have Multi-Factor Authentication in place for all externally-facing entry points into your system.

Embrace a proactive and diligent approach to network security, implementing these recommended practices to enhance resilience against emerging threats.

Implementing these concise recommendations will contribute to the fortification of your network infrastructure and enhance your ability to mitigate security risks effectively. Finally, as with any other evolving cybersecurity threat, organizations must continue to regularly conduct cybersecurity assessments, train all employees in identifying suspicious cybersecurity activities, and maintain the latest, most up-to-date software and patches.  

How Fortalice Can Help

LOTL attacks, as we have mentioned, are very difficult to detect, mitigate against, and recover from given the inherently stealthy nature of these types of fileless techniques. Fortalice stands ready to help you and your organization protect against these insidious attacks. Our team is here to help you continue to create operational efficiencies for your employees without providing would-be attackers with additional vectors to launch successful LOTL attacks. To that end, our team can, among other things:  

  • Review your incident response plans (IRPs) and ensure everyone on your IRP team has a paper copy of the playbook. Need help refreshing your IRP? Fortalice’s risk and compliance experts are ready to review your existing policies and procedures. We’ll advise you on necessary improvements to meet industry best practices, as well as steer you toward additional protections against increasingly popular attack strategies like LOTL.
  • Identify weaknesses in your security environment. Through the perspective of an attacker, our Offensive Cyber Operations team will mimic sophisticated cyber threats to test systems and produce action steps so your organization can stay ahead of the bad guys.  
  • Inventory your existing network landscape. Fortalice can work inventory the tools you are currently using in your environment to help you better understand how LOTL attackers may leverage them against you to allow you to reduce risk and more efficiently and safely manage your business.
  • Institute strategic, focused threat hunts designed to search for nefarious activities associated with fileless attacks like LOTL.  

If you need additional assistance, the Fortalice team stands ready to assist you in assessing your current risk and road mapping your organization’s future cybersecurity posture.

You can reach the Fortalice team at

Additional Resources

  • If you believe you are a victim and need assistance, contact your FBI Field Office 1-800-CALLFBI (1-800-225-5324) or write to the FBI’s Internet Crime Complaint Center website:
  • Advisory: We encourage to read the linked Joint CSA: “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.” This product is marked TLP: CLEAR. Subject to standard copyright rules, the information in this product may be shared without restriction.
Let's Talk
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.