How to Recognize “Living Off the Land” Computer Attacks

I frequently write about the threat of malware and how attackers exploit it for a variety of purposes, from stealing personal information to completely taking over users’ devices or adding them to botnets. This malware is distributed through a variety of means, including phishing, ClickFix attacks, malvertising, and even apps verified and approved by Apple and Google.

However, as users (and security solutions) have become more cognizant of the signs of malware infection and sophisticated enough to avoid them, some cybercriminals have changed tactics: Living Off the Land (LOTL) attacks leverage built-in system utilities and tools that are less likely to arouse suspicion.

How Living Off the Land attacks work

As Huntress describes, LOTL (Living Off the Land) refers to using the resources already present on a system rather than bringing in new ones from outside. Instead of silently dropping custom-built malware onto a user’s computer, attackers abuse tools such as PowerShell, Windows Management Instrumentation (WMI), other built-in utilities, and trusted applications like Microsoft Teams for malicious ends. Antivirus software rarely flags these tools as suspicious, and in most cases does not, because they are part of normal system processes and are expected to be there.


By hijacking legitimate tools, attackers gain access to systems and networks, can remotely execute code, escalate privileges, steal data, or even install other types of malware. The PowerShell command-line interface allows for file uploads and command execution, making it a popular tool for attackers, along with WMI, although Unix binaries and signed Windows drivers are also frequently used.

Attackers using LOTL techniques can employ exploit kits that deliver fileless malware via phishing or other forms of social engineering, along with stolen credentials and fileless ransomware, to gain access to built-in tools. Recently, Malwarebytes Labs uncovered a campaign distributed through fake Google Meet updates that exploited the legitimate Windows device enrollment feature, operating through an attack server hosted on a reputable mobile device management platform.


How to detect a LOTL attack

Many methods for identifying, remediating, and preventing LOTL-type attacks are aimed at organizations with large infrastructures that require protection, but individual users can (and should) also be vigilant against this type of threat. As always, be aware of signs of phishing and other forms of social engineering that attackers use to steal credentials and gain access to networks and devices. Beware of unsolicited messages containing links, software and security update notifications, and anything that arouses curiosity, anxiety, urgency, or fear. Install security updates as soon as they become available to prevent exploitation of vulnerabilities.

When looking for LOTL-type attacks, Huntress recommends paying attention not only to suspicious files or programs but also to unusual behavior: for example, tools operating outside their normal context or following unexpected patterns, and unusual network connections made by system utilities. It is essential to monitor and log the use of commonly abused built-in tools, and to audit any remote access tools and device enrollments.
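As an added example that is not from the article or from Huntress, the following Python sketch applies those behavioral checks to a few constructed Sysmon-style events (process creation and network connection): a built-in utility launched by an unexpected parent such as an Office application, an encoded PowerShell command line, and an outbound connection from a utility that should not need the network. The field names, the lists of utilities and parents, and the sample events are assumptions chosen for this illustration.

```python
"""Toy LOTL behavior detector over constructed Sysmon-style events.

Added example; field names mimic Sysmon (EventID 1 = process create,
EventID 3 = network connect). All events below are constructed."""
import re

# Built-in utilities attackers commonly repurpose (assumed list).
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
# Parents that rarely have a legitimate reason to launch those utilities.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "teams.exe",
                   "msedge.exe", "chrome.exe"}
# Utilities that should almost never open outbound connections themselves.
NO_NETWORK_EXPECTED = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Return the reasons this single event looks like LOTL abuse (empty if none)."""
    reasons = []
    image = basename(event.get("Image", ""))
    if event["EventID"] == 1:  # process creation
        parent = basename(event.get("ParentImage", ""))
        if image in LOLBINS and parent in UNUSUAL_PARENTS:
            reasons.append(f"{image} spawned by {parent} (unexpected parent)")
        if image == "powershell.exe" and ENCODED_PS.search(event.get("CommandLine", "")):
            reasons.append("powershell launched with an encoded command line")
    elif event["EventID"] == 3:  # network connection
        dst = event.get("DestinationIp", "")
        if image in NO_NETWORK_EXPECTED and not dst.startswith(("10.", "192.168.")):
            reasons.append(f"{image} made an outbound connection to {dst}")
    return reasons

def scan(events):
    """Map the index of each flagged event to its list of reasons."""
    return {i: r for i, e in enumerate(events) if (r := analyze(e))}

# Constructed sample events (not real telemetry); the base64 decodes to "Get-Date".
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Process"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe", "DestinationIp": "203.0.113.7"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.7"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

The first and third sample events are flagged; the interactive PowerShell session under explorer.exe and the svchost.exe connection are not.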
