In OT and ICS cybersecurity, living off the land (LOTL) techniques refer to the practice of attackers using the existing tools and processes in a target system to carry out their malicious activities. This approach is particularly dangerous because it allows the attacker to blend in with everyday activities, making detection significantly more challenging.
Operational Technology
Cyber Resilience
Industrial

How Living-Off-The-Land Techniques Impact OT and ICS

Dan Ricci
/
Aug 12, 2024

In cybersecurity, living off the land (LOTL) techniques refer to the practice of attackers using the existing tools and processes in a target system to carry out their malicious activities (LOLBAS Project, 2024). This approach is particularly dangerous because it allows the attacker to blend in with everyday activities, making detection significantly more challenging. The term “living-off-the-land” is derived from a survival strategy in which one relies on one's environment for sustenance. Similarly, in a cyber context, attackers leverage the resources within the compromised system, reducing the need to deploy their easily detectable tools or malware.

Operational technology (OT) and industrial control systems (ICS) are integral components of critical infrastructure sectors, including energy, manufacturing, water, wastewater treatment, and transportation. These systems were traditionally isolated from IT networks and the Internet. Still, over the past two decades, they have become increasingly connected, leading to a significant increase in the risk of external exploitation and attack capabilities.

Integrating IT and OT has brought about increased exposure to living-off-the-land (LOTL) techniques. Tables 1 and 2 provide a few examples of legitimate system tools and processes that an attacker could leverage in reconnaissance and exploitation tactics and techniques against IT systems in OT environments.

Table 1. Exploitable System Tools

Tactic

Technique

Tool

Example

Discovery

Remote System Discovery

Ping

Ping to enumerate systems on a compromised network.

Persistence

Create Account

PsExec

Remotely create accounts on target systems.

Execution

Command and Scripting Interpreter

PowerShell

PowerShell scripts to run a credential harvesting tool in memory to evade defenses.

Privilege Escalation

Scheduled Task

Windows Task Scheduler

Windows Task Scheduler schedules tasks for the initial or recurring execution of malicious code. 

Table 2. Exploitable Processes

Technique

Processes

Example

Create or Modify System Process

services.exe

To evade detection analysis, attackers use these services and others to hide malicious payloads among legitimate services within the Windows OS or as benign software components.

Get-Service

sc.exe

sc.exe can be used to make service configuration settings or modify them using this system utility, such as modifying the Registry or interacting directly with the Windows API.


The stealthy nature of LOTL techniques allows them to infiltrate and manipulate OT/ICS systems undetected, potentially causing significant disruptions. Given that OT/ICS systems control physical processes, a successful LOTL attack can have severe real-world consequences, including physical damage and service interruptions. This new dimension of risk introduced by LOTL techniques underscores the critical need for robust security measures to counter these threats in OT/ICS contexts.

How LOTL Techniques Can Be Used to Exploit OT/ICS

LOTL techniques, the use of legitimate system binaries and scripts, can be exploited in various ways to compromise OT/ICS environments. For instance, an attacker could use a binary like cmd.exe or powershell.exe to execute malicious commands or a script like bitsadmin.exe to download additional malicious tools or exfiltrate data. These techniques can allow an attacker to gain control over critical infrastructure systems, disrupt operations, or steal sensitive information, all while blending in with legitimate system activity and evading detection.

While it’s challenging to provide specific real-world examples of these LOTL binaries and scripts being used in OT/ICS attacks due to the sensitive nature of these incidents and the confidentiality of the involved entities, it’s important to note that these techniques are commonly used in sophisticated cyber-attacks. 

For example, the use of legitimate system tools like cmd.exe and powershell.exe for command execution or bitsadmin.exe for file transfer has been documented in numerous cyber-attacks, including those targeting OT/ICS environments. These attacks often result in the execution of malicious commands, modification of system configurations, or exfiltration of sensitive data, demonstrating the potential impact and versatility of LOTL techniques. 

An example where LOTL was used in cyber-attacks against the Ukraine electric power grid      dating back to 2015 and as recent as 2022. In these attacks, the Russian advanced      persistent threat (APT) Group, Sandworm, leveraged several LOTL techniques to successfully exploit Ukrainian electrical companies’ business IT systems to gain access to OT devices and used BlackEnergy3 and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid (MITRE ATT&CK, C0028, Campaigns, 2023). 

In 2016, Sandworm again used LOTL techniques with Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid (MITRE ATT&CK, C0025, Campaigns, 2023). In 2022, Sandworm used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and LOTL techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system (MITRE ATT&CK, C0034, Campaigns, 2024).

Matching LOTL Binaries to MITRE ATT&CK for ICS Techniques and Tactics

The LOLBAS Project provides a comprehensive list of binaries and scripts used in cyberattacks. LOTL techniques have been mapped to the techniques in the MITRE ATT&CK for ICS framework. This mapping can help organizations understand potential threats and develop effective mitigation strategies. Taking Sandworm’s techniques identified by MITRE ATT&CK in the three campaigns against the Ukraine power grid, we can easily see the LOTL used in each attack in Tables 3-5.


Table 3. 2015 Ukraine Electric Power Attack

Domain

Technique ID

Name

LOTL

Binary

Functions

Type

Enterprise

T1562.001

Impair Defenses: Disable or Modify Tools

T1562.001: Disable or Modify Tools

fltMC.exe

Tamper

Binaries

Enterprise

T1105

Ingress Tool Transfer

T1105: Ingress Tool Transfer

AppInstaller.exe

Download (INetCache)

Binaries

Enterprise

T1040

Network Sniffing

T1040: Network Sniffing

Pktmon.exe

Reconnaissance

Binaries

Enterprise

T1055

Process Injection

T1055: Process Injection

coregen.exe

Execute (DLL)

OtherMSBinaries

Enterprise

T1218.011

System Binary Proxy Execution: Rundll32

T1218.011: Rundll32

Rundll32.exe

Execute (DLL)

Binaries

Enterprise

T1078

Valid Accounts

T1078: Valid Accounts

Cmdkey.exe

Credentials

Binaries


Table 4. 2016 Ukraine Electric Power Attack

Domain

Technique ID

Name

LOTL

Binary

Functions

Type

Enterprise

T1543.003

Create or Modify System Process: Windows Service

T1543.003: Windows Service

Dnscmd.exe

Execute (DLL)

Binaries

Enterprise

T1036.005

Masquerading: Match Legitimate Name or Location

T1036.005: Match Legitimate Name or Location

Colorcpl.exe

Copy

Binaries

Enterprise

T1003.001

OS Credential Dumping: LSASS Memory

T1003.001: LSASS Memory

rdrleakdiag.exe

Dump

Binaries


Table 5. 2022 Ukraine Electric Power Attack

Domain

Technique ID

Name

LOTL

Binary

Functions

Type

Enterprise

T1059.001

Command and Scripting Interpreter: PowerShell

T1059: Command and Scripting Interpreter

powershell.exe

Execute (DLL)

Binaries

Enterprise

T1485

Data Destruction

T1485: Data Destruction

Fsutil.exe

Tamper

Binaries

Enterprise

T1053.005

Scheduled Task/Job: Scheduled Task

T1053.005: Scheduled Task

Schtasks.exe

Execute

Binaries

Mitigations for LOTL Used in Ukraine Electric Power Attacks

Mitigations exist to address the LOTL techniques used in these three cyberattacks against the Ukraine electric power grid in 2015, 2016, and 2022. Table 6 lists the LOTL technique ID, the name of the executable or process that was abused or the action performed by the attacker, and the mitigation ID corresponding to the best practice or countermeasure to prevent or detect the technique. The mitigation IDs are explained in detail in the description provided.

Table 6. Mitigations for LOTL Techniques Used in Ukraine Electric Power Attacks

Technique ID

Mitigation ID

Mitigation

Description

T1562.001: Impair Defenses: Disable or Modify Tools

M1038

Execution Prevention

Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.

M1022

Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.

M1024

Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.

M1018

User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

T1105: Ingress Tool Transfer

M1031

Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.

T1040: Network Sniffing

M1041

Encrypt Sensitive Information

Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.

M1032

Multi-factor Authentication

Use multi-factor authentication wherever possible.

M1030

Network Segmentation

Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay

M1018

User Account Management

In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.

T1055: Process Injection

M1040

Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection.  

T1218.011: System Binary Proxy Execution: Rundll32

M1050

Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.

T1078: Valid Accounts

M1036

Account Use Policies

Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. 

M1015

Active Directory Configuration

Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.

M1013

Application Developer Guidance

Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).

M1027

Password Policies

Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. When possible, applications that use SSH keys should be updated periodically and properly secured.

Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.

M1026

Privileged Account Management

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. 

M1018

User Account Management

Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.

M1017

User Training

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

T1543.003: Create or Modify System Process: Windows Service

M1047

Audit

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

M1040

Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[152] On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.[153]

M1045

Code Signing

Enforce registration and execution of only legitimately signed service drivers where possible.

M1028

Operating System Configuration

Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.

M1018

User Account Management

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

T1036.005: Masquerading: Match Legitimate Name or Location

M1045

Code Signing

Require signed binaries and images.

M1038

Execution Prevention

Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.

M1022

Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

T1003.001: OS Credential Dumping: LSASS Memory

M1040

Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 

M1043

Credential Access Protection

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. 

M1028

Operating System Configuration

Consider disabling or restricting NTLM. Consider disabling WDigest authentication. 

M1027

Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026

Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled. This is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for designing and administering an enterprise network to limit privileged account use across administrative tiers.

M1025

Privileged Process Integrity

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. 

M1017

User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1059.001: Command and Scripting Interpreter: PowerShell

M1049

Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

M1045

Code Signing

Set PowerShell execution policy to execute only signed scripts.

M1042

Disable or Remove Feature or Program

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact on an environment since it could be used for many legitimate purposes and administrative functions.

Disable/restrict the WinRM Service to help prevent the use of PowerShell for remote execution.

M1038

Execution Prevention

Use application control where appropriate. PowerShell Constrained Language mode can restrict access to sensitive or otherwise dangerous language elements, such as those used to execute arbitrary Windows APIs or files. 

M1026

Privileged Account Management

When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. 

PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.

T1485: Data Destruction

M1053

Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

T1053.005: Scheduled Task/Job: Scheduled Task

M1047

Audit

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 

M1028

Operating System Configuration

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at:


HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 

M1026

Privileged Account Management

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. 

M1018

User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Table 4 identifies the identical mitigation IDs and defensive measures for different LOTL techniques. However, the mitigations provided within MITRE ATT&CK for these LOTL techniques are uniquely tailored to each MITRE ATT&CK Technique ID and platform (e.g., Windows, Linux, Cloud, Mobile, ICS device). An asset owner can take the LOTL techniques identified in MITRE ATT&CK to identify more mitigations to harden and securely configure their OT/ICS environment. Further, the LOTL techniques identified by MITRE ATT&CK provide detection methods to assist asset owners in their threat monitoring operations, incident response plans, and playbook development.

Closing Thoughts

Adversaries will continue to use LOTL techniques to compromise OT/ICS. By mapping LOTL techniques identified in the LOLBAS Project to the MITRE ATT&CK framework, we have shown how asset owners can leverage existing knowledge and resources to improve their security posture and resilience. We have also highlighted some common mitigations and detections to help prevent or identify LOTL attacks in OT/ICS environments.

Operational Technology
Cyber Resilience
Industrial
Dan Ricci
Founder, ICS Advisory Project

Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.

Stay in the know Get the Nexus Connect Newsletter
You might also like… Read more
Latest on Nexus Podcast