The cybersecurity threat landscape is quickly changing. Administrators have become more cautious when it comes to security and governing access, end users have become tech-savvy and security-aware, and attackers have also raised their game.

Living-off-the-land attacks, or LOTL, are one clear trend today, with attackers exploiting preinstalled features and default tools built into the system. Hackers no longer need to install malware or drop a single malicious file; they can remain invisible for longer periods of time and evade traditional defense countermeasures. Since these attacks weaponize genuine, authorized system and administrator tools, the malicious activity blends into a sea of legitimate activity, making detection and blocking extremely challenging.

This three-part blog series is a preface to a live hands-on webinar where we will learn the different ways attackers can leverage living-off-the-land attack tactics to gain access to your critical data, privileged accounts, and servers.

In this part, we discuss two simple yet noteworthy attack techniques. We observe the tools abused, the execution method and, of course, the aftermath!

  • Office 365 password attack:
    • Tools misused: PowerShell, the built-in administration utility, which is similar to the Command Prompt.
    • Method of execution: A simple script that targets the Office 365 login portal and sprays a list of predictable, commonly used passwords against a targeted victim account. It can be executed using PowerShell.
    • Aftermath: Access to Office 365 account credentials.

  • Copying data from remote locations:
    • Tools misused: Command Prompt and expand.exe, the executable file that is part of the User Profile Hive Cleanup Service program developed by Microsoft.
    • Method of execution: Using Command Prompt, damage can be caused by a simple command with this syntax: `expand.exe <Path of source file in remote server> <Destination path in attacker's system>`
    • Aftermath: Attackers can obtain malicious scripts or sensitive data from remote systems to conduct an attack.
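Both techniques above leave traces in logs that defenders already collect: a password spray shows up as one source address failing against many distinct accounts in a short window, and the expand.exe copy shows up as a process-creation event whose source argument is a UNC path. The following is an added example, not code from the original post or from ManageEngine, that runs two small detectors over constructed sample records. The record layouts (sign-in tuples of timestamp, user, source IP, outcome; process tuples of host, parent image, command line) are assumptions that only resemble real Azure AD sign-in exports and Windows 4688/Sysmon process-creation events, and the thresholds are illustrative defaults.

```python
"""Detection helpers for the two living-off-the-land techniques described above.

Added example (not from the original post). Log layouts and thresholds are
assumptions chosen for illustration; adapt them to your own log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

# ---- 1. Password spray against the Office 365 login portal -----------------
# Constructed sign-in records: (UTC timestamp, user, source IP, outcome).
SIGNIN_LOG = [
    # Spray: one source, one guess each against many accounts
    ("2024-05-01T09:00:01Z", "alice@example.com", "203.0.113.7", "Failure"),
    ("2024-05-01T09:00:04Z", "bob@example.com", "203.0.113.7", "Failure"),
    ("2024-05-01T09:00:07Z", "carol@example.com", "203.0.113.7", "Failure"),
    ("2024-05-01T09:00:10Z", "dave@example.com", "203.0.113.7", "Failure"),
    ("2024-05-01T09:00:13Z", "erin@example.com", "203.0.113.7", "Failure"),
    ("2024-05-01T09:00:16Z", "frank@example.com", "203.0.113.7", "Success"),
    # An ordinary user mistyping a password twice, then signing in
    ("2024-05-01T09:02:00Z", "grace@example.com", "198.51.100.20", "Failure"),
    ("2024-05-01T09:02:20Z", "grace@example.com", "198.51.100.20", "Failure"),
    ("2024-05-01T09:02:40Z", "grace@example.com", "198.51.100.20", "Success"),
    # Normal sign-in from an unrelated address
    ("2024-05-01T09:05:00Z", "alice@example.com", "192.0.2.5", "Success"),
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs whose failed sign-ins are spread across many accounts.

    A spray is the inverse of a brute-force attack: few guesses per account,
    many accounts. For each IP, slide a window over its failures (sorted by
    time) and alert when at least `min_users` distinct accounts fail inside
    one window. Successful sign-ins from a flagged IP are reported too, since
    those are the accounts that now need a password reset and token revocation.
    """
    failures = defaultdict(list)   # ip -> [(time, user), ...]
    successes = defaultdict(set)   # ip -> {user, ...}
    for ts, user, ip, outcome in records:
        if outcome == "Failure":
            failures[ip].append((_parse_ts(ts), user))
        elif outcome == "Success":
            successes[ip].add(user)

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = {"targeted": sorted(users),
                              "succeeded": sorted(successes[ip])}
                break
    return alerts


# ---- 2. expand.exe pulling files from a remote share -----------------------
# Constructed process-creation events: (host, parent image, command line).
PROCESS_LOG = [
    ("ws01", r"C:\Windows\System32\cmd.exe",
     r"expand.exe \\fileserv\share\run.ps1 C:\Users\Public\run.ps1"),
    ("ws02", r"C:\Windows\explorer.exe",
     r"expand.exe C:\Temp\driver.cab -F:* C:\Temp\out"),       # local, benign
    ("ws03", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\expand.exe" \\fileserv\share\payroll.xlsx C:\Users\Public\p.xlsx'),
    ("ws04", r"C:\Windows\System32\cmd.exe",
     r"xcopy \\fileserv\share\x.txt C:\x.txt"),                  # not expand.exe
]


def detect_remote_expand(events):
    """Flag expand.exe invocations whose source argument is a UNC path (\\\\...).

    Splits the command line in non-POSIX mode so Windows backslashes survive,
    identifies the image by its final path component, and treats the first
    non-switch argument as the source file, matching the syntax quoted above.
    """
    hits = []
    for host, parent, cmdline in events:
        argv = shlex.split(cmdline, posix=False)
        if not argv:
            continue
        image = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
        if image != "expand.exe":
            continue
        positional = [a.strip('"') for a in argv[1:] if not a.startswith("-")]
        if positional and positional[0].startswith("\\\\"):
            hits.append({"host": host, "parent": parent,
                         "source": positional[0],
                         "dest": positional[-1] if len(positional) > 1 else None})
    return hits


if __name__ == "__main__":
    for ip, info in detect_password_spray(SIGNIN_LOG).items():
        print(f"spray from {ip}: targeted={info['targeted']} succeeded={info['succeeded']}")
    for hit in detect_remote_expand(PROCESS_LOG):
        print(f"{hit['host']}: expand.exe copied {hit['source']} -> {hit['dest']}")
```

With the sample data, the first detector flags 203.0.113.7 (five accounts failed within seconds, and frank@example.com was subsequently signed in from the same address) while grace's two typos are left alone; the second flags ws01 and ws03, ignores the local cabinet extraction on ws02, and ignores the xcopy on ws04 because the rule is specific to expand.exe. Tune `min_users` and `window` against your own tenant's baseline before alerting on them.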

You can check out a short video on the above-mentioned attacks:

Sign up for our free webinar and see a live demonstration of the living-off-the-land attacks to understand the attack patterns better, and learn how to build an effective defense strategy for your hybrid environment.

If you need assistance trying these attacks in our own test environment, just drop an email to abi@manageengine.com.