What is living-off-the-land?
Threat actors employ a variety of techniques to compromise target networks, including exploiting unpatched vulnerabilities, abusing misconfigurations, deploying backdoors, and creating custom malware. However, these methods generate a lot of noise and are relatively easy for network and host-based monitoring tools to detect, especially once indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) are published by the cybersecurity community.
Living-off-the-Land (LOTL) techniques, however, allow attacks to remain nearly invisible to Endpoint Detection and Response (EDR) tools – leveraging trusted protocols, applications and native systems to carry out malicious activity. While mitigations exist, they are often poorly implemented. The Cybersecurity and Infrastructure Security Agency (CISA) found that some organizations “lacked security baselines, allowing [Living-off-the-Land binaries (LOLBins)] to execute and leaving analysts unable to identify anomalous activity” and “organizations did not appropriately tune their detection tools to reduce alert noise, leading to an unmanageable level of alerts to sift through and action" [1].
Darktrace / NETWORK addresses this challenge across Information Technology (IT), Operational Technology (OT), and cloud environments by continuously analyzing network traffic and identifying deviations from normal behavior with its multi-layered AI – helping organizations detect and respond to LOTL attacks in real time.
Darktrace’s detection of LOTL attacks
This blog will review two separate attacks detected by Darktrace that leveraged LOTL techniques at several stages of the intrusion.
Case A
Reconnaissance
In September 2024, a malicious actor gained access to a customer network via their Virtual Private Network (VPN) from two desktop devices that had no prior connection history. Over two days, the attacker conducted multiple network scans, targeting ports associated with Remote Desktop Protocol (RDP) and NTLM authentication. Darktrace detected this unusual activity, triggering multiple alerts for scanning and enumeration activity.
Unusual NTLM authentication attempts using default accounts like “Guest” and “Administrator” were detected. Two days after the initial intrusion, suspicious DRSGetNCChanges requests were observed on multiple domain controllers (DCs), targeting the Directory Replication Service RPC interface (i.e., drsuapi) – a technique used to extract account hashes from DCs. This process can be automated using tools like Mimikatz's DcSync and DCShadow
Around the same time, attacker-controlled devices were seen presenting an admin credential and another credential potentially granting access to Cisco Firewall systems, suggesting successful privilege escalation. Due to the severity of this activity, Darktrace’s Autonomous Response was triggered to prevent the device from further deviation from its normal behavior. However, because Autonomous Response was configured in Human Confirmation mode, the response actions had to be manually applied by the customer.
Lateral movement
Darktrace also detected anomalous RDP connections to domain controllers, originating from an attacker-controlled device using admin and service credentials. The attacker then successfully pivoted to a likely RDP server, leveraging the RDP protocol – one of the most commonly used for lateral movement in network compromises observed by Darktrace.
Tooling
Following an incoming RDP connection, one of the DCs made a successful GET request to the URI '/download/122.dll' on the 100% rare IP, 146.70.145[.]189. The request returned an executable file, which open-source intelligence (OSINT) suggests is likely a CobaltStrike C2 sever payload [2] [3]. Had Autonomous Response been enabled here, it would have blocked all outgoing traffic from the DC allowing the customer to investigate and remediate.
Additionally, Darktrace detected a suspicious CreateServiceW request to the Service Control (SVCCTL) RPC interface on a server. The request executed commands using ‘cmd.exe’ to perform the following actions
- Used ‘tasklist’ to filter processes named ”lsass.exe” (Local Security Authority Subsystem Service) to find its specific process ID.
- Used “rundll32.exe” to execute the MiniDump function from the “comsvcs.dll” library, creating a memory dump of the “lsass.exe” process.
- Saved the output to a PNG file in a temporary folder,
Notably, “cmd.exe” was referenced as “CMd.EXE” within the script, likely an attempt to evade detection by security tools monitoring for specific keywords and patterns.
Over the course of three days, this activity triggered around 125 Darktrace / NETWORK alerts across 11 internal devices. In addition, Cyber AI Analyst launched an autonomous investigation into the activity, analyzing and connecting 16 separate events spanning multiple stages of the cyber kill chain - from initial reconnaissance to payload retrieval and lateral movement.
Darktrace’s comprehensive detection enabled the customer’s security team to remediate the compromise before any further escalation was observed.
Case B
Between late 2023 and early 2024, Darktrace identified a widespread attack that combined insider and external threats, leveraging multiple LOTL tools for reconnaissance and lateral movement within a customer's network.
Reconnaissance
Initially, Darktrace detected the use of a new administrative credential by a device, which then made unusual RDP connections to multiple internal systems, including a 30-minute connection to a DC. Throughout the attack, multiple unusual RDP connections using the new administrative credential “%admin!!!” were observed, indicating that this protocol was leveraged for lateral movement.
The next day, a Microsoft Defender Security Integration alert was triggered on the device due to suspicious Windows Local Security Authority Subsystem Service (LSASS) credential dump behavior. Since the LSASS process memory can store operating system and domain admin credentials, obtaining this sensitive information can greatly facilitate lateral movement within a network using legitimate tools such as PsExec or Windows Management Instrumentation (WMI) [4]. Security integrations with other security vendors like this one can provide insights into host-based processes, which are typically outside of Darktrace’s coverage. Darktrace’s anomaly detection and network activity monitoring help prioritize the investigation of these alerts.
Three days later, the attacker was observed logging into the DC and querying tickets for the Lightweight Directory Access Protocol (LDAP) service using the default credential “Administrator.” This activity, considered new by Darktrace, triggered an Autonomous Response action that blocked further connections on Kerberos port 88 to the DC. LDAP provides a central location to access and manage data about computers, servers, users, groups, and policies within a network. LDAP enumeration can provide valuable Active Directory (AD) object information to an attacker, which can be used to identify critical attack paths or accounts with high privileges.
Lateral movement
Following the incoming RDP connection, the DC began scanning activities, including RDP and Server Block Message (SMB) services, suggesting the attacker was using remote access for additional reconnaissance. Outgoing RDP connection attempts to over 100 internal devices were observed, with around 5% being successful, highlighting the importance of this protocol for the threat actor’s lateral movement.
Around the same time, the DC made WMI, PsExec, and service control connections to two other DCs, indicating further lateral movement using native administrative protocols and tools. These functions can be leveraged by attackers to query system information, run malicious code, and maintain persistent access to compromised devices while avoiding traditional security tool alarms. In this case, requested services included the IWbemServices (used to access WMI services) and IWbemFetchSmartEnum (used to retrieve a network-optimized enumerator interface) interfaces, with ExecQuery operations detected for the former. This method returns an enumerable collection of IWbemClassObject interface objects based on a query.
Additionally, unusual Windows Remote Management (WinRM) connections to another domain controller were observed. WinRM is a Microsoft protocol that allows systems to exchange and access management information over HTTP(S) across a network, such as running executables or modifying the registry and services.
The DC was also detected writing the file “PSEXESVC.exe” to the “ADMIN$” share of another internal device over the SMB file transfer network protocol. This activity was flagged as highly unusual by Darktrace, as these two devices had not previously engaged in this type of SMB connectivity.
It is rare for an attacker to immediately find the information or systems they are after, making it likely they will need to move around the network before achieving their objectives. Tools such as PsExec enable attackers to do this while largely remaining under the radar. With PsExec, attackers who gain access to a single system can connect to and execute commands remotely on other internal systems, access sensitive information, and spread their attack further into the environment.
Darktrace further observed the DC connecting to the SVCCTL endpoint on a remote device and performing the CreateServiceW operation, which was flagged as highly unusual based on previous behavior patterns between the two devices. Additionally, new ChangeServiceConfigW operations were observed from another device.
Aside from IWbemServices requests seen on multiple devices, Darktrace also detected multiple internal devices connecting to the ITaskSchedulerService interface over DCE-RPC and performing new SchRpcRegisterTask operations, which register a task on the destination system. Attackers can exploit the task scheduler to facilitate the initial or recurring execution of malicious code by a trusted system process, often with elevated permissions. The creation of these tasks was considered new or highly unusual and triggered several anomalous ITaskScheduler activity alerts.
Conclusion
As pointed out by CISA, threat actors frequently exploit the lack of implemented controls on their target networks, as demonstrated in the incidents discussed here. In the first case, VPN access was granted to all domain users, providing the attacker with a point of entry. In the second case, there were no restrictions on the use of RDP within the targeted network segment, allowing the attackers to pivot from device to device.
Darktrace assists security teams in monitoring for unusual use of LOTL tools and protocols that can be leveraged by threat actors to achieve a wide range of objectives. Darktrace’s Self-Learning AI sifts through the network traffic noise generated by these trusted tools, which are essential to administrators and developers in their daily tasks, and highlights any anomalous and potentially unexpected use.
Credit to Alexandra Sentenac (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)
References
[2] https://www.virustotal.com/gui/ip-address/146.70.145.189/community
[3] https://www.virustotal.com/gui/file/cc9a670b549d84084618267fdeea13f196e43ae5df0d88e2e18bf5aa91b97318
MITRE Mapping
INITIAL ACCESS - External Remote Services
DISCOVERY - Remote System Discovery
DISCOVERY - Network Service Discovery
DISCOVERY - File and Directory Discovery
CREDENTIAL ACCESS – OS Credential Dumping: LSASS Memory
LATERAL MOVEMENT - Remote Services: Remote Desktop Protocol
LATERAL MOVEMENT - Remote Services: SMB/Windows Admin Shares
EXECUTION - System Services: Service Execution
PERSISTENCE - Scheduled Task
COMMAND AND CONTROL - Ingress Tool Transfer
Darktrace Model Detections
Case A
Device / Suspicious Network Scan Activity
Device / Network Scan
Device / ICMP Address Scan
Device / Reverse DNS Sweep
Device / Suspicious SMB Scanning Activity
Device / Possible SMB/NTLM Reconnaissance
Anomalous Connection / Unusual Admin SMB Session
Device / SMB Session Brute Force (Admin)
Device / Possible SMB/NTLM Brute Force
Device / SMB Lateral Movement
Device / Anomalous NTLM Brute Force
Anomalous Connection / SMB Enumeration
Device / SMB Session Brute Force (Non-Admin)
Device / Anomalous SMB Followed By Multiple Model Breaches
Anomalous Connection / Possible Share Enumeration Activity
Device / RDP Scan
Device / Anomalous RDP Followed By Multiple Model Breaches
Anomalous Connection / Unusual Admin RDP Session
Anomalous Connection / Active Remote Desktop Tunnel
Anomalous Connection / Anomalous DRSGetNCChanges Operation
Anomalous Connection / High Priority DRSGetNCChanges
Compliance / Default Credential Usage
User / New Admin Credentials on Client
User / New Admin Credentials on Server
Device / Large Number of Model Breaches from Critical Network Device
User / New Admin Credential Ticket Request
Compromise / Unusual SVCCTL Activity
Anomalous Connection / New or Uncommon Service Control
Anomalous File / Script from Rare External Location
Anomalous Server Activity / Anomalous External Activity from Critical Network Device
Anomalous File / EXE from Rare External Location
Anomalous File / Numeric File Download
Device / Initial Breach Chain Compromise
Device / Multiple Lateral Movement Model Breaches
Device / Large Number of Model Breaches
Compromise / Multiple Kill Chain Indicators
Case B
User / New Admin Credentials on Client
Compliance / Default Credential Usage
Anomalous Connection / SMB Enumeration
Device / Suspicious SMB Scanning Activity
Device / RDP Scan
Device / New or Uncommon WMI Activity
Device / Anomaly Indicators / New or Uncommon WMI Activity Indicator
Device / New or Unusual Remote Command Execution
Anomalous Connection / New or Uncommon Service Control
Anomalous Connection / Active Remote Desktop Tunnel
Compliance / SMB Drive Write
Anomalous Connection / Anomalous DRSGetNCChanges Operation
Device / Multiple Lateral Movement Model Breaches
Device / Anomalous ITaskScheduler Activity
Anomalous Connection / Unusual Admin RDP Session
Device / Large Number of Model Breaches from Critical Network Device
Compliance / Default Credential Usage
IOC - Type - Description/Probability
146.70.145[.]189 - IP Address - Likely C2 Infrastructure
