In most cyberattacks, malware infects the victim’s computer and acts as the attacker’s docking station. Finding and removing this docking station is relatively easy with antimalware. But there is another attack method where the cybercriminal doesn’t need to install malware.

Instead, an attacker executes a script that uses the resources on the device for the cyberattack. And worst of all, a Living off the Land (LotL) attack can go undetected for a long time. However, preventing, finding, and neutralizing these attacks is possible.

What Is a LotL Attack?

A LotL attack is a kind of fileless attack where a hacker uses the programs already on a device instead of using malware. This method of using native programs is more subtle and makes discovering the attack less likely.

Some native programs hackers often use for LotL attacks include the command line console, PowerShell, the Windows registry console, and the Windows Management Instrumentation command line. Hackers also use Windows-Based and Console-Based Script hosts (WScript.exe and CScript.exe). The tools come with every Windows computer and are necessary for executing normal administrative tasks.

How Do LotL Attacks Happen?

Photo of the Command Line Interface

Although LotL attacks are fileless, hackers still rely on familiar social engineering tricks to find who to target. Many attacks happen when a user visits an unsafe website, opens a phishing email, or uses an infected USB drive. These websites, emails, or media devices contain the attack kit carrying the fileless script.

In the next stage of hacking, the kit scans system programs for vulnerabilities and executes the script to compromise vulnerable programs. From here on, the attacker can remotely access the computer and steal data or create vulnerability backdoors using only system programs.

What to Do if You’re a Victim of a Living Off the Land Attack

Because LotL attacks use native programs, your antivirus may not detect the attack. If you are a Windows power user or are tech-savvy, you may use command-line auditing to sniff out attackers and remove them. In this case, you will be looking for process logs that seem suspicious. Start with auditing processes with random letters and numbers; user management commands in odd places; suspicious script executions; connections to suspicious URLs or IP addresses; and vulnerable, open ports.

Turn off the Wi-Fi

If you rely on antimalware for your device protection like most people, you may not notice harm has been done until much later. If you have evidence that you’ve been hacked, the first thing to do is disconnect your computer from the internet. This way, the hacker can’t communicate with the device. You must also disconnect the infected device from other devices if it’s part of a wider network.

However, turning off your Wi-Fi and isolating the infected device is not enough. So try turning off the router and disconnecting the ethernet cables. You may also need to power down the device while you do the next thing to manage the attack.

Reset Account Passwords

You’ll need to assume that your online accounts have been compromised and change them. Doing this is important to prevent or stop identity theft before the hacker does serious damage.

Photo of Person Using a Computer

Start with changing the password to the accounts that hold your financial assets. Then, move on to work and social media accounts, especially if these accounts do not have two-factor authentication enabled. You could use a password manager to create secure passwords too. Also, consider enabling 2FA on your account if the platform supports it.

Remove Your Drive and Back Up Your Files

If you have the right knowledge, remove the hard drive from the infected computer and connect it as an external hard drive to a different computer. Perform an in-depth scan of the hard drive to find and remove anything malicious from the old computer. Then, proceed to copy your important files to a different clean, removable drive. If you need technical help, don't be afraid to get assistance.

Wipe the Old Drive

Now that you have a backup of your important files, it is time to wipe the old drive clean. Return the old drive to the infected computer and perform a deep wipe.

Do a Clean Install of Windows

A clean install wipes everything on your computer. It sounds like an over-the-top measure, but it’s necessary due to the nature of LotL attacks. There’s no way to tell how many native programs an attacker has compromised or hidden backdoors in. The safest bet is to wipe everything clean and clean install the operating system.

Install Security Patches

Odds are the installation file will be behind when it comes to security updates. So, after installing a clean operating system, scan for and install updates. Also, consider removing bloatware—they are not bad, but it’s easy to forget about them until you notice something’s hogging your system resources.

How to Prevent LotL Attacks

Unless they have direct access to your computer, hackers still need a way to deliver their payload. Phishing is the most common way hackers find whom to hack. Other ways include Bluetooth hacks and man-in-the-middle attacks. In any way, the payload is disguised in legitimate files, such as a Microsoft Office file containing short, executable scripts to avoid detection. So, how do you prevent these attacks?

Keep Your Software Updated

installing an os update

The payload in LotL attacks still relies on vulnerabilities in a program or your operating system to execute. Setting your device and programs to download and install security updates as soon as they become available can turn the payload into a dud.

Set Software Restriction Policies

Keeping your software updated is a good start, but the cybersecurity landscape changes quickly. You may miss an update window to quell vulnerabilities before attackers exploit them. As such, it is better to restrict how programs can execute commands or use system resources in the first place.

You have two options here: to blacklist or whitelist programs. Whitelisting is when you grant a list of programs access to system resources by default. Other existing and new programs are restricted by default. Conversely, blacklisting is when you make a list of programs that cannot access system resources. This way, other existing and new programs can access system resources by default. Both options have their pros and cons, so you’ll have to decide which is best for you.

There Is No Silver Bullet for Cyberattacks

The nature of Living off the Land attacks means most people will not know they’ve been hacked until something goes seriously wrong. And even if you are technically savvy, there is no one way to tell if an adversary has infiltrated your network. It's better to avoid cyberattacks in the first place by taking sensible precautions.