Identifying and Mitigating Living Off the Land Techniques
Release Date: 02/08/2024
Organization: ASD's ACSC
Content Type: Guidance
Solution Provider Neutrality: Neutral
This joint guidance for network defenders focuses on how to mitigate gaps and how to detect and hunt for living off the land (LOTL) activity. The information in this guide is derived from a previously published joint advisory; incident response engagements undertaken by several of the authoring agencies; red team assessments by several of the authoring agencies that used LOTL techniques to gain undetected, persistent access; and collaborative efforts with industry.
The authoring agencies have observed cyber threat actors, including the People’s Republic of China (PRC) and Russian Federation state-sponsored actors, leveraging LOTL techniques to compromise and maintain persistent access to critical infrastructure organizations. The authoring agencies are releasing this joint guide for network defenders (including threat hunters) as the malicious use of LOTL techniques is increasingly emerging in the broader cyber threat environment.
Cyber threat actors leveraging LOTL abuse native tools and processes that are already present on systems. They use LOTL in multiple IT environments, including on-premises, cloud, hybrid, Windows, Linux, and macOS environments. LOTL enables cyber threat actors to conduct their operations discreetly because they can blend their activity in with typical system and network behavior, potentially circumventing basic endpoint security capabilities. This is where a Zero Trust strategy can help.