Lol (En)

Read more: Boosty | Sponsr | TG

Abstract – This document provides an in-depth analysis of the National Security Agency's (NSA) advisory on combatting cyber threat actors who perpetrate Living Off the Land (LOTL) intrusions. The analysis encompasses a thorough examination of the advisory's multifaceted approach to addressing LOTL tactics, which are increasingly leveraged by adversaries to exploit legitimate tools within a target's environment for malicious purposes.

The analysis offers a high-quality summary of the NSA's advisory, distilling its key points into actionable insights. It serves as a valuable resource for security professionals, IT personnel, policymakers, and stakeholders across various industries, providing them with the knowledge to enhance their defensive capabilities against sophisticated LOTL cyber threats. By implementing the advisory's recommendations, these professionals can improve their situational awareness, refine their security posture, and develop more robust defense mechanisms to protect against the subtle and stealthy nature of LOTL intrusions.

I. INTRODUCTION

The document titled "Joint Guidance: Identifying and Mitigating LOTL Techniques" provides guidance on how organizations can better protect themselves against Living Off the Land (LOTL) techniques. These techniques involve cyber threat actors leveraging legitimate tools and software present within the target's environment to conduct malicious activities, making detection more challenging. The guidance aims to reduce the availability of legitimate operating system and application tools (LOLBins) that threat actors can exploit.

The guidance is based on insights from a joint advisory, red team assessments by the authoring agencies, authoring agency incident response engagements, and collaborative efforts with industry. It stresses the importance of establishing and maintaining an infrastructure that collects and organizes data to help defenders detect LOTL techniques, tailored to each organization's risk landscape and resource capabilities.

A. Main keypoints

• Authoring Agencies: The guide is authored by major cybersecurity and national security agencies from the U.S., Australia, Canada, the United Kingdom, and New Zealand, focusing on common LOTL techniques and gaps in cyber defense capabilities.

• LOTL Techniques: Cyber threat actors use LOTL techniques to compromise and maintain access to critical infrastructure, leveraging legitimate system tools and processes to blend in with normal activities and evade detection.

• Challenges in Detection: Many organizations struggle to detect malicious LOTL activity due to inadequate security and network management practices, a lack of conventional indicators of compromise, and the difficulty of distinguishing malicious activity from legitimate behavior.

• Detection Best Practices: Recommendations include implementing detailed logging, establishing activity baselines, utilizing automation for continuous review, reducing alert noise, and leveraging user and entity behavior analytics (UEBA).

• Hardening Best Practices: Suggestions involve applying vendor-recommended security hardening guidance, implementing application allowlisting, enhancing network segmentation and monitoring, and enforcing authentication and authorization controls.

• Software Manufacturer Recommendations: The guide urges software manufacturers to adopt secure by design principles to reduce exploitable flaws that enable LOTL techniques. This includes disabling unnecessary protocols, limiting network reachability, restricting elevated privileges, enabling phishing-resistant MFA by default, providing secure logging, eliminating default passwords, and limiting dynamic code execution.

B. Secondary keypoints

• The guidance is aimed at helping organizations mitigate Living Off The Land (LOTL) techniques, where threat actors use legitimate tools within the environment for malicious purposes.

• Organizations are advised to exercise due diligence when selecting software, devices, cloud service providers, and managed service providers, choosing those with secure by design principles.

• Vendors should be held accountable for their software's default configurations and adherence to the principle of least privilege.

• Software manufacturers are encouraged to reduce exploitable flaws and take ownership of their customers' security outcomes.

• Network defense strategies include monitoring for unusual system interactions, privilege escalations, and deviations from normal administrative actions.
• Organizations should establish and maintain an infrastructure for collecting and organizing data to detect LOTL techniques, tailored to their specific risk landscape and resource capabilities.

II. BENEFITS AND DRAWBACKS

The analyzed document outlines a comprehensive approach to enhance cybersecurity defenses against LOTL tactics. This approach includes recommendations for detection and logging, centralized logging, behavior analytics, anomaly detection, and proactive hunting.

While the proposed solutions offer significant benefits in enhancing cybersecurity defenses against LOTL tactics, organizations must also consider the potential drawbacks and limitations. Effective implementation requires careful planning, resource allocation, and continuous adjustment to address the evolving threat landscape.

A. Benefits

• Enhanced Detection Capabilities: Implementing comprehensive and verbose logging, along with centralized logging, significantly enhances an organization's ability to detect malicious activities. This approach enables behavior analytics, anomaly detection, and proactive hunting, providing a robust defense against LOTL techniques.

• Improved Security Posture: The guidance recommends hardening measures such as applying vendor-provided or industry-standard hardening guidance, minimizing running services, and securing network communications. These measures reduce the attack surface and improve the overall security posture of organizations.

• Increased Visibility: Centralized logging allows for the maintenance of longer log histories, which is crucial for identifying patterns and anomalies over time. This increased visibility into network and system activities aids in the early detection of potential threats.

• Efficient Use of Resources: Automation of log review and hunting activities increases the efficiency of these processes, enabling organizations to better utilize their resources. Automated systems can compare current activities against established behavioral baselines, focusing on privileged accounts and critical assets.

• Strategic Network Segmentation: Enhancing network segmentation and monitoring limits lateral movement possibilities for threat actors, reducing the "blast radius" of accessible systems in the event of a compromise. This strategic approach helps contain threats and minimizes potential damage.

B. Drawbacks/Limitations

• Resource Intensiveness: Implementing the recommended detection and hardening measures can be resource-intensive, requiring significant investment in technology and personnel training. Smaller organizations may find it challenging to allocate the necessary resources.

• Complexity of Implementation: Establishing and maintaining the infrastructure for comprehensive logging and analysis can be complex. Organizations may face challenges in configuring and managing these systems effectively, especially in diverse and dynamic IT environments.

• Potential for Alert Fatigue: While reducing alert noise is a goal of the proposed solutions, the sheer volume of logs and alerts generated by comprehensive logging and anomaly detection systems can lead to alert fatigue among security personnel, potentially causing critical alerts to be overlooked.

• False Positives and Negatives: Behavior analytics and anomaly detection systems may generate false positives and negatives, leading to unnecessary investigations or missed threats. Fine-tuning these systems to minimize inaccuracies requires ongoing effort and expertise.

• Dependence on Vendor Support: The effectiveness of hardening measures and secure configurations often depends on the support and guidance provided by software vendors. Organizations may face limitations if vendors do not prioritize security or provide adequate hardening guidelines.

III. LIVING OFF THE LAND

Living Off the Land (LOTL) techniques represent a sophisticated cyber threat strategy where attackers exploit native tools and processes already present within a target's environment. This approach allows them to blend seamlessly with normal system activities, significantly reducing the likelihood of detection. The effectiveness of LOTL lies in its ability to utilize tools that are not only already deployed but are also trusted within the environment, thereby circumventing traditional security measures that might block or flag unfamiliar or malicious software.

LOTL techniques are not confined to a single type of environment; they are effectively used across on-premises, cloud, hybrid, Windows, Linux, and macOS environments. This versatility is partly due to the attackers' preference to avoid the costs and efforts associated with developing and deploying custom tools. Instead, they leverage the ubiquity and inherent trust of native tools to carry out their operations.

A. Windows Environments

In Windows environments, which are prevalent in corporate and enterprise settings, LOTL techniques are frequently observed due to the widespread use of and trust in the operating system's native tools, services, and features. Attackers exploit these components, knowing they are ubiquitous and generally trusted, making their malicious activities less likely to be detected.

B. macOS and Hybrid Environments

In macOS environments, the concept of LOTL is often referred to as "living off the orchard." Here, attackers exploit native scripting environments, built-in tools, system configurations, and binaries, known as "LOOBins." The strategy is similar to that in Windows environments but tailored to the unique aspects of macOS. In hybrid environments, which combine physical and cloud-based systems, attackers are increasingly leveraging sophisticated LOTL techniques to exploit both types of systems.

C. Resources and Known Exploits

Several resources provide comprehensive lists and information to understand the specific tools and binaries exploited by attackers:

• The LOLBAS project's GitHub repository offers insights into Living Off The Land Binaries, Scripts, and Libraries.

• Websites like gtfobins.github.io, loobins.io, and loldrivers.io provide lists of Unix, macOS, and Windows binaries, respectively, known to be used in LOTL techniques.

D. Third-Party Remote Access Software

Beyond native tools, cyber threat actors also exploit third-party remote access software, such as remote monitoring and management, endpoint configuration management, EDR, patch management, mobile device management systems, and database management tools. These tools, designed to administer and protect domains, possess built-in functionality that can execute commands across all client hosts in a network, including critical hosts like domain controllers. The high privileges these tools require for system administration make them attractive targets for attackers looking to exploit them for LOTL techniques.

IV. SECURITY BASELINES AND ALERT NOISE

One of the primary issues identified is the lack of security baselines within organizations, which permits the execution of living off the land binaries (LOLBins) without detection of anomalous activity. Additionally, organizations often fail to fine-tune their detection tools, resulting in an overwhelming number of alerts that are difficult to manage and act upon. This is compounded by automated systems performing highly privileged actions that can flood analysts with log events if not properly categorized.

A. Challenges in Distinguishing Malicious Activity

Even organizations with mature cyber postures and best practices in place find it difficult to distinguish between malicious LOTL activity and legitimate behavior:

• LOLBins are commonly used by IT administrators and are therefore trusted, which can mislead network defenders into assuming they are safe for all users.

• There is a misconception that legitimate IT administrative tools are globally safe, leading to blanket "allow" policies that expand the attack surface.

• Overly broad exceptions for tools like PsExec, due to their regular use by administrators, can be exploited by malicious actors to move laterally without detection.

B. Siloed Operations and Untuned EDR Systems

The red team and incident response teams have frequently observed that network defenders:

• Operate in silos, separate from IT teams, hindering the creation of user behavior baselines and delaying vulnerability remediation and abnormal behavior investigations.

• Rely on untuned endpoint detection and response (EDR) systems and discrete indicators of compromise (IOCs), which may not trigger alerts for LOTL activity and can be easily altered by attackers to avoid detection.

C. Logging Configurations and Allowlisting Policies

Deficiencies in logging configurations and allowlisting policies further complicate the detection of LOTL activities:

• Default logging configurations often fail to capture all relevant activity, and logs from many applications require additional processing to be useful for network defense.

• Broad allowlisting policies for IP address ranges owned by hosting and cloud providers can inadvertently provide cover for malicious actors.

D. macOS Device Protections

Network defenders must also ensure adequate protections for macOS devices, which are often mistakenly considered inherently secure:

• macOS lacks standardized system hardening guidance, leading to deployments with default settings that may not be secure.

• The presumption of macOS safety can result in the deprioritization of standard security measures, such as security assessments and application allowlisting.

• In mixed-OS environments, the lower representation of macOS devices can lead to a lack of attention to their security, making them more vulnerable to intrusions.

V. DETECTION OPPORTUNITIES

A. Comprehensive and Detailed Logging

• Implementation of Comprehensive Logging: Establishing extensive and detailed logging mechanisms is crucial. This includes enabling logging for all security-related events across platforms and ensuring that logs are aggregated in a secure, centralized location to prevent tampering by adversaries.

• Cloud Environment Logging: For cloud environments, it's essential to enable logging for control plane operations and configure logging policies for all cloud services, even those not actively used, to detect potential unauthorized activities.

• Verbose Logging for Security Events: Enabling verbose logging for events such as command lines, PowerShell activities, and WMI event tracing provides deeper visibility into tool usage within the environment, aiding in the detection of malicious LOTL activities.

B. Establishing Behavioral Baselines

• Maintaining Baselines: Continuously maintaining a baseline of installed tools, software, account behavior, and network traffic allows defenders to identify deviations that may indicate malicious activity.

• Network Monitoring and Threat Hunting: Enhancing network monitoring, extending log storage, and deepening threat hunting tactics are vital for uncovering prolonged adversary presence leveraging LOTL techniques.

C. Automation and Efficiency

• Leveraging Automation: Using automation to review logs continually and compare current activities against established behavioral baselines increases the efficiency of hunting activities, especially when focusing on privileged accounts and critical assets.

D. Reducing Alert Noise

• Refining Monitoring Tools: It's important to refine monitoring tools and alerting mechanisms to differentiate between typical administrative actions and potential threat behavior, thus focusing on alerts that most likely indicate suspicious activities.

E. Leveraging UEBA

• User and Entity Behavior Analytics (UEBA): Employing UEBA to analyze and correlate activities across multiple data sources helps identify potential security incidents that may be missed by traditional tools, and profiles user behavior to detect insider threats or compromised accounts.

F. Cloud-Specific Considerations

• Cloud Environment Architecting: Architecting cloud environments to ensure proper separation of enclaves and enabling additional logs within the environment provide more insight into potential LOTL activities.

VI. HARDENING STRATEGIES

These strategies are aimed at reducing the attack surface and enhancing the security posture of organizations and their critical infrastructure.

A. Hardening Guidance

Vendor and Industry Hardening Guidance: Organizations should strengthen software and system configurations based on vendor-provided or industry, sector, or government hardening guidance, such as that from NIST, to reduce the attack surface.

1) Platform-Specific Hardening:

• Windows: Apply security updates and patches from Microsoft, follow the Windows Security Baselines Guide or CIS Benchmarks, harden commonly exploited services like SMB and RDP, and disable unnecessary services and features.

• Linux: Check binary permissions and adhere to CIS's Red Hat Enterprise Linux Benchmarks.

• macOS: Regularly update and patch the system, use built-in security features like Gatekeeper, XProtect, and FileVault, and follow the macOS Security Compliance Project's guidelines.

2) Cloud Infrastructure Hardening:

• Microsoft Cloud: Refer to CISA's Microsoft 365 security configuration baseline guides for secure configuration baselines across various Microsoft cloud services.

• Google Cloud: Consult CISA's Google Workspace security configuration baseline guides for secure configuration baselines across Google cloud services.

• Universal Hardening Measures: Minimize running services, apply the principle of least privilege, and secure network communications.

• Critical Asset Security: Apply vendor hardening measures for critical assets like ADFS and ADCS and limit the applications and services that can be used or accessed by them.

• Administrative Tools: Use tools that do not cache credentials on the remote host to prevent threat actors from reusing compromised credentials.

B. Application Allowlisting

Constrain Execution Environment: Implement application allowlisting to channel user and administrative activity through a narrow path, enhancing monitoring and reducing alert volume.

1) Platform-Specific Allowlisting:

• macOS: Configure Gatekeeper settings to prevent execution of unsigned or unauthorized applications.

• Windows: Use AppLocker and Windows Defender Application Control to regulate executable files, scripts, MSI files, DLLs, and packaged app formats.

C. Network Segmentation and Monitoring

• Limit Lateral Movement: Implement network segmentation to limit the access of users to the minimum necessary applications and services, reducing the impact of compromised credentials.

• Network Traffic Analysis: Use tools to monitor traffic between segments and place network sensors at critical points for comprehensive traffic analysis.

• Network Traffic Metadata Parsing: Utilize parsers like Zeek and integrate NIDS like Snort or Suricata to detect LOTL activities.

D. Authentication Controls

• Phishing-Resistant MFA: Enforce MFA across all systems, especially for privileged accounts.

• Privileged Access Management (PAM): Deploy robust PAM solutions with just-in-time access and time-based controls, complemented by role-based access control (RBAC).

• Cloud Identity and Credential Access Management (ICAM): Enforce strict ICAM policies, audit configurations, and rotate access keys.

• Sudoers File Review: For macOS and Unix, regularly review the sudoers file for misconfigurations and adhere to the principle of least privilege.

E. Zero Trust Architecture

As a long-term strategy, the guidance recommends implementing zero trust architectures to ensure that binaries and accounts are not automatically trusted and that their use is restricted and examined for trustworthy behavior.

F. Additional Recommendations

• Due Diligence in Vendor Selection: Choose vendors with secure by design principles and hold them accountable for their software's default configurations.

• Audit Remote Access Software: Identify authorized remote access software and apply best practices for securing remote access.

• Restrict Outbound Internet Connectivity: Limit internet access for back-end servers and monitor outbound connectivity for essential services.

VII. DETECTION AND HUNTING RECOMMENDATIONS

The guidance advocates regular system inventory audits to catch adversary behavior that might be missed by event logs due to inadequate logging configurations or activities occurring before logging enhancements are deployed. Organizations are encouraged to enable comprehensive logging for all security-related events, including shell activities, system calls, and audit trails across all platforms, to improve the detection of malicious LOTL activity.

A. Network Logs

The detection of LOTL techniques through network logs presents unique challenges due to the transient nature of network artifacts and the complexity of distinguishing malicious activity from legitimate behavior. Network defenders must be vigilant and proactive in configuring and setting up logs to capture the necessary data for identifying LOTL activities. Unlike host artifacts, which can often be found unless deliberately deleted by a threat actor, network artifacts are derived from network traffic and are inherently more difficult to detect and capture. Network artifacts are significantly harder to detect than host artifacts because they are largely transient and require proper configuration of logging systems to be captured. Without the right sensors in place to record network traffic, there is no way to observe LOTL activity from a network perspective.

B. Indicators of LOTL Activity

Detecting LOTL activity involves looking for a collection of possible indicators that, together, paint a picture of the behavior of network traffic.

• Reviewing Firewall Logs: Blocked access attempts in firewall logs can signal compromise, especially in a properly segmented network. Network discovery and mapping attempts from within the network can also be indicative of LOTL activity. It is crucial to differentiate between normal network management tool behavior and abnormal traffic patterns.

• Investigating Unusual Traffic Patterns: Specific types of traffic should be scrutinized, such as LDAP requests from non-domain-joined Linux hosts, SMB requests across different network segments, or database access requests from user workstations that should only be made by frontend servers. Establishing baseline noise levels can help in distinguishing between legitimate applications and malicious requests.

• Examining Logs from Network Services on Host Machines: Logs from services like Sysmon and IIS on host machines can provide insights into web server interactions, FTP transactions, and other network activities. These logs can offer valuable context and details that may not be captured by traditional network devices.

• Combining Network Traffic Logs with Host-based Logs: This approach allows for the inclusion of additional information such as user account and process details. Discrepancies between the destination and on-network artifacts could indicate malicious traffic.

C. Application, Security, and System Event Logs

Default logging configurations often fail to capture all necessary events, potentially leaving gaps in the visibility of malicious activities. Prioritizing logs and data sources that are more likely to reveal malicious LOTL activities is crucial for effective detection and response.

D. Authentication Logs

Authentication logs play a vital role in identifying unauthorized access attempts and tracking user activities across the network. The guidance recommends ensuring that logging is enabled for all control plane operations, including API calls and end-user logins, through services like Amazon Web Services CloudTrail, Azure Activity Log, and Google Cloud Audit Logs. These logs can provide valuable insights into potential LOTL activities by highlighting unusual access patterns or attempts to exploit authentication mechanisms.

A robust strategy for the separation of privileges is essential for identifying LOTL techniques through authentication logs. Practices such as restricting domain administrator accounts to only log into domain controllers and using Privileged Access Workstations (PAWs) in conjunction with bastion hosts can minimize credential exposure and reinforce network segmentation. Multifactor authentication adds an additional layer of security.

E. Host-based Logs

Sysmon and other host-based logging tools offer granular visibility into system activities that can indicate LOTL exploitation. By capturing detailed information about process creations, network connections, and file system changes, these tools can help organizations detect and investigate suspicious behavior that might otherwise go unnoticed.

1) Establishing Baselines and Secure Logging

A foundational step in detecting abnormal or potentially malicious behavior is the establishment of baselines for running tools and activities. This involves understanding the normal operational patterns of a system to identify deviations that may indicate a security threat. It's also essential to rely on secure logs that are less susceptible to tampering by adversaries. For instance, while Linux .bash_history files can be modified by nonprivileged users, system-level auditd logs are more secure and provide a reliable record of activities.

2) Leveraging Sysmon in Windows Environments

Sysmon, a Windows system monitoring tool, offers granular insights into activities such as process creations, network connections, and registry modifications. This detailed logging is invaluable for security teams in hunting for and detecting the misuse of legitimate tools and utilities. Key strategies include:

• Using the OriginalFileName property to identify renamed files, which may indicate malicious activity. For most Microsoft utilities, the original filenames are stored in the PE header, providing a method to detect file tampering.

• Implementing detection techniques to identify the malicious use of command-line and scripting utilities, especially those exploiting Alternate Data Streams (ADS). Monitoring specific command-line arguments or syntax used to interact with ADS can reveal attempts to execute or interact with hidden payloads.

3) Targeted Detection Strategies

Enhancing Sysmon configurations to log and scrutinize command-line executions, with a focus on patterns indicative of obfuscation, can help identify attempts by cyber threat actors to bypass security monitoring tools. Examples include the extensive use of escape characters, concatenation of commands, and the employment of Base64 encoding.

4) Monitoring Suspicious Process Chains

Monitoring for suspicious process chains, such as Microsoft Office documents initiating scripting processes, is a key indicator of LOTL activity. It's uncommon for Office applications to launch scripting processes like cmd.exe, PowerShell, wscript.exe, or cscript.exe. Tracking these process creations and the execution of unusual commands from Office applications can signal a red flag and warrants further investigation.

5) Integrating Logs with SIEM Systems

Integrating Sysmon logs with Security Information and Event Management (SIEM) systems and applying correlation rules can significantly enhance the detection of advanced attack scenarios. This integration allows for the automation of the detection process and the application of analytics to identify complex patterns of malicious activity.

6) Linux and macOS Considerations

On Linux machines, enabling Auditd or Sysmon for Linux logging and integrating these logs with a SIEM platform can greatly improve the detection of anomalous activities. For macOS, utilizing tools like Santa, an open-source binary authorization system, can help monitor process executions and detect abnormal behavior by productivity applications.

F. Review Configurations

Regularly reviewing and updating system configurations is essential to ensure that security measures remain effective against evolving threats. This includes verifying that logging settings are appropriately configured to capture relevant data and that security controls are aligned with current best practices. Organizations should also assess the use of allowlists and other access control mechanisms to prevent the misuse of legitimate tools by malicious actors.

Regular reviews of host configurations against established baselines are essential for catching indicators of compromise (IOCs) that may not be reverted through regular group policy updates. This includes changes to installed software, firewall configurations, and updates to core files such as the Hosts file, which is used for DNS resolution. Such reviews can reveal discrepancies that signal unauthorized modifications or the presence of malicious software.

• Bypassing Standard Event Logs: Cyber threat actors have been known to bypass standard event logs by directly writing to the registry to register services and scheduled tasks. This method does not create standard system events, making it a stealthy way to establish persistence or execute tasks without triggering alerts.

• System Inventory Audits: Conducting regular system inventory audits is a proactive measure to catch adversary behavior that may have been missed by event logs, whether due to incorrect event capture or activities that occurred before logging enhancements were deployed. These audits help ensure that any changes to the system are authorized and accounted for.

G. Behavioral Analysis

Comparing activity against normal user behavior is key to detecting anomalies. Unusual behaviors to look out for include odd login hours, access outside of expected work schedules or holiday breaks, rapid succession or high volume of access attempts, unusual access paths, concurrent sign-ins from multiple locations, and instances of impossible time travel.

H. NTDSUtil.exe and PSExec.exe

Specific attention is given to detecting misuse of NTDSUtil.exe and PSExec.exe, tools that, while legitimate, are often leveraged by attackers for malicious purposes, such as attempts to dump credentials or move laterally across the network. By focusing on the behavioral context of these tools' usage, organizations can more effectively distinguish between legitimate and malicious activities.

1) The Exploitation Process

A common tactic involves creating a volume shadow copy of the system drive, typically using vssadmin.exe with commands like Create Shadow /for=C:. This action captures a snapshot of the system's current state, including the Active Directory database. Following this, ntdsutil.exe is employed to interact with this shadow copy through a specific command sequence (ntdsutil snapshot "activate instance ntds" create quit quit). The attackers then access the shadow copy to extract the ntds.dit file from a specified directory. This sequence aims to retrieve sensitive credentials, such as hashed passwords, from the Active Directory, enabling full domain compromise.

2) Detection and Response

To detect and respond to such exploitation, it's crucial to understand the context of ntdsutil.exe activities and differentiate between legitimate administrative use and potential malicious exploitation. Key log sources and monitoring strategies include:

• Command-line and Process Creation Logs: Security logs (Event ID 4688) and Sysmon logs (Event ID 1) provide insights into the execution of ntdsutil.exe commands. Unusual or infrequent use of ntdsutil.exe for snapshot creation might indicate suspicious activity.

• File Creation and Access Logs: Monitoring file creation events (Sysmon's Event ID 11) and attempts to access sensitive files like NTDS.dit (security logs with Event ID 4663) can offer additional context to the snapshot creation and access process.

• Privilege Use Logs: Event ID 4673 in security logs, indicating the use of privileged services, can signal potential misuse when correlated with the execution of ntdsutil.exe commands.

• Network Activity and Authentication Logs: These

• Command-line and Process Creation Logs: Security logs (Event ID 4688) and Sysmon logs (Event ID 1) are invaluable for tracking the execution of PSExec.exe and associated commands. These logs detail the command line used, shedding light on the process's nature and intent.

• Privilege Use and Explicit Credential Logs: Security logs (Event ID 4672) document instances where special privileges are assigned to new logons, crucial when PSExec is executed with the -s switch for SYSTEM privileges. Event ID 4648 captures explicit credential use, indicating when PSExec is run with specific user credentials.

• Sysmon Logs for Network Connections and Registry Changes: Sysmon's Event ID 3 logs network connections, central to PSExec's remote execution functionality. Event IDs 12, 13, and 14 track registry changes, including deletions (Event ID 14) of registry keys associated with the executed Netsh command, providing evidence of modifications to the system's configuration.

• Windows Registry Audit Logs: If enabled, these logs record modifications to registry keys, offering detailed information such as the timestamp of changes, the account under which changes were made (often the SYSTEM account due to PSExec's -s switch), and the specific registry values altered or deleted.

• Network and Firewall Logs: Analysis of network traffic, especially SMB traffic characteristic of PSExec
logs can provide context about concurrent remote use, and firewall logs on the target system can reveal
connections or data transfers, potentially indicating data connections to administrative shares and changes to the
exfiltration attempts. Authentication logs are also system's network configuration. These logs can
crucial for identifying the executor of the ntdsutil.exe correlate with the timing of command execution,
command and assessing whether the usage aligns with providing further context to the activity.
typical administrative behavior.
3) Comprehensive Analysis of PSExec.exe in LOTL Tactics VIII. REMEDIATION STRATEGIES FOR COMPROMISED
PSExec.exe, a component of the Microsoft PsTools suite, is NETWORKS
a powerful utility for system administrators, offering the When an organization detects a compromise, especially
capability to remotely execute commands across networked involving Living Off the Land (LOTL) tactics, it is critical to
systems, often with elevated SYSTEM privileges. Its versatility, implement immediate defensive countermeasures. The Joint
however, also makes it a favored tool in Living Off the Land Guidance on Identifying and Mitigating LOTL Techniques
(LOTL) tactics employed by cyber threat actors. outlines a comprehensive remediation strategy that
organizations should follow to mitigate the impact of such
4) The Role of PSExec.exe in Cyber Threats incidents.
PSExec.exe is commonly utilized for remote administration
and the execution of processes across systems, such as execute A. Immediate Response Actions
one-off commands aimed at modifying system configurations, • Reset credentials for both privileged and non-privileged
such as removing port proxy configurations on a remote host accounts within the trust boundary of each compromised
with commands like: account.
"C:\pstools\psexec.exe" {REDACTED} -s cmd /c "cmd.exe • Force password resets and revoke and issue new
/c netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 certificates for all accounts and devices.
listenport=9999"
B. Windows Environment Specific Actions:
5) Detection and Contextualization Strategies
To effectively counter the malicious use of PSExec.exe, • If access to the Domain Controller (DC) or Active
network defenders must leverage a variety of logs that provide Directory (AD) is suspected, reset all local account
insights into the execution of commands and the broader context passwords, including Guest, HelpAssistant,
of the operation: DefaultAccount, System, Administrator, and krbtgt. The
Read more: Boosty | Sponsr | TG
krbtgt account, which handles Kerberos ticket requests, This proactive integration ensures that security considerations
should be reset twice to ensure security due to its two- are not an afterthought but a fundamental component of the
password history. product from inception to deployment.
• If the ntds.dit file is suspected to have been exfiltrated, C. Mandating Multi-Factor Authentication (MFA)
reset all domain user passwords. Manufacturers should mandate MFA, ideally phishing-
• Review and adjust access policies, temporarily revoking resistant MFA, for privileged users and make it a default feature
or reducing privileges to contain affected accounts and rather than an optional one. This step significantly enhances the
devices. security of user accounts, particularly those with elevated
access.
• Reset Non-Elevated Account Credentials: If the threat
actor's access is limited to non-elevated permissions, D. Reducing Hardening Guide Size
reset the relevant account credentials or access keys and The size of hardening guides that accompany products
monitor for further signs of unauthorized access, should be tracked and reduced. As new versions of the software
especially for administrative accounts. are released, the aim should be to shrink the size of these guides
over time by integrating their components as the default
C. Network and Device Configuration Audit configuration of the product.
• Audit Network Appliances and Edge Devices: Check
for signs of unauthorized or malicious configuration E. Considering User Experience
changes. If changes are found: The user experience consequences of security settings must
be considered. Ideally, the most secure setting should be
o Change all credentials used to manage network integrated into the product by default, and when configuration is
devices, including keys and strings securing necessary, the default option should be secure against common
network device functions. threats. This approach reduces the cognitive burden on end users
o Update all firmware and software to the latest and ensures broad protection.
versions. F. Removing Default Passwords
D. Remote Access Tool Usage Default passwords should be eliminated entirely or, where
Minimize and Control Remote Access: Follow best necessary, be generated or set upon first install and then rotated
practices for securing remote access tools and protocols, periodically. This practice prevents the use of default passwords
including guidance on securing remote access software and as an easy entry point for malicious actors.
using PowerShell securely. G. Limiting Dynamic Code Execution
IX. RECOMMENDATIONS FOR SOFTWARE MANUFACTURERS Dynamic code execution, while offering versatility, presents
a vulnerable attack surface. Manufacturers should limit or
These recommendations is crucial in reducing the prevalence
remove the capability for dynamic code execution due to the
of exploitable flaws that enable LOTL tactics.
high risk and the challenge of detecting associated indicators of
A. Minimizing Attack Surfaces compromise (IOCs).
Software manufacturers are urged to minimize attack H. Removing Hard-Coded Credentials
surfaces that can be exploited by cyber threat actors using LOTL
Applications and scripts containing hard-coded plaintext
techniques. This includes disabling unnecessary protocols by
credentials pose a significant security risk. Removing such
default, limiting the number of processes and programs running
credentials is essential to prevent malicious actors from using
with escalated privileges, and taking proactive steps to limit the
them to access resources and expand their presence within a
ability for actors to leverage native functionality for intrusions.
network.
B. Embedding Security in the SDLC
Security should be embedded into the product architecture
throughout the entire software development lifecycle (SDLC).
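Returning to the detection guidance in section H (NTDSUtil.exe and PSExec.exe), the following Python sketch is an added example, not code from the advisory or from this analysis: it applies the process-creation (Security 4688 / Sysmon 1) and special-privilege logon (4672) log sources listed there to constructed sample events, tags the vssadmin/ntdsutil and PSExec command lines, and raises severity when the ntds.dit sequence or a psexec -s run correlates on the same host. Host names, account names, the regex shapes and the baseline-admin de-noising are assumptions.

```python
"""Added example (not the advisory's code): flag the ntdsutil.exe / PSExec.exe command
lines from section H in Security 4688 / Sysmon 1 records and correlate them. Constructed data."""
import re

# Assumed command-line shapes; first match wins, so "psexec_system" (-s) beats "psexec".
PATTERNS = {
    "vss_shadow_create": re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),
    "ntds_snapshot": re.compile(r"\bntdsutil(\.exe)?\b.*\b(snapshot|activate instance ntds)\b", re.I),
    "psexec_system": re.compile(r"\bpsexec(64)?(\.exe)?\b.*\s-s\b", re.I),
    "psexec": re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
}

# Constructed events: a DC dump sequence, psexec -s confirmed by a 4672 logon, routine helpdesk use, Office.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "DC01", "user": "CORP\\backupsvc", "cmd": "vssadmin.exe Create Shadow /for=C:"},
    {"id": 1, "host": "DC01", "user": "CORP\\backupsvc",
     "cmd": 'ntdsutil.exe snapshot "activate instance ntds" create quit quit'},
    {"id": 4672, "host": "WS07", "user": "NT AUTHORITY\\SYSTEM", "cmd": ""},
    {"id": 4688, "host": "WS07", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": '"C:\\pstools\\psexec.exe" \\\\WS07 -s cmd /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999"'},
    {"id": 4688, "host": "WS03", "user": "CORP\\helpdesk", "cmd": "psexec.exe \\\\WS03 ipconfig"},
    {"id": 1, "host": "WS03", "user": "CORP\\alice", "cmd": "WINWORD.EXE report.docx"},
]

def classify(cmd):
    """Technique tag for a command line, or None when nothing matches."""
    return next((tag for tag, rx in PATTERNS.items() if rx.search(cmd)), None)

def detect(events, baseline_admins=frozenset()):
    """Return findings for Security 4688 / Sysmon 1 events, in log order. Severity is
    "high" for an ntdsutil snapshot after shadow-copy creation on the same host (the
    ntds.dit theft sequence) or psexec -s on a host that also logged a 4672 logon;
    "low" for a match by an account in baseline_admins (kept, but de-noised); else "medium"."""
    priv_hosts = {e["host"] for e in events if e["id"] == 4672}
    tags_by_host, findings = {}, []
    for e in events:
        if e["id"] not in {4688, 1} or (tag := classify(e["cmd"])) is None:
            continue
        seen = tags_by_host.setdefault(e["host"], set())
        seen.add(tag)
        high = (tag == "ntds_snapshot" and "vss_shadow_create" in seen) or \
               (tag == "psexec_system" and e["host"] in priv_hosts)
        severity = "high" if high else "low" if e["user"] in baseline_admins else "medium"
        findings.append({"host": e["host"], "user": e["user"], "tag": tag,
                         "severity": severity, "cmd": e["cmd"]})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, baseline_admins={"CORP\\helpdesk"}):
        print(f"{f['severity']:<6} {f['host']:<5} {f['tag']:<18} {f['cmd']}")
```

Feeding real 4688/Sysmon 1 exports in the same dict shape is enough to try it against an environment's own activity baseline; the Event ID 11 / 4663 file-access events the text also mentions would be a natural second correlation input.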