Adversaries are increasingly using legitimate tools also employed by the victim organization to stay better hidden by blending into the victim’s traffic, according to Jon Clay, Trend Micro’s vice president of threat intelligence. Legitimate tools can be harnessed to carry out every piece of the attack chain from initial access, asset discovery and lateral movement to data exfiltration and credential theft, Clay said.
Living-off-the-land attacks are a counter-forensic activity since they force businesses to have a mechanism for examining the use of tools like Cobalt Strike, Mimikatz and PsExec to determine whether a particular instance is legitimate or illegitimate, according to Clay. As with stolen admin credentials, Clay said, adversaries pursuing living-off-the-land attacks can engage in lots of activities that fly under the radar.
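One shape such a mechanism can take, as an added example rather than anything from Trend Micro or the article: a baseline of which accounts, source hosts and hours are expected to run PsExec, with every other instance labelled for review. The approved accounts, jump hosts, maintenance window and sample events are constructed assumptions about a hypothetical environment.

```python
"""Baseline check for a dual-use admin tool (constructed example, not Trend Micro's code).

The tool itself is legitimate, so the question is never 'was PsExec run?' but
'was this run consistent with how our own admins use it?'.
"""
from dataclasses import dataclass

# Assumed baseline: who may run remote-admin tooling, from where, and when.
APPROVED_ADMINS = {"corp\\svc_patching", "corp\\jdoe_adm"}
APPROVED_SOURCE_HOSTS = {"JUMP01", "JUMP02"}
MAINTENANCE_HOURS = range(22, 24)  # 22:00-23:59 local; assumption for the example

@dataclass(frozen=True)
class ProcessEvent:
    host: str   # host on which the process started
    user: str   # account that launched it
    image: str  # executable file name
    hour: int   # local hour of day, 0-23

def deviations(ev: ProcessEvent) -> list:
    """Return the ways this event departs from the baseline; empty means expected use."""
    reasons = []
    if ev.user.lower() not in APPROVED_ADMINS:
        reasons.append("unapproved account")
    if ev.host.upper() not in APPROVED_SOURCE_HOSTS:
        reasons.append("unapproved source host")
    if ev.hour not in MAINTENANCE_HOURS:
        reasons.append("outside maintenance window")
    return reasons

def triage(events, watched=("psexec.exe", "psexec64.exe")):
    """Keep only the watched admin tools and label each instance 'expected' or 'review'."""
    results = []
    for ev in events:
        if ev.image.lower() not in watched:
            continue  # not a tool we baseline; other logic handles it
        why = deviations(ev)
        results.append((ev, "review" if why else "expected", why))
    return results

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("JUMP01", "CORP\\svc_patching", "PsExec.exe", 22),
    ProcessEvent("WS-ACCT-17", "CORP\\asmith", "psexec64.exe", 3),
    ProcessEvent("JUMP02", "CORP\\jdoe_adm", "psexec.exe", 14),
    ProcessEvent("JUMP01", "CORP\\svc_patching", "notepad.exe", 22),
]

if __name__ == "__main__":
    for ev, verdict, why in triage(SAMPLE_EVENTS):
        print(f"{verdict:8} {ev.host:11} {ev.user:20} {ev.image:13} "
              + (", ".join(why) or "matches baseline"))
```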
Threat actors engage in asset discovery and app discovery when scoping out potential victims to ensure they’re able to blend in by using the same apps and OS as the intended target, Clay said. Trend Micro has documented between 20 and 30 legitimate tools that can also be used by ransomware actors for nefarious purposes, according to Clay.