Symantec researchers spotted attackers increasingly making use of tools already installed on targeted computers or running simple scripts and shellcode directly in memory in what researchers are calling “living off the land” tactics.
The researchers divided the techniques into four main categories — memory-only threats, fileless persistence, dual use tools, and non-PE file attack, according to the “ISTR Living off the land and fileless attack techniques” report.
These tactics allow threat actors to create fewer new files on the hard disk meaning they have less chance of being detected by traditional security tools and minimize their likelihood of being blocked.
The typical attack chain for these techniques are the incursion, persistence and payload. Incursions are achieved by exploiting remover code execution vulnerabilities to run shell code directly in memory, the report said.
“More commonly it is an email with a malicious script inside a document or hidden in another host file such as a LNK file,” the report said. “The threat may implement multiple stages with downloader or self-decrypting parts, each of which might follow living off the land techniques again.”
As firms beef up their security practices it becomes more difficult and cost intensive to find reliable exploit vulnerabilities and often spearphishing attacks combined with social engineering prove just as reliable in achieving the attacker’s goal, the report said.
Once compromised the attacker may or may not use the fileless payload in regards to the persistence method with researchers noting the threat may not be persistent at all depending on the goal of the hacker.
Finally the payload of these attacks often use dual use tools such as netsh PsExec.exe, Memory only payload such as Mirai DDoS or Non-PE file payload such as PowerShell script.
To combat these threats, researchers said the best protections include an advanced anti-virus engine, behavior analytics tools, email security, sandboxing, system hardening, network security, and visibility.