Living-off-the-land (LotL)
Definition
An attack approach in which the adversary uses tools and binaries already present on the target system, such as PowerShell, WMI, certutil, or mshta, rather than introducing new malware. LotL techniques are harder to detect because the binaries being executed are legitimate and often whitelisted.
Related terms
- Lateral movement: Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
- Anti-forensic technique: Any action taken by an attacker to destroy, conceal, or alter evidence of their activity. Common examples include log clearing, timestomping, use...
- Credential dumping: Extraction of authentication credentials from operating system memory, the Windows SAM database, Active Directory, or credential stores. Tools such as Mimikatz target...
- Credential stuffing: An automated attack that replays username-password pairs from previous data breaches against new target services, exploiting the widespread reuse of passwords across...
- MITRE ATT&CK: A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
- Privilege escalation: A post-access technique in which an attacker who has gained low-level access to a system exploits a vulnerability or misconfiguration to obtain...
- Tactic: The adversary's high-level objective at a given stage of the attack: for example, Initial Access, Execution, Persistence, Privilege Escalation, or Exfiltration. ATT&CK...
- Technique: A specific method an adversary uses to achieve a tactic. Each technique has a unique identifier such as T1059 (Command and Scripting...
- Unauthorised access: The act of accessing a computer, network, or data store without permission from the owner or without lawful authority. The core element...
Explained in these topics
- Common Attack Techniques and Tactics, Techniques and Procedures: An attack approach where the adversary uses tools and binaries already present on the target system, such as PowerShell, WMI, certutil, or mshta, rather than i...
- Hacking and Unauthorised Access Offences: An intrusion technique in which attackers use tools and executables already present on the victim system, such as PowerShell, WMI, or built-in scripting interp...