Living-off-the-Land: How Attackers Blend into Traffic

“Living off the land” is a strategy employed to discreetly achieve a dubious aim. Think about a couple of wedding crashers. Dressed impeccably, they blend in seamlessly with legitimate guests, indulging in the spread and avoiding direct contact with the newlyweds who might identify them as illegitimate guests. Similarly, a hiker in the wilderness becomes harder to trace when they utilize their surroundings for sustenance, compared to one reliant on carried provisions and a tent.

Living off the land is a common military tactic as well. Armies in the past have used it to move swiftly and undetected to surprise an opposing army camped some distance away. Today, terrorist forces and some military units will wear civilian clothing to blend in with the local citizens, thus making it difficult for enemy forces to distinguish between combatants and non-combatants.

It’s also used in cyberattacks as well. Like the wedding crashers, these attackers blend in with your network environment. They make use of the very tools found on your own systems that your IT staff use every day. They move about in common traffic patterns and make sure that they stay away from possible honeypots and security tools that might identify their risk potential.

No Calling Card of Breadcrumbs

Only in the movies does an arrogant thief leave their calling card behind for the authorities. In the real world, criminals want to work with anonymity. Traditional antivirus and anti-malware tools relied on signatures to detect malicious code. These signatures were a type of calling card that would identify the threat. To outflank these security tools, attackers are using fileless malware attacks that work completely within the process memory of a breached system. Unfortunately, traditional security controls that rely on prescribed metrics and systematic alerts are limited in their ability to identify and prioritize attacks.  

Without the breadcrumbs of files dropped on the hard drive, fileless attacks are far easier to evade detection. There are even fileless variants of ransomware today. These fileless attacks are one reason why the dwell time for threats increased by 36% between 2020 and 2021. The longer that attackers can mobilize within your network unabated, the more time they must learn about your network, and its defenses, thus increasing the odds of a successful mission.

Using Your Own Tools Against You

Another way that fileless attacks capitalize on the concept of “living off the land” is by leveraging native system tools to further their malicious objectives. Some frequently exploited tools include:

  • PowerShell can be used to download and execute payloads or move laterally within your network.
  • Windows Management Instrumentation can be used to automate administrative tasks for malicious purposes.
  • Scheduled tasks are used to automate tasks and trigger malicious activities at startup or logon as well as at specific time intervals to ensure persistence.
  • Microsoft Office Macros can be used to invoke scripting engines such as CMD.exe or PowerShell to run commands directly in memory, download additional payloads or interact with the system without dropping traditional files to the disk.

In addition to tools, attackers often employ native scripts and shellcode, eliminating the necessity to download external binaries. This approach allows them to discreetly navigate your network by leveraging pre-existing resources. For example, a support technician inspecting a computer or server’s system tools might come across scheduled tasks and, given their inherent nature, mistakenly consider them to be legitimate.

Blending in With the Environment

Many fileless attacks use valid credentials to move laterally within an environment. They may use the compromised account of an HR manager to access the employee database or the credentials of a server admin to access system backups to destroy them in advance of an attack. They also work within normal traffic patterns and flow. In the same way that a street criminal would use the crosswalks to navigate downtown streets rather than jaywalking and calling attention to themselves, fileless attackers communicate with command-and-control servers using standard web traffic ports such as 80 or 443. This helps them blend in with regular internet browsing traffic. They also use common protocols such as DNS to perform data exfiltration or make malicious requests. Fileless attacks are often designed to achieve their objective quickly and then quickly disappear without a trace.

How to Combat Fileless Attacks

Cybersecurity used to be simple. You only needed a single antivirus application to identify and mitigate signature-based virus attacks. Unfortunately, attacks are far more complex, and thus the necessary defensive measures are equally complicated. Some of the tools that can aid in fileless attack mitigation include the following:

  • Endpoint Detection and Response (EDR)

EDR solutions can be used to identify unusual patterns that might indicate a fileless attack such as suspicious memory usage or an unexpected PowerShell command. They can also leverage threat intelligence feeds to keep updated about the latest threat methodologies, including those used in fileless attacks.

  • Network Detection and Response (NDR)

NDR solutions can be used to analyze network traffic in real-time to properly identify patterns or behaviors that might indicate a fileless attack such as unusual lateral movement within the network. They can conduct deep packet inspections of packets, even for encrypted traffic, to detect malicious content.

  • User and Entity Behavior Analytics (UEBA)

UEBA tools work to continuously monitor and build profiles of user and entity behavior across an organization that allows their security teams to understand what “normal activity” looks like. This allows them to establish baselines that are then used to detect deviations or anomalies that may indicate a threat.

  • Security Information and Event Management (SIEM)

A SIEM is used to collect and aggregate logs and alerts from multiple sources across the network to analyze event data in real-time and correlate disparate events such as the continuance of failed logon attempts concerning user accounts.

In addition to these tools, organizations are turning to the MITRE ATT&CK framework to increase their resilience to fileless attacks by better understanding their methodologies as well as the attackers known to utilize them. It is not uncommon for security teams to integrate MITRE with their SIEM to increase its effectiveness. For instance, MITRE has extensive documentation on how attackers make use of Windows Scheduled Tasks to inconspicuously conduct a wide array of malicious activities.

Using a SOC to Combat Fileless Threats

As you can see, fileless attacks are hard to detect, identify and mitigate. To do so requires the right tools as well as extensive experience and training. That is why many businesses turn to a third-party solution such as SOC providers to attain the proper expertise to combat these stealthy threats. CYREBRO utilizes the right mix of monitoring tools, behavior analysis, and detection methods that have proven effective against fileless attacks.


You not only want to stop attackers from living off the land, but you also want to keep them off your land all together if possible. For those businesses that continue to rely on traditional security tools and reactionary countermeasures, the experience of a fileless attack is only a matter of time. Protecting your network estate from such modern attacks requires a modern approach.

Sign Up for Updates