living-off-the-land attack [Solved]

We had a weird incident last week. Security kept saying the machine was clean. No malware, no alerts, nothing. But someone was clearly messing around on it. Later I heard the term “living-off-the-land attack” and now I’m wondering how we even missed it.
Replies (5)
Because there was probably nothing “new” to detect. No sketchy files, no random EXEs. They just used whatever was already on the system. PowerShell, schedulers, built-in tools. To most security tools, it looks like normal admin activity.
Hold on, is that basically the same as fileless malware then? Or is living-off-the-land something different?
Related, but not the same thing. Fileless just means nothing malicious gets written to disk. Living-off-the-land is more about how they operate. They abuse legit tools the OS already trusts. Most LOTL attacks end up being fileless, but not every fileless attack is living-off-the-land.
That actually explains a lot. Our logs showed tons of normal commands running, just at really odd hours. We assumed it was automation or someone on-call doing maintenance.
That’s the scary part. Everything looks fine until you step back and look at behaviour over time. Makes you realize “no alerts” doesn’t really mean “no attack” anymore.
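The point made in the last two replies (normal commands, odd hours, only visible when you look at behaviour over time) can be turned into a simple detection. The script below is an added example, not code from any poster in this thread. It assumes a process-creation log in a constructed "timestamp host user image commandline" format, a business-hours window of 07:00 to 18:59 local time, and a short list of commonly abused built-in Windows tools; all of those are assumptions, and the sample log lines are constructed for illustration.

```python
"""Flag built-in tool usage that clusters outside an account's normal hours.

The idea: none of these tools is malicious on its own, so instead of
alerting on the tool, compare each (host, user) pair's off-hours use of
built-in tools against what that same pair runs during business hours.
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Built-in Windows tools that admins use routinely and that file-based
# defenses rarely flag. Presence alone is not an alert. (Assumed list.)
BUILTIN_TOOLS = {
    "powershell.exe", "schtasks.exe", "wmic.exe", "certutil.exe",
    "rundll32.exe", "mshta.exe", "bitsadmin.exe", "reg.exe",
}

# Assumed business hours: 07:00 to 18:59, local time, Monday to Friday.
BUSINESS_HOURS = range(7, 19)

# Constructed sample log (not real data). Format is assumed:
# <ISO timestamp> <host> <user> <image path> <command line>
SAMPLE_LOG = r"""
2024-03-11T09:15:02 WS01 alice C:\Windows\System32\cmd.exe cmd /c dir
2024-03-11T10:02:44 WS01 alice C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Service
2024-03-12T02:41:10 WS01 svc-backup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -File C:\Scripts\sync.ps1
2024-03-12T02:43:55 WS01 svc-backup C:\Windows\System32\schtasks.exe schtasks /create /tn Maintenance /tr C:\Scripts\sync.ps1
2024-03-12T02:45:30 WS01 svc-backup C:\Windows\System32\wbem\wmic.exe wmic os get lastbootuptime
2024-03-12T14:05:01 WS02 bob C:\Windows\System32\schtasks.exe schtasks /query
2024-03-12T22:10:17 WS02 bob C:\Windows\System32\schtasks.exe schtasks /query
"""


def parse_event(line):
    """Split one log line into its fields; the command line may contain spaces."""
    ts, host, user, image, cmdline = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        # Compare on the basename so the same tool under different paths matches.
        "tool": PureWindowsPath(image).name.lower(),
        "cmdline": cmdline,
    }


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def analyze(log_text, min_events=2):
    """Return {(host, user): [events]} for accounts that, outside business
    hours, ran at least `min_events` built-in tools they never use in-hours.

    Using the in-hours history as the baseline is what makes this a
    behaviour-over-time check rather than a per-command rule: bob running
    schtasks late is ignored because bob also runs it during the day.
    """
    in_hours_tools = defaultdict(set)
    off_hours_events = defaultdict(list)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["tool"] not in BUILTIN_TOOLS:
            continue
        key = (ev["host"], ev["user"])
        if is_off_hours(ev["ts"]):
            off_hours_events[key].append(ev)
        else:
            in_hours_tools[key].add(ev["tool"])

    findings = {}
    for key, events in off_hours_events.items():
        novel = [e for e in events if e["tool"] not in in_hours_tools[key]]
        if len(novel) >= min_events:
            findings[key] = novel
    return findings


if __name__ == "__main__":
    for (host, user), events in analyze(SAMPLE_LOG).items():
        print(f"{host} / {user}: {len(events)} off-hours built-in tool launches")
        for e in events:
            print(f"  {e['ts'].isoformat()}  {e['tool']}  {e['cmdline']}")
```

On the sample data this reports only WS01 / svc-backup, whose three late-night launches of powershell, schtasks and wmic have no daytime counterpart, while alice's daytime PowerShell and bob's recurring schtasks use are left alone. In practice the baseline would come from days or weeks of history rather than one file, and the threshold and hours would be tuned per environment.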