Living Off The Land Activity Detection
This correlation search identifies multiple risk events associated with Living Off The Land activity. It uses the Risk data model to aggregate those events and focuses on systems with a high count of distinct sources, since an attacker who abuses trusted system utilities can execute code, escalate privileges, or persist within the environment.
This correlation search is designed to detect Living Off The Land (LOTL) activity within an environment. LOTL techniques involve the use of legitimate system tools and binaries to perform malicious actions, making detection challenging. This search aggregates risk events tagged under the “Living Off The Land” analytic story, focusing on systems with a high count (5 or more) of distinct sources generating these risk events. This approach allows defenders to identify potentially suspicious behavior that might otherwise be missed when looking at individual events. The search was last modified on 2026-05-13, and leverages the Splunk Risk data model.
Attack Chain
- Initial compromise of a system through unspecified means (e.g., phishing, exploit).
- Attacker leverages legitimate system tools, such as PowerShell or cmd.exe, to execute malicious commands.
- Multiple risk events are generated by different sources due to the various LOTL techniques being employed.
- These risk events are tagged with the “Living Off The Land” analytic story within the SIEM.
- The correlation search aggregates these risk events, focusing on systems with multiple distinct sources (source_count >= 5).
- The search identifies systems exhibiting a high count of distinct sources associated with LOTL risk events.
- The attacker may escalate privileges, move laterally, or exfiltrate data using trusted system utilities.
- The final objective is achieved, such as data theft, system compromise, or ransomware deployment.
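The aggregation step in the chain above (group LOTL-tagged risk events by system, count distinct detection sources, alert at source_count >= 5) can be reproduced outside Splunk to reason about the threshold. The following is an added example, not the page's correlation search or any Splunk product code. The field names risk_object, risk_object_type, source, analyticstories and risk_score are assumptions modelled on Risk data model conventions, the detection names other than the two listed on this page are constructed placeholders, and every risk event in the input is constructed for the demonstration.

```python
"""Added example: plain-Python reproduction of the Living Off The Land
risk-aggregation logic. Field names are assumptions based on common
Splunk Risk data model conventions; all events below are constructed."""
from collections import defaultdict

ANALYTIC_STORY = "Living Off The Land"
SOURCE_COUNT_THRESHOLD = 5  # the page's search fires on source_count >= 5

# Constructed risk events. Each row is one risk event written by a
# detection ("source"). analyticstories can be multivalue in Splunk, so it
# is modelled as a list. Names starting with "ExampleDetection-" are
# placeholders, not real detections.
RISK_EVENTS = [
    # WS-0417: five distinct LOTL sources, one of them firing twice
    {"risk_object": "WS-0417", "risk_object_type": "system", "risk_score": 50,
     "source": "Detect LOLBins Executing via Suspicious Parent Processes",
     "analyticstories": ["Living Off The Land"]},
    {"risk_object": "WS-0417", "risk_object_type": "system", "risk_score": 40,
     "source": "Detect LOLBins Spawning Network Connections",
     "analyticstories": ["Living Off The Land"]},
    {"risk_object": "WS-0417", "risk_object_type": "system", "risk_score": 30,
     "source": "ExampleDetection-Mshta", "analyticstories": ["Living Off The Land"]},
    {"risk_object": "WS-0417", "risk_object_type": "system", "risk_score": 30,
     "source": "ExampleDetection-Bitsadmin", "analyticstories": ["Living Off The Land"]},
    {"risk_object": "WS-0417", "risk_object_type": "system", "risk_score": 20,
     "source": "ExampleDetection-Rundll32", "analyticstories": ["Living Off The Land"]},
    {"risk_object": "WS-0417", "risk_object_type": "system", "risk_score": 40,
     "source": "Detect LOLBins Spawning Network Connections",  # repeat: same source
     "analyticstories": ["Living Off The Land"]},
    # SRV-DB01: four LOTL sources plus one event from an unrelated story
    {"risk_object": "SRV-DB01", "risk_object_type": "system", "risk_score": 50,
     "source": "Detect LOLBins Executing via Suspicious Parent Processes",
     "analyticstories": ["Living Off The Land"]},
    {"risk_object": "SRV-DB01", "risk_object_type": "system", "risk_score": 40,
     "source": "Detect LOLBins Spawning Network Connections",
     "analyticstories": ["Living Off The Land"]},
    {"risk_object": "SRV-DB01", "risk_object_type": "system", "risk_score": 30,
     "source": "ExampleDetection-Mshta", "analyticstories": ["Living Off The Land"]},
    {"risk_object": "SRV-DB01", "risk_object_type": "system", "risk_score": 30,
     "source": "ExampleDetection-Bitsadmin", "analyticstories": ["Living Off The Land"]},
    {"risk_object": "SRV-DB01", "risk_object_type": "system", "risk_score": 25,
     "source": "ExampleDetection-Other", "analyticstories": ["Example Other Story"]},
    # WS-0203: ordinary admin box, two LOTL sources only
    {"risk_object": "WS-0203", "risk_object_type": "system", "risk_score": 40,
     "source": "Detect LOLBins Spawning Network Connections",
     "analyticstories": ["Living Off The Land"]},
    {"risk_object": "WS-0203", "risk_object_type": "system", "risk_score": 30,
     "source": "ExampleDetection-Mshta", "analyticstories": "Living Off The Land"},
]


def aggregate_lotl_risk(events, threshold=SOURCE_COUNT_THRESHOLD):
    """Group LOTL-tagged risk events by system and return those whose number
    of distinct contributing sources reaches the threshold."""
    per_system = defaultdict(lambda: {"sources": set(), "risk_score": 0, "events": 0})
    for ev in events:
        stories = ev.get("analyticstories") or []
        if isinstance(stories, str):          # single-value field
            stories = [stories]
        if ANALYTIC_STORY not in stories:
            continue
        # Assumption: the page says "systems", so only system risk objects count.
        if ev.get("risk_object_type") != "system":
            continue
        bucket = per_system[ev["risk_object"]]
        bucket["sources"].add(ev["source"])   # set => distinct sources only
        bucket["risk_score"] += ev.get("risk_score", 0)
        bucket["events"] += 1

    findings = []
    for host, b in per_system.items():
        if len(b["sources"]) >= threshold:
            findings.append({
                "risk_object": host,
                "source_count": len(b["sources"]),
                "event_count": b["events"],
                "risk_score": b["risk_score"],
                "sources": sorted(b["sources"]),
            })
    return sorted(findings, key=lambda f: f["source_count"], reverse=True)


if __name__ == "__main__":
    for f in aggregate_lotl_risk(RISK_EVENTS):
        print(f["risk_object"], f["source_count"], f["risk_score"], f["sources"])
```

With the default threshold only WS-0417 is returned: its repeated network-connection event raises event_count and risk_score but not source_count, and SRV-DB01 stays below the line because its fifth event belongs to a different analytic story. Lowering the threshold to 4 adds SRV-DB01, which is the kind of baseline check the Recommendation section asks for before tuning source_count.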
Impact
Successful exploitation using LOTL techniques can lead to a variety of negative consequences, including data breaches, system compromise, and financial loss. By using trusted system utilities, attackers can evade traditional security measures and remain undetected for extended periods. The number of victims and the specific sectors targeted will vary depending on the attacker’s goals and the vulnerabilities of the targeted systems.
Recommendation
- Enable all detections in the Living Off The Land Analytic Story in Splunk and confirm they are generating risk events as described in the “how_to_implement” section.
- Tune analytics tagged to the Living Off The Land Analytic Story to reduce false positives, per the “known_false_positives” section.
- Deploy the provided correlation search in your Splunk environment and tune the source_count threshold based on your environment’s baseline as described in “known_false_positives”.
- Investigate systems identified by this search for signs of malicious activity, focusing on the specific risk events and sources contributing to the high source_count.
Detection coverage 2
Detect LOLBins Executing via Suspicious Parent Processes
Severity: high. Detects the execution of LOLBins such as certutil, mshta, or powershell from uncommon parent processes like msiexec or wscript, indicating potential Living Off The Land attacks.
Detect LOLBins Spawning Network Connections
Severity: medium. Detects LOLBins such as certutil, bitsadmin, or powershell making network connections, which is often indicative of malicious activity such as downloading payloads or communicating with C2 servers.