ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Living off the Land

Names: Living off the Land

Description: (Talos) Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or 'LoLBins'. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

(LOLBAS Project) The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

A LOLBin/Lib/Script must:

• Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
• Have extra 'unexpected' functionality. It is not interesting to document intended use cases.
  o Exceptions are application whitelisting bypasses.
• Have functionality that would be useful to an APT or red team.

Interesting functionality can include:

• Executing code
  o Arbitrary code execution
  o Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
• Compiling code
• File operations
  o Downloading
  o Upload
  o Copy
• Persistence
  o Pass-through persistence utilizing existing LOLBin
  o Persistence (e.g. hide data in ADS, execute at logon)
• UAC bypass
• Credential theft
• Dumping process memory
• Surveillance (e.g. keylogger, network trace)
• Log evasion/modification
• DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

Last change to this tool card: 03 April 2022


All groups using tool Living off the Land

APT groups

Group (names) | Country | Active
APT 20, Violin Panda | China | 2014-2017
APT 29, Cozy Bear, The Dukes | Russia | 2008-Aug 2022 (HOT)
APT 33, Elfin, Magnallium | Iran | 2013-Nov 2019
APT 41 | China | 2012-Aug 2021
Berserk Bear, Dragonfly 2.0 | Russia | 2015-May 2017
BlackTech, Circuit Panda, Radio Panda | China | 2010-Oct 2020
Calypso | China | 2016-Aug 2021
Chafer, APT 39 | Iran | 2014-Sep 2020
Comment Crew, APT 1 | China | 2006-May 2018
El Machete | [Unknown] | 2010-Mar 2022
Emissary Panda, APT 27, LuckyMouse, Bronze Union | China | 2010-Aug 2022 (HOT)
FIN6, Skeleton Spider | [Unknown] | 2015-Oct 2021
Gangnam Industrial Style | [Unknown] | 2019
Goblin Panda, Cycldek, Conimes | China | 2013-Jun 2020
Gorgon Group | Pakistan | 2017-Jul 2020
Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-May 2020
Kimsuky, Velvet Chollima | North Korea | 2012-Early 2022
Lazarus Group, Hidden Cobra, Labyrinth Chollima | North Korea | 2007-Aug 2022 (HOT)
Leviathan, APT 40, TEMP.Periscope | China | 2013-Jul 2021
Lotus Blossom, Spring Dragon, Thrip | China | 2012-Jun 2018
  ↳ Subgroup: DEV-0270, Nemesis Kitten | Iran | 2022
MuddyWater, Seedworm, TEMP.Zagros, Static Kitten | Iran | 2017-Nov 2021
Naikon, Lotus Panda | China | 2010-Apr 2022
OilRig, APT 34, Helix Kitten, Chrysene | Iran | 2014-May 2022
Orangeworm | [Unknown] | 2015-Jan 2020
Platinum | China | 2009-Nov 2019
Silence, Contract Crew | [Unknown] | 2016-Jan 2020
Sofacy, APT 28, Fancy Bear, Sednit | Russia | 2004-Jun 2022 (HOT)
Stone Panda, APT 10, menuPass | China | 2006-Feb 2022
TA505, Graceful Spider, Gold Evergreen | Russia | 2006-Oct 2021
TeleBots | Russia | 2015-Oct 2020
Temper Panda, [email protected] | China | 2014
Tonto Team, HartBeat, Karma Panda | China | 2009-Mar 2021
Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018
Turla, Waterbug, Venomous Bear | Russia | 1996-May 2022
Whitefly, Mofang | [Unknown] | 2012-Jul 2018
WIRTE Group | [Middle East] | 2018

Other groups

Group (names) | Country | Active
Karakurt | [Unknown] | 2021-Sep 2022 (HOT)

45 groups listed (43 APT, 2 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency
