Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Living-off-the-land (LOL) is a method that enables attackers to evade defenses by running legitimate binary files or scripts for malicious purposes. An attacker must be familiar with LOL binaries or scripts (LOLBAS) to run commands like ntdsutil. If the attacker is able to launch a service that runs ntdsutil, all Active Directory (AD) accounts can be compromised.
Kill Chain
Risk Score
88
LOLBAS are tools that are signed by Microsoft and built into the Windows operating system. These tools enable helpful functionality for administrators, such as downloading, running, or compiling code. But attackers can take advantage of these tools for malicious purposes. For example, ntdsutil is a command-line tool that is built into domain controllers (DC) and is available in most AD environments. The tool can create a copy of the SYSTEM and SECURITY registry hives, or even create a copy of the AD database.
An attacker can run the ntdsutil.exe command and the install from media (ifm) subcommand to create an installation media file. The installation media file, which normally helps administrators migrate existing DC data to a new DC, contains usernames and password hashes for domain user accounts. After an attacker collects this file, they can crack the password hashes offline, giving them domain account credentials.
Disable or remove binary files listed in the LOLBAS project unless required
Strengthen the security on Windows devices by enforcing strong authentication policies and creating a list of approved applications
Implement network segmentation, security zones, and firewall policies that limit how devices communicate
Reduce the number of users who have administrator privileges
Harden domain controllers and monitor for suspicious activity involving ntdsutil.exe
