
How to detect, mitigate and harden systems against LoTL attacks?

www.thecyphere.com info@thecyphere.com
Detection

Comprehensive and verbose logging

Enable logging to cover events within the system or network.
Configure logging to provide detailed information, capturing as much context as possible for each event.
Include shell activities, system calls, and audit trails on all platforms.
Aggregate logs in an out-of-band, centralised location to avoid modifications.
Utilise aggregated logs to perform behaviour analytics, identifying patterns and deviations from normal behaviour.
Leverage centralised logs for anomaly detection, automatically flagging unusual or suspicious activities.
Use centralised logs to proactively hunt for potential threats or vulnerabilities, enabling defenders to stay ahead of adversaries.
Maintain extensive log histories, providing a more comprehensive view of past events and activities.
Prioritise logs and data sources to detect malicious activity.
Default logging configurations may be insufficient; consider enhanced logging capabilities.
Encourage software manufacturers to provide high-quality audit logs without additional charges.
Gain visibility into tool usage within the environment.

For cloud environments:

Enable logging for all control plane operations, including API calls and end-user logins, using services like AWS CloudTrail, Azure Activity Log, and Google Cloud Audit Logs.
Configure logging policies for all cloud services, including unused ones, to prevent evasion by cyber threat actors.
Enable verbose logging for security events, covering command lines, PowerShell activity, and WMI event tracing to enhance tool usage visibility.
Consider leveraging EDR solutions for centralised log collection and management.

For Microsoft environments:

Enable advanced logging features in specific server roles like Microsoft IIS to detect complex attack vectors such as web shells.
Enable detailed logging for network gateways and load balancers in cloud configurations, exporting logs to a SIEM or centralised logging server.
Run regular checks (regular expression searches) over the logs to hunt for suspicious events and stay on top of them.

Establish Baseline for Network Defense

Establish and maintain a baseline of installed tools, software, account behaviour, and network traffic.
Use aggregated logs or SIEM to baseline account behaviour such as network traffic and system intercommunications.
Enhance network monitoring, log retention, and threat hunting to detect prolonged adversary presence.
Extend log storage, fine-tune anomaly detection, and deepen threat-hunting tactics.
Select a minimal subset of administrative tools for network use.
Configure them with extensive logging, and block or alert on all others.
Apply restrictions to network logins accordingly to reduce noise and provide detailed behaviour insights.
Clearly define the behaviour of privileged accounts, including typical tool usage, executed commands, active timeframes, and device interactions.
Modify network login policies to limit unnecessary access paths based on legitimate activity profiles.
Baseline behavioural sequences of privileged accounts to detect deviations, such as unusual application calls or departures from typical usage patterns.
Define systems and tools' behaviour bounded by time, hosts, and user accounts.
targets for threat actors due to unnecessary privileges and lack of MFA.
Inventory existing configurations, policies, and software:
  Uninstall unnecessary software to limit tools available to threat actors.
  Utilise EDR tools for this role.
Scrutinise at-risk hosts, such as public-facing servers:
  Threat actors often rely on LOLBins for initial attacks.
Track infrastructure sweeps, open issues, and high-risk items:
  Prioritise efforts proactively.
Establish a baseline for LOLBins and monitor changes:
  Understand attackers' usage patterns.
  Create alerts for deviations and investigate executions.
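The two baselining recommendations above (privileged-account behaviour bounded by time, hosts and accounts, and a baseline of LOLBin usage with alerts on deviation) come down to one mechanism: learn what each account normally runs, where and when, then score later events against that profile. The following is an added example written for this deck, not code from Cyphere; the process-creation records, account names, hosts and tool names are constructed, and the one-hour tolerance on active hours is an assumption.

```python
"""Baseline privileged-account tool usage and flag deviations.

Added example, not part of the Cyphere deck. The events are constructed
process-creation records (timestamp, host, account, image); the fields and
account names are assumptions, not data from the page.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known-good" window used to learn each account's normal behaviour.
BASELINE_EVENTS = [
    ("2024-03-04T09:12:00", "ADMIN-WS01", "CORP\\alice", "powershell.exe"),
    ("2024-03-04T10:40:00", "ADMIN-WS01", "CORP\\alice", "mmc.exe"),
    ("2024-03-05T14:05:00", "DC01", "CORP\\alice", "mmc.exe"),
    ("2024-03-05T08:30:00", "ADMIN-WS02", "CORP\\bob", "powershell.exe"),
    ("2024-03-06T11:15:00", "ADMIN-WS02", "CORP\\bob", "ssh.exe"),
]

# Constructed events from a later period that are compared against the baseline.
NEW_EVENTS = [
    ("2024-03-12T10:02:00", "ADMIN-WS01", "CORP\\alice", "powershell.exe"),  # normal
    ("2024-03-12T02:47:00", "DC01", "CORP\\alice", "certutil.exe"),          # new tool, odd hour
    ("2024-03-12T09:10:00", "FILESRV03", "CORP\\bob", "wmic.exe"),           # new tool, new host
]


def _hour(timestamp):
    return datetime.fromisoformat(timestamp).hour


def build_baseline(events):
    """Learn, per account, the tools it runs, the hosts it runs them on and
    its active hours (each observed hour widened by one hour either side)."""
    baseline = defaultdict(lambda: {"images": set(), "hosts": set(), "hours": set()})
    for timestamp, host, account, image in events:
        profile = baseline[account]
        profile["images"].add(image.lower())
        profile["hosts"].add(host)
        hour = _hour(timestamp)
        profile["hours"].update({(hour - 1) % 24, hour, (hour + 1) % 24})
    return dict(baseline)


def find_deviations(baseline, events):
    """Return (timestamp, account, reasons) for every event that leaves the
    account's baseline: an unseen tool, an unseen host, an unusual hour, or
    an account with no baseline at all."""
    findings = []
    for timestamp, host, account, image in events:
        profile = baseline.get(account)
        reasons = []
        if profile is None:
            reasons.append("account has no baseline")
        else:
            if image.lower() not in profile["images"]:
                reasons.append(f"new tool {image}")
            if host not in profile["hosts"]:
                reasons.append(f"new host {host}")
            hour = _hour(timestamp)
            if hour not in profile["hours"]:
                reasons.append(f"outside active hours ({hour:02d}:00)")
        if reasons:
            findings.append((timestamp, account, reasons))
    return findings


if __name__ == "__main__":
    for timestamp, account, reasons in find_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(timestamp, account, "; ".join(reasons))
```

Each finding carries every reason it tripped, so an analyst can tell a new tool at a normal hour (worth a look) from a new tool on a domain controller at 02:47 (investigate now). The baseline window should be long enough to cover the account's real routine, or ordinary monthly tasks will show up as deviations.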

Automated Log Review and Hunting

Employ automation to continuously review all logs and optimise hunting activities.
Compare ongoing activities with established behavioural baselines, prioritising scrutiny of privileged accounts and critical assets like domain controllers.
Ensure staff are trained in utilising automation for hunting, incorporating new strategies as they are identified.
Regularly audit cron jobs and systemd timers in Linux environments for unexpected entries.
Implement file integrity monitoring on critical configuration files and systemd unit files to detect unauthorised modifications.
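The file integrity monitoring recommended above for systemd unit files (and equally for /etc/cron.d) is a baseline of content hashes compared against a later snapshot. This is an added example, not Cyphere's code; it uses a temporary directory in place of /etc/systemd/system, and the unit file names and contents are constructed.

```python
"""File integrity monitoring for configuration directories.

Added example, not from the Cyphere deck. A temporary directory stands in for
/etc/systemd/system (or /etc/cron.d); the unit file contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory):
    """Map each regular file under directory (relative path) to its SHA-256."""
    root = Path(directory)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Diff two snapshots; each key lists paths in a stable, sorted order."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Take a baseline, then simulate an edited unit and a dropped-in timer."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
        (root / "backup.timer").write_text("[Timer]\nOnCalendar=daily\n")
        baseline = snapshot(root)

        # Changes no operator made: an extra pre-start hook and a new timer unit.
        (root / "sshd.service").write_text(
            "[Service]\nExecStartPre=/usr/local/bin/prestart.sh\nExecStart=/usr/sbin/sshd -D\n"
        )
        (root / "update.timer").write_text("[Timer]\nOnCalendar=*:0/5\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline dictionary is written somewhere the monitored host cannot alter it (the same out-of-band store the deck recommends for logs), and the comparison runs on a schedule; a non-empty "added" or "modified" list for a unit or cron directory is the alert.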

Perform routine checks of PLIST files and macOS scheduled tasks for unauthorised or modified entries in macOS environments.
Conduct regular audits of the Windows Registry for changes to auto-start locations in Windows environments.
Implement file integrity monitoring on auto-start keys and create detections for unusual scheduled tasks.
Monitor for unusual API calls in cloud environments, particularly those involving security group changes and access to sensitive data.
Investigate unusual account behaviour, such as out-of-hours logins and concurrent sign-ins from disparate locations.
Consider leveraging machine learning-based anomaly detection capabilities in the cloud for advanced log analysis.

Focus on detecting irregular API call patterns, unusual cloud storage access, and atypical network traffic.
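The cloud checks above (security group changes, out-of-hours logins, concurrent sign-ins from disparate locations) can be run over control-plane audit records as a set of simple rules. The code below is an added example, not Cyphere's; the records are constructed in a simplified CloudTrail-like shape, the IP-to-location table is an assumed enrichment source, and the business-hours window and account names are made up.

```python
"""Spot risky control-plane activity in cloud audit logs.

Added example, not from the Cyphere deck. The records are constructed in a
simplified CloudTrail-like shape (eventTime, eventName, userName,
sourceIPAddress, requestParameters); the IP-to-location table is an assumed
enrichment source, and the account names and addresses are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    {"eventTime": "2024-03-12T08:05:00Z", "eventName": "ConsoleLogin", "userName": "alice",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventTime": "2024-03-12T08:20:00Z", "eventName": "ConsoleLogin", "userName": "alice",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventTime": "2024-03-12T03:14:00Z", "eventName": "ConsoleLogin", "userName": "bob",
     "sourceIPAddress": "203.0.113.22", "requestParameters": {}},
    {"eventTime": "2024-03-12T03:16:00Z", "eventName": "AuthorizeSecurityGroupIngress", "userName": "bob",
     "sourceIPAddress": "203.0.113.22",
     "requestParameters": {"groupId": "sg-0123", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2024-03-12T10:00:00Z", "eventName": "DescribeInstances", "userName": "alice",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]

# Assumed enrichment: source address -> coarse location.
GEO = {"203.0.113.10": "London", "203.0.113.22": "London", "198.51.100.7": "Singapore"}

# API calls that change network exposure or data access and deserve a look every time.
SENSITIVE_APIS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupEgress", "PutBucketPolicy", "PutBucketAcl"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, an assumption for this tenant


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events, geo=GEO, window=timedelta(minutes=30)):
    """Return (eventTime, userName, reason) findings for sensitive API calls,
    out-of-hours console logins, and logins by one user from two locations
    within `window` of each other."""
    findings = []
    recent_logins = defaultdict(list)  # user -> [(time, location)]
    for event in sorted(events, key=lambda e: e["eventTime"]):
        when, user, name = _parse(event["eventTime"]), event["userName"], event["eventName"]
        if name in SENSITIVE_APIS:
            reason = f"sensitive API {name}"
            if "0.0.0.0/0" in str(event["requestParameters"]):
                reason += " opening a rule to the whole internet"
            findings.append((event["eventTime"], user, reason))
        if name == "ConsoleLogin":
            if when.hour not in BUSINESS_HOURS:
                findings.append((event["eventTime"], user, f"out-of-hours login at {when:%H:%M} UTC"))
            location = geo.get(event["sourceIPAddress"], "unknown")
            for earlier, earlier_location in recent_logins[user]:
                if earlier_location != location and when - earlier <= window:
                    minutes = int((when - earlier).total_seconds() // 60)
                    findings.append((event["eventTime"], user,
                                     f"sign-in from {location} {minutes} min after {earlier_location}"))
                    break
            recent_logins[user].append((when, location))
    return findings


if __name__ == "__main__":
    for event_time, user, reason in detect(EVENTS):
        print(event_time, user, reason)
```

Sorting by time before evaluating matters: the concurrent sign-in rule only looks backwards, so out-of-order delivery from the log pipeline would otherwise hide a pair of logins.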

Reduce alert noise

Enhance monitoring tools and alerting mechanisms to discern typical administrative actions and minimise false positives.
Analyse remote authentication activities to pinpoint anomalies.
Prioritise alerts indicating suspicious behaviour.
Avoid broad detection rules like CommandLine=* or Filepath=C:...* to refine alert accuracy.
Collaborate with IT teams to streamline allowed administrative tools and login types across the network.
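A rule like CommandLine=* fires on everything, and a bare "watched binary executed" rule fires on every legitimate admin use too. Measuring each candidate rule against a labelled sample before deployment shows how much noise it produces and whether excluding the documented admin pattern keeps the true positives. This is an added example, not Cyphere's code; the labelled events, the approved admin accounts and consoles, and the watched-binary list are assumptions for a fictional estate.

```python
"""Measure how much noise a detection rule generates before deploying it.

Added example, not from the Cyphere deck. The events are constructed
process-creation records labelled by an analyst; the approved admin accounts,
consoles and watched binaries are assumptions for a fictional estate.
"""

# Constructed, labelled sample: image, account, parent process, analyst verdict.
EVENTS = [
    {"image": "certutil.exe",  "user": "CORP\\svc-pki",   "parent": "mmc.exe",        "malicious": False},
    {"image": "wmic.exe",      "user": "CORP\\helpdesk1", "parent": "cmd.exe",        "malicious": False},
    {"image": "bitsadmin.exe", "user": "CORP\\helpdesk1", "parent": "powershell.exe", "malicious": False},
    {"image": "outlook.exe",   "user": "CORP\\jdoe",      "parent": "explorer.exe",   "malicious": False},
    {"image": "chrome.exe",    "user": "CORP\\jsmith",    "parent": "explorer.exe",   "malicious": False},
    {"image": "certutil.exe",  "user": "CORP\\jdoe",      "parent": "winword.exe",    "malicious": True},
    {"image": "wmic.exe",      "user": "CORP\\jsmith",    "parent": "excel.exe",      "malicious": True},
    {"image": "notepad.exe",   "user": "CORP\\jdoe",      "parent": "explorer.exe",   "malicious": False},
]

WATCHED_BINARIES = {"certutil.exe", "wmic.exe", "bitsadmin.exe"}
APPROVED_ADMINS = {"CORP\\svc-pki", "CORP\\helpdesk1"}
ADMIN_CONSOLES = {"mmc.exe", "cmd.exe", "powershell.exe"}


def rule_broad(event):
    """Equivalent of CommandLine=*: fires on every process creation."""
    return True


def rule_lolbin(event):
    """Fires on any execution of a watched binary, regardless of context."""
    return event["image"].lower() in WATCHED_BINARIES


def rule_lolbin_refined(event):
    """Same trigger, but excludes the documented admin pattern: an approved
    admin account launching the tool from an admin console."""
    expected_admin_use = event["user"] in APPROVED_ADMINS and event["parent"].lower() in ADMIN_CONSOLES
    return rule_lolbin(event) and not expected_admin_use


def evaluate(rule, events=EVENTS):
    """Return alert count, true positives, missed detections and precision."""
    alerts = [e for e in events if rule(e)]
    true_positives = sum(e["malicious"] for e in alerts)
    missed = sum(e["malicious"] for e in events if not rule(e))
    precision = true_positives / len(alerts) if alerts else 0.0
    return {"alerts": len(alerts), "true_positives": true_positives,
            "missed": missed, "precision": round(precision, 2)}


if __name__ == "__main__":
    for rule in (rule_broad, rule_lolbin, rule_lolbin_refined):
        print(f"{rule.__name__:20} {evaluate(rule)}")
```

The "missed" count is the guard against over-tuning: an exclusion that drops a known-bad event from the sample is a gap, not a noise reduction. The exclusion list itself is exactly what the deck means by agreeing allowed administrative tools and login types with the IT team.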

Disable and issue alerts for the installation and usage of unnecessary remote access tools.
Implement a threat detection maturity model to refine and optimise alerting mechanisms in IDS or SIEM.
Adopt a standardised alert naming convention, incorporating maturity levels and MITRE ATT&CK phases to streamline incident response triage.

User and Entity Behavior Analytics (UEBA)

Utilise User and Entity Behavior Analytics (UEBA) to analyse and correlate activities from various data sources.
Identify potential security incidents traditional tools might overlook.
Profile and monitor user behavior to detect insider threats and compromised accounts.

Hardening

Vendor-specific hardening guidelines

Follow vendor-provided or industry-standard hardening guidelines to strengthen software and system configurations and reduce the attack surface.
Apply Microsoft's security updates and patches for Windows systems.
Verify binary permissions on Linux systems based on CIS Benchmarks.
Keep macOS up to date with the latest version.
Apply security patches regularly for enhanced protection.
Utilise built-in macOS security features like Gatekeeper, XProtect, and FileVault to bolster security measures.
Use CISA's Microsoft 365 security baseline guides for Microsoft cloud infrastructure.
Refer to CISA's Google Workspace security baseline guides for Google cloud infrastructure.
Minimise running services and apply least privilege principles for universal hardening.
Secure critical assets with vendor-specific hardening measures.
Avoid caching credentials on remote hosts when using administrative tools.

Application allowlisting

Channel all activity through a narrow path for streamlined monitoring.
Improve behavioral analytics to decrease alert volume.
Configure Gatekeeper to block unsigned or unauthorised apps and monitor for bypass attempts.
Utilise AppLocker and Windows Defender for effective allowlisting.
Regulate executable files, scripts, DLLs, etc., with rules based on attributes.

Network segmentation

Implement robust network segmentation.
Monitor for abnormal network behavior.
Utilise traffic analysis tools.
Focus on detecting unusual patterns.
Strategically deploy network sensors.
Ensure deep packet inspection capabilities.
Employ metadata parsers for efficient analysis.
Integrate open-source NIDS like Snort or Suricata.
Implement zero trust architectures for long-term security.
Restrict and scrutinise the use of binaries and associated accounts for trustworthy behavior.

Implement MFA

Deploy MFA on all systems to counter phishing risks.
Utilise robust PAM for just-in-time access control.
Implement time-based controls and RBAC to tailor access.
Enforce strict ICAM policies in cloud environments.
Audit ICAM configurations for role permissions.
Regularly review sudoers file for misconfigurations.
Adhere to the principle of least privilege.
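Reviewing the sudoers file for misconfigurations, as recommended above, is easy to automate once the user-specification lines are parsed. The following is an added example, not Cyphere's code; the sudoers text is constructed, and the three checks it applies (passwordless sudo to ALL, a shell permitted as a command, wildcards in command paths) are this reviewer's own least-privilege list rather than one the deck prescribes.

```python
"""Review a sudoers file for common over-privilege patterns.

Added example, not from the Cyphere deck. The sudoers text is constructed;
the checks (NOPASSWD on ALL, a shell as the permitted command, wildcards in
command paths) are the reviewer's own list, not one the page prescribes.
"""
import re

SUDOERS = """\
# Constructed sample, not a real file
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
deploy          ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
www-data        ALL=(root) /bin/bash
ops             ALL=(ALL) /usr/bin/systemctl restart *
"""

# user-spec line: <user> <host> = [(runas)] [TAG:] commands
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "#include", "@include")


def parse_user_specs(text):
    """Yield (who, runas, tags, [commands]) for each user specification line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags, commands = set(), []
        for part in m.group("cmds").split(","):
            tokens = part.strip().split()
            # Leading TAG: tokens (NOPASSWD:, SETENV:, ...) apply to the command that follows.
            while tokens and tokens[0].endswith(":"):
                tags.add(tokens.pop(0).rstrip(":").upper())
            if tokens:
                commands.append(" ".join(tokens))
        yield m.group("who"), m.group("runas") or "root", tags, commands


def audit(text):
    """Return (who, reason) findings for entries that grant more than they should."""
    findings = []
    for who, runas, tags, commands in parse_user_specs(text):
        for cmd in commands:
            executable = cmd.split()[0]
            if cmd == "ALL" and "NOPASSWD" in tags:
                findings.append((who, "passwordless sudo to ALL commands"))
            elif executable in SHELLS:
                findings.append((who, f"shell {executable} permitted as {runas}"))
            elif "*" in cmd or "?" in cmd:
                findings.append((who, f"wildcard in command '{cmd}'"))
    return findings


if __name__ == "__main__":
    for who, reason in audit(SUDOERS):
        print(f"{who}: {reason}")
```

The parser deliberately ignores alias definitions and Defaults lines and does not follow includes, so a real review should run it over the output of a full expansion (or over every file in the includes directory) rather than a single file. Entries such as the backup user's passwordless rsync are left alone here: narrow, specific commands are what least privilege looks like in sudoers.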

Mitigation

Do the due diligence

Prioritise vendors with secure design principles to limit LOLBin availability.
Hold vendors accountable for default configurations and least privilege adherence.
Use caution with products requiring antivirus disabling or broad firewall rules.
Follow best practices for managing supply chain risks and source from reputable vendors.

Remote software and configurations

Audit remote access software and configurations for authorised usage.
Minimise remote access solutions for simplified monitoring.

Limit defensive configuration exposure

Conceal defensive configurations to deter adversaries from adjusting tactics.
Audit attempts to access, disable, or tamper with defensive configurations and log artifacts.

Limit outbound internet connectivity

Restrict outbound internet access for critical servers.
Monitor and control outbound connectivity to essential destinations.
Exercise caution with cloud-connected services, avoiding broad access.
Watch for raw connections to IP addresses without DNS requests.
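The last point above, a raw connection to an IP address that no DNS request preceded, is a join between the resolver log and the connection log: for each external destination, did the same host resolve that address shortly before connecting? The code below is an added example, not Cyphere's; the two logs are constructed in a simple key=value form, and the internal address ranges and one-hour resolution window are assumptions.

```python
"""Flag outbound connections to external IPs that no DNS lookup preceded.

Added example, not from the Cyphere deck. The DNS and connection log lines
are constructed in a simple key=value form; the internal ranges and the
resolution window are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

DNS_LOG = """\
2024-03-12T10:00:01 host=ws01 qname=updates.example.com answer=203.0.113.5
2024-03-12T10:30:15 host=ws02 qname=mail.example.net answer=203.0.113.40
"""

CONN_LOG = """\
2024-03-12T10:00:02 host=ws01 dst=203.0.113.5 dport=443
2024-03-12T10:05:00 host=ws01 dst=198.51.100.9 dport=8443
2024-03-12T10:06:00 host=ws01 dst=10.0.0.5 dport=445
2024-03-12T10:31:00 host=ws02 dst=203.0.113.40 dport=587
2024-03-12T12:00:00 host=ws02 dst=203.0.113.5 dport=443
"""

# Organisation-defined internal ranges (an assumption); these are never flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESOLUTION_WINDOW = timedelta(hours=1)


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts'."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def connections_without_dns(dns_log, conn_log, window=RESOLUTION_WINDOW):
    """Return (timestamp, host, dst) for external connections where the same
    host did not resolve dst within `window` beforehand."""
    resolved = defaultdict(list)  # (host, ip) -> [resolution times]
    for rec in parse(dns_log):
        resolved[(rec["host"], rec["answer"])].append(rec["ts"])
    flagged = []
    for rec in parse(conn_log):
        if is_internal(rec["dst"]):
            continue
        times = resolved.get((rec["host"], rec["dst"]), [])
        if not any(rec["ts"] - window <= t <= rec["ts"] for t in times):
            flagged.append((rec["ts"].isoformat(), rec["host"], rec["dst"]))
    return flagged


if __name__ == "__main__":
    for when, host, dst in connections_without_dns(DNS_LOG, CONN_LOG):
        print(f"{when} {host} connected to {dst} with no preceding DNS resolution")
```

Keying the lookup on (host, address) rather than address alone is what catches the second finding: ws02 reused an address that only ws01 had resolved. Hosts that legitimately talk to fixed addresses (monitoring agents, internal-only services) belong in an explicit allow list, not in a wider internal range.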

When there are no executables or viruses to identify, many security packages give the green light. Because no trace is left behind by these fileless hazards, organisations must regularly monitor and perform threat-hunting exercises.

Follow me @Harman Singh for more similar content.

Get in touch to discuss your security concerns: info@thecyphere.com, www.thecyphere.com
