How would you compare the Windows and macOS operating systems? In what ways are they similar? Why do they each take different approaches to solving the same problem? For the last 19 years I've developed security software for Windows. Recently, I’ve started implementing similar features on macOS. Since then, people have asked me questions like this. The more experience I gained on these two operating systems, the more I realized they’re very different.

This is the final blog of our three-part blog series on living-off-the-land (LOTL) attacks. If you missed last week’s blog, you can read it here. LOTL attacks are also known as “malware-free” attacks because your own tools are used against you, either to hide malicious activities under a legitimate system process, or to leverage genuine system activities for malicious purposes.

PowerShell had its beginnings as a way to enable administrators to perform their tasks both locally and remotely with unprecedented access to underlying Windows components, such as COM objects and WMI. Since being included in every major Windows Operating System since Windows 7, PowerShell based tooling is well proliferated for both legitimate and malicious use and includes common tooling such as SharpSploit, PowerSploit, PowerShell Empire, Nishang and Invoke-Obfuscation.

We’re back with part two of our three-part blog series on living-off-the-land attacks. If you missed part one, you can read it here. In a nutshell, living-off-the-land (LOTL) refers to a type of attack where the attacker uses the tools and features that already exist in the target environment to carry out malicious activities. The concept of LOTL is not new, but LOTL and file-less attacks have been gaining popularity over the last few months.

The cybersecurity threat landscape is quickly changing. Administrators have become more cautious when it comes to security and governing access, end users have become tech-savvy and security-aware, and attackers have also raised their game. Living-off-the-land attacks, or LOTL, is one clear trend today, with attackers exploiting preinstalled features and default tools built into system.

Windows Server 2019 ships and installs with an existing level of hardening that is significantly more secure compared to previous Windows Server operating systems. Gone are the bloat of Xbox integration and services and the need for third-party security solutions to fill security gaps. Operating System (OS) hardening provides additional layers of security and preventative measures against both unauthorized changes and access.

In our last release of the PowerShell security series, we talked about how PowerShell could be leveraged by malicious actors to gain unprecedented access to your organization’s critical assets. From enumerating sensitive domain information and carrying out credential-based attacks to running malicious executables in memory (file-less malware), we shined a light on the potential of PowerShell and why it’s an ideal weapon for cyber attackers today.

Tools and features introduced with the intention of benefiting and empowering an organization can sometimes end up being misused. PowerShell is a classic example.

When analyzing malware and adversary activity in Windows environments, DLL injection techniques are commonly used, and there are plenty of resources on how to detect these activities. When it comes to Linux, this is less commonly seen in the wild. I recently came across a great blog from TrustedSec that describes a few techniques and tools that can be used to do library injection in Linux.