Anatomy of a Living off the Land (LOTL) Attack

Vectra AI vs.
Volt Typhoon

How do you catch up to a highly skilled threat actor after they use stealthy living off the land techniques to evade traditional detection tools? We simulated a Volt Typhoon attack to find out.

How Vectra AI stopped a stealthy attacker from maintaining access

In this Volt Typhoon simulation, defenders were put to the test when the threat actor used everything within their power — command and control techniques, password spray techniques, brute force attempts — to avoid detection and live off the land across multiple hybrid attack surfaces. Armed with the highest threat signal efficacy, security analysts knew exactly where to focus efforts.

The attacker:

Thrives at hiding among normal activity
Leverages crafty tactics to go undetected
Moves across data center, cloud and identity surfaces

Defenders know:

Which activities are a real threat
When and where the actor moves
How to respond quickly to stop the attack

Response time

First Vectra Alert

5:02 A.M

Attack Stopped

5:22 A.M

Anatomy of a Living off the Land (LOTL) Attack

Stop living off the land techniques before any damage is done

The secret to stopping LOTL attacks? Attack Signal Intelligence™. Vectra AI’s patented AI-driven signal empowers defenders leveraging the Vectra AI Platform to move at the speed and scale of hybrid attackers — including state-sponsored actors like Volt Typhoon.

References in MITRE D3FEND

90%

MITRE ATT&CK coverage

AI threat detection patents

Sharpen your investigation and threat hunting skills

Join our ensemble of security researchers, data scientists and analysts as we share over 11+ years of security-AI research and expertise with the global cybersecurity community. Through our webinars and hands-on labs, you’ll learn how to effectively leverage AI for threat detection and response and expose sophisticated attacks hiding in your environment.

Explore Upcoming Sessions

With Vectra AI, living off the land techniques don't work

Once access is achieved, Volt Typhoon makes quick use of difficult-to-detect LOTL techniques to blend in with normal network activity. With 11 references in the MITRE D3FEND framework — more than any other vendor — only Vectra AI correlates behavioral detections across each attack surface so defenders know exactly where to focus efforts. Attack Signal Intelligence detects and prioritizes:

Hidden HTTPS Tunnel

RPC Targeted Recon

Suspicious Remote Execution

Azure AD Unusual Scripting Engine Usage

Azure AD Brute Force Attempt

Privilege Anomaly: Unusual Account on Host

Prioritizing tactics for Volt Typhoon

This simulated attack was initiated through a compromised home office.
The threat actor attempted to gather local drive info and credential information to help go unnoticed.
Moving across multiple surfaces, the actor gathered info along the way to advance and hide their tracks.
Even with a stealthy attack, defenders were able to prioritize threat actor activity before data was exfiltrated.

Keep LOTL attacks from becoming data breaches

Download the full attack anatomy report to learn how you can move at the speed and scale of modern attackers.

Download the overview

Gain an unfair advantage over modern attacks

Explore the Platform

Explore more attack anatomies

Explore more cyberattack resources

See how Vectra AI helps you move at the speed and scale of modern attackers.

Ebook

A Breakdown of Emerging Hybrid Attacker Methods

All modern attacks are hybrid attacks. Learn how today’s cyber attackers infiltrate, escalate privileges, move laterally and progress their attacks.

Download Ebook

Datasheet

Attack Signal Intelligence vs. Volt Typhoon

See why AI-driven prioritization is key to successful defense when a state-sponsored cyberactor evades traditional detection tools.

Read Report

Blog

Volt Typhoon: LOLBins get serious

Get Vectra AI’s perspective on the Microsoft announcement of Volt Typhoon — and how it brings the reality of persistent threat actors back into the spotlight.

Read Blog

Vectra AI vs.Volt Typhoon