A living off the land attack is one of the sneakiest techniques in a ransomware operator's playbook — and in this episode, Dr. Mike Saylor breaks down exactly what it is, how it works, and what your organization can actually do about it.

Instead of bringing their own tools into your environment (which might trip your alarms), attackers just use what's already there. PowerShell. WMI. RDP. The same tools your admins run every single day. To your monitoring systems, it looks completely normal. That's the whole point.

Mike and Curtis cover why attackers prefer your tools over their own, how recon can quietly run for 30 to 90 days before the attack goes loud, and what defenders can actually do about it — removing admin privileges, system hardening, golden images, application whitelisting, and free tools like Nmap and Wireshark. There's also a match.com story involving organized crime and a wooden casket on someone's front porch that you really don't want to miss.
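To make the "it looks completely normal" problem concrete, here is an added example (written for these show notes, not code from the episode or its hosts) showing the kind of detection logic a defender can run over process-creation telemetry to separate routine admin use of PowerShell and WMI from the patterns that matter: encoded or hidden PowerShell launches, a shell spawned by the WMI provider host, and a burst of distinct discovery utilities from one user on one host during the quiet recon phase. The event field names, the sample events, and the thresholds are all assumptions constructed for the example; real Windows Security 4688 or Sysmon Event 1 records carry more fields under different names.

```python
"""Flag living-off-the-land patterns in Windows process-creation events.

Added example for the episode notes. The events below are constructed
(not real telemetry) and the field names are an assumption meant to mirror
the essentials of Security Event ID 4688 / Sysmon Event ID 1.
"""
import re
from collections import defaultdict

# Discovery utilities that are normal one at a time but notable in a burst.
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "whoami.exe",
               "ipconfig.exe", "systeminfo.exe", "quser.exe", "nbtstat.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RECON_WINDOW = 600      # seconds; assumed tuning value
RECON_THRESHOLD = 3     # distinct recon tools inside the window; assumed

# PowerShell launched with an encoded command or a hidden window.
ENC_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")
HIDDEN_PS = re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden\b")

# Constructed sample events: one benign admin script, one suspicious launch
# under WmiPrvSE.exe, then three discovery commands in quick succession.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ts": 200, "host": "ws01", "user": "CORP\\alice", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc QUJDRA=="},
    {"ts": 210, "host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "net.exe", "cmd": "net view"},
    {"ts": 220, "host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "nltest.exe", "cmd": "nltest /dclist:corp"},
    {"ts": 230, "host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "whoami.exe", "cmd": "whoami /all"},
    {"ts": 400, "host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]


def check_powershell(ev):
    """Encoded or hidden-window PowerShell is rare in legitimate admin use."""
    if ev["image"].lower() not in {"powershell.exe", "pwsh.exe"}:
        return None
    if ENC_PS.search(ev["cmd"]) or HIDDEN_PS.search(ev["cmd"]):
        return {"rule": "suspicious_powershell", "host": ev["host"],
                "user": ev["user"], "ts": ev["ts"]}
    return None


def check_wmi_parent(ev):
    """A shell whose parent is the WMI provider host points at remote WMI execution."""
    if ev["parent"].lower() == "wmiprvse.exe" and ev["image"].lower() in SHELLS:
        return {"rule": "wmi_spawned_shell", "host": ev["host"],
                "user": ev["user"], "ts": ev["ts"]}
    return None


def check_recon_bursts(events):
    """Flag an actor who runs several distinct discovery tools inside one window."""
    findings = []
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() in RECON_TOOLS:
            by_actor[(ev["host"], ev["user"])].append(ev)
    for (host, user), evs in by_actor.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= RECON_WINDOW]
            tools = {e["image"].lower() for e in window}
            if len(tools) >= RECON_THRESHOLD:
                findings.append({"rule": "recon_burst", "host": host, "user": user,
                                 "ts": start["ts"], "tools": sorted(tools)})
                break  # one finding per actor is enough for triage
    return findings


def analyze(events):
    """Run every check and return findings ordered by timestamp."""
    findings = []
    for ev in events:
        for check in (check_powershell, check_wmi_parent):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_recon_bursts(events))
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The benign backup script at the top produces nothing, which is the point: the rules key on how the tool is invoked and in what sequence, not on the tool's name alone. In practice the recon threshold and window are tuned against a baseline of what the organisation's own admins actually run, so the same low-and-slow pattern the episode describes stands out against that baseline rather than against the tool list.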

0:00 - Intro

1:21 - Welcome and Book Announcement

3:28 - What Is a Living Off the Land Attack?

5:38 - Real-World Example: Conti Ransomware and WMI

8:12 - Why Attackers Use Your Tools Instead of Their Own

13:05 - Admin Privileges: Best Practice vs. Reality

17:31 - The Louvre Heist Analogy

20:08 - Recon Phase: Low and Slow

24:16 - What Defenders Can Do

25:55 - RDP and Remote Access

29:48 - The Recon Timeline: 30-90 Days

30:48 - PowerShell and System Hardening

34:10 - Network Discovery Tools (Nmap and Wireshark)

37:37 - Application Whitelisting and Geo IP Blocking

42:08 - Action Items and Wrap-Up