Reclaiming Lost Ground: LOTL Attack Recovery
When an organization detects a compromise, especially involving Living Off the Land (LOTL) tactics, it is critical to implement immediate defensive countermeasures. The Joint Guidance on Identifying and Mitigating LOTL Techniques outlines a comprehensive remediation strategy that organizations should follow to mitigate the impact of such incidents.
Immediate Response Actions
📌 Reset credentials for both privileged and non-privileged accounts within the trust boundary of each compromised account.
📌 Force password resets and revoke and issue new certificates for all accounts and devices.
Windows Environment Specific Actions:
📌 If access to the Domain Controller (DC) or Active Directory (AD) is suspected, reset all local account passwords, including Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account, whose key encrypts and signs Kerberos tickets, should be reset twice: the KDC keeps a two-password history and accepts tickets issued under the previous key, so a single reset leaves tickets made with the old key valid.
📌 If the ntds.dit file is suspected to have been exfiltrated, reset all domain user passwords.
📌 Review and adjust access policies, temporarily revoking or reducing privileges to contain affected accounts and devices.
📌 Reset Non-Elevated Account Credentials: If the threat actor’s access is limited to non-elevated permissions, reset the relevant account credentials or access keys and monitor for further signs of unauthorized access, especially for administrative accounts.
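The double krbtgt reset above is easy to get wrong: the second reset must not run until the first has replicated to every DC and clients have had time to renew tickets under the new key, otherwise every outstanding TGT is invalidated at once. The following PowerShell script is an added example, not part of the joint guidance; it assumes a Domain Admin session with the RSAT ActiveDirectory module, and its default 10-hour wait between resets is an assumed value matching the default maximum TGT lifetime.

```powershell
#Requires -Modules ActiveDirectory
# Added example: reset krbtgt twice, waiting for replication and ticket renewal.
# Assumption: run as Domain Admin; $MinHoursBetweenResets defaults to the
# default maximum TGT lifetime (10 hours) so valid tickets can be renewed first.
param(
    [int]$MinHoursBetweenResets = 10
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # 64 random bytes, base64-encoded: krbtgt's password is never typed by a human
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtOnce {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    Write-Host "krbtgt reset issued at $(Get-Date -Format o)"
}

function Test-KrbtgtReplicated {
    # Converged when every writable DC reports the same pwdLastSet for krbtgt
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $stamps = foreach ($dc in $dcs) {
        (Get-ADUser krbtgt -Properties pwdLastSet -Server $dc.HostName).pwdLastSet
    }
    return (($stamps | Select-Object -Unique).Count -eq 1)
}

function Wait-KrbtgtReplicated {
    while (-not (Test-KrbtgtReplicated)) {
        Write-Host "Waiting for krbtgt pwdLastSet to replicate to all DCs..."
        Start-Sleep -Seconds 60
    }
}

# First reset: new key becomes current; the pre-incident key moves into the
# one-deep history and is still accepted, so existing tickets keep working.
Reset-KrbtgtOnce
Wait-KrbtgtReplicated

# Second reset: pushes the pre-incident key out of the history, so any ticket
# issued or forged under it is rejected. Wait first so clients renew on key 1.
Write-Host "Waiting $MinHoursBetweenResets hours before the second reset..."
Start-Sleep -Seconds ($MinHoursBetweenResets * 3600)
Reset-KrbtgtOnce
Wait-KrbtgtReplicated
Write-Host "krbtgt reset twice; tickets under the pre-incident key are now invalid."
```

Expect Kerberos authentication failures on any host that was offline during the wait; those clients recover after a reboot or a fresh logon.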
Network and Device Configuration Audit
📌 Audit Network Appliances and Edge Devices: Check for signs of unauthorized or malicious configuration changes. If changes are found:
📌 Change all credentials used to manage network devices, including keys and strings securing network device functions.
📌 Update all firmware and software to the latest versions.
Remote Access Tool Usage
📌 Minimize and Control Remote Access: Follow best practices for securing remote access tools and protocols, including guidance on securing remote access software and using PowerShell securely.