Reclaiming Lost Ground: LOTL Attack Recovery

When ‎an‏ ‎organization ‎detects ‎a ‎compromise, ‎especially‏ ‎involving ‎Living‏ ‎Off‏ ‎the ‎Land ‎(LOTL)‏ ‎tactics, ‎it‏ ‎is ‎critical ‎to ‎implement‏ ‎immediate‏ ‎defensive ‎countermeasures.‏ ‎The ‎Joint‏ ‎Guidance ‎on ‎Identifying ‎and ‎Mitigating‏ ‎LOTL‏ ‎Techniques ‎outlines‏ ‎a ‎comprehensive‏ ‎remediation ‎strategy ‎that ‎organizations ‎should‏ ‎follow‏ ‎to‏ ‎mitigate ‎the‏ ‎impact ‎of‏ ‎such ‎incidents.

Immediate‏ ‎Response‏ ‎Actions

📌Reset ‎credentials‏ ‎for ‎both ‎privileged ‎and ‎non-privileged‏ ‎accounts ‎within‏ ‎the‏ ‎trust ‎boundary ‎of‏ ‎each ‎compromised‏ ‎account.

📌Force ‎password ‎resets ‎and‏ ‎revoke‏ ‎and ‎issue‏ ‎new ‎certificates‏ ‎for ‎all ‎accounts ‎and ‎devices.

Windows‏ ‎Environment‏ ‎Specific ‎Actions:

📌If‏ ‎access ‎to‏ ‎the ‎Domain ‎Controller ‎(DC) ‎or‏ ‎Active‏ ‎Directory‏ ‎(AD) ‎is‏ ‎suspected, ‎reset‏ ‎all ‎local‏ ‎account‏ ‎passwords, ‎including‏ ‎Guest, ‎HelpAssistant, ‎DefaultAccount, ‎System, ‎Administrator,‏ ‎and ‎krbtgt.‏ ‎The‏ ‎krbtgt ‎account, ‎which‏ ‎handles ‎Kerberos‏ ‎ticket ‎requests, ‎should ‎be‏ ‎reset‏ ‎twice ‎to‏ ‎ensure ‎security‏ ‎due ‎to ‎its ‎two-password ‎history.

📌If‏ ‎the‏ ‎ntds.dit ‎file‏ ‎is ‎suspected‏ ‎to ‎have ‎been ‎exfiltrated, ‎reset‏ ‎all‏ ‎domain‏ ‎user ‎passwords.

📌Review‏ ‎and ‎adjust‏ ‎access ‎policies,‏ ‎temporarily‏ ‎revoking ‎or‏ ‎reducing ‎privileges ‎to ‎contain ‎affected‏ ‎accounts ‎and‏ ‎devices.

📌 Reset‏ ‎Non-Elevated ‎Account ‎Credentials:‏ ‎If ‎the‏ ‎threat ‎actor’s ‎access ‎is‏ ‎limited‏ ‎to ‎non-elevated‏ ‎permissions, ‎reset‏ ‎the ‎relevant ‎account ‎credentials ‎or‏ ‎access‏ ‎keys ‎and‏ ‎monitor ‎for‏ ‎further ‎signs ‎of ‎unauthorized ‎access,‏ ‎especially‏ ‎for‏ ‎administrative ‎accounts.

Network‏ ‎and ‎Device‏ ‎Configuration ‎Audit

📌 Audit‏ ‎Network‏ ‎Appliances ‎and‏ ‎Edge ‎Devices: ‎Check ‎for ‎signs‏ ‎of ‎unauthorized‏ ‎or‏ ‎malicious ‎configuration ‎changes.‏ ‎If ‎changes‏ ‎are ‎found:

📌Change ‎all ‎credentials‏ ‎used‏ ‎to ‎manage‏ ‎network ‎devices,‏ ‎including ‎keys ‎and ‎strings ‎securing‏ ‎network‏ ‎device ‎functions.

📌Update‏ ‎all ‎firmware‏ ‎and ‎software ‎to ‎the ‎latest‏ ‎versions.

Remote‏ ‎Access‏ ‎Tool ‎Usage

📌 Minimize‏ ‎and ‎Control‏ ‎Remote ‎Access:‏ ‎Follow‏ ‎best ‎practices‏ ‎for ‎securing ‎remote ‎access ‎tools‏ ‎and ‎protocols,‏ ‎including‏ ‎guidance ‎on ‎securing‏ ‎remote ‎access‏ ‎software ‎and ‎using ‎PowerShell‏ ‎securely.