Living Off the Land as a Defender: Detecting Attacks with Flexible Baselines

Living Off the Land as a Defender: Detecting Attacks with Flexible Baselines (PDF, 3.62MB). Published: 15 Mar, 2023
Created by: Justin Store

Attackers often “live off the land” by using tools built into Windows (and other operating systems) to accomplish their goals. These OS-native tools are particularly effective because they offer a range of powerful capabilities, are rarely blocked, and are difficult to monitor. While evidence is available in the Windows event logs, defenders often struggle to detect these attacks because these tools have many legitimate uses, creating a high volume of potential false positives. However, defenders can also live off the land using some of these same built-in tools to gain visibility into these attacks. PowerShell can use regular expressions to flexibly define a baseline of normal activity. Because regular expressions can be applied to any combination of fields extracted from event logs (such as process name, parent process, and command arguments), they enable defenders to filter out noise with surgical precision. Any remaining activity is considered abnormal and can be recorded for further analysis. This method of anomaly-based detection enables defenders to build highly customizable baselines to minimize false positives efficiently. Furthermore, this method can be expanded beyond process monitoring to other Windows event types and nearly any structured log or tool output data.
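The abstract describes matching regular expressions against any combination of process-creation fields and keeping whatever no baseline rule explains. The script below is an added illustration of that approach, not code from the paper: the field names follow Security event 4688 (NewProcessName, ParentProcessName, CommandLine), the baseline rules and the three sample events are constructed for the demo, and the `Get-WinEvent` call in the comment is where a real deployment would read the log instead.

```powershell
# Added example, not from the paper. A baseline is a list of rules; each rule holds
# one regex per field it cares about. An event is "normal" when every regex of at
# least one rule matches it; fields a rule does not mention are not checked, which
# is what lets a rule be as broad or as surgical as needed. -match is
# case-insensitive by default, so no (?i) flag is needed.
$Baseline = @(
    # svchost is normal only when services.exe started it.
    @{ NewProcessName    = '^C:\\Windows\\System32\\svchost\.exe$'
       ParentProcessName = '^C:\\Windows\\System32\\services\.exe$' },
    # conhost is accepted regardless of parent or arguments.
    @{ NewProcessName    = '^C:\\Windows\\System32\\conhost\.exe$' },
    # PowerShell is normal only from the service host and only with this exact
    # argument shape (a hypothetical scheduled patch script).
    @{ NewProcessName    = '\\powershell\.exe$'
       ParentProcessName = '\\svchost\.exe$'
       CommandLine       = '^"?[^ ]*powershell\.exe"? -File C:\\Scripts\\Patch\.ps1$' }
)

function Test-Baseline {
    param([hashtable]$Record, [array]$Rules)
    foreach ($rule in $Rules) {
        $allMatch = $true
        foreach ($field in $rule.Keys) {
            # A missing field becomes '' and fails the rule rather than matching by accident.
            if (-not ([string]$Record[$field] -match $rule[$field])) { $allMatch = $false; break }
        }
        if ($allMatch) { return $true }
    }
    return $false
}

# Constructed sample events. In production, build these from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } instead.
$Events = @(
    @{ NewProcessName = 'C:\Windows\System32\svchost.exe'; ParentProcessName = 'C:\Windows\System32\services.exe'; CommandLine = 'svchost.exe -k netsvcs' },
    @{ NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcessName = 'C:\Windows\System32\svchost.exe'; CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Scripts\Patch.ps1' },
    @{ NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'powershell.exe -w hidden -enc BASE64_PLACEHOLDER' }
)

# Everything no rule explains is the anomaly set; here only the Word-spawned PowerShell survives.
$Anomalies = $Events | Where-Object { -not (Test-Baseline -Record $_ -Rules $Baseline) }
$Anomalies | ForEach-Object { [pscustomobject]$_ } | Export-Csv -Path .\anomalies.csv -NoTypeInformation
```

Tightening a rule is just editing its regex or adding a field to it, so the baseline grows with the environment without touching the matching logic.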