From a threat intelligence perspective, this post presents the Tactic, Technique and Procedure (TTP), which can be best described as Living Off The Land at Scale (LOTLS).
Traditionally, Living Off The Land has been used to describe the actions of a threat actor who wants to remain in an environment long-term and avoid detection. In an enterprise network, threat actors would “live off the land” using the tools available and allowed in the environment, such as Powershell, psexec, Windows Management Interface Command-Line (WMIC), and even Group Policy Objects (GPO) — a more recent addition to this mix. In short, threat actors infiltrate the target environment and discover which tools they can use, and which ones are not well monitored so they can just hang out. LOTLS takes this concept and expands it by using cost effective, if not free, offerings to support their campaigns.