by aigoochamna 1123 days ago
"Living off the land" in the context of this document means using readily available command line tools and utilities on infected devices?
5 comments

Kind of disappointing. I was hoping for a story about Chinese cells homesteading in Middle America to avoid detection between their cyber exploits.
Same. I felt clickbaited.
They're mostly in big cities like Vancouver and NYC. And more concerned with intimidating foreign nationals.
Given the recent news about Chinese hacks of Guam, I was thinking sailboat live aboard spies.
Yes, see for example [1].

[1] https://github.com/LOLBAS-Project/LOLBAS

Thanks, that makes more sense. Reading the document as an outsider was confusing :p

For a minute, I was worried there were some crazy nationalistic Chinese dudes living in the woods behind my house.

There might be.
This is exactly what I thought as well. Glad I am not the only one.
No, they’re at your local research university.
On Linux servers I always uninstall the compiler and dev tools. I actually wrote a little script to dry-run uninstall every single package on the server one by one, and if uninstalling it doesn't remove anything important I'll go ahead and uninstall it.

I'm left with only a bare minimum of stuff, even things like man pages or simple utils I'll uninstall.

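The dry-run-then-remove loop described above, as an added example; this is not the commenter's script. It assumes a Debian/Ubuntu host (apt-get's simulate mode prints a "Remv <pkg> [<version>]" line for every package it would take out, and a "essential packages will be removed" warning when a dependency chain reaches the base system) and a PROTECTED set, which is an assumed placeholder to be edited for the server at hand. Each package is simulated against the current state, so the loop only stays accurate if you actually remove each "removable" package before moving on, as the commenter does.

```python
"""Dry-run audit of removable packages on a Debian/Ubuntu host.

Added example, not the commenter's own script. PROTECTED is an assumed
placeholder list of packages that must survive; apt-get's "Remv"/"Purg"
lines and its essential-package warning are both treated as a veto.
"""
import re
import subprocess

PROTECTED = {"openssh-server", "systemd", "libc6", "sudo", "dpkg", "apt"}
ESSENTIAL_WARNING = "essential packages will be removed"
REMV_RE = re.compile(r"^(?:Remv|Purg) (\S+)")


def removed_by(sim_output):
    """Package names that `apt-get -s remove` says it would remove, in order."""
    names = []
    for line in sim_output.splitlines():
        m = REMV_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def collateral(sim_output, protected=PROTECTED):
    """Protected packages that would be pulled out along with the target."""
    return sorted(p for p in removed_by(sim_output) if p in protected)


def is_safe(sim_output, protected=PROTECTED):
    """True only if nothing protected and nothing essential would be removed."""
    if ESSENTIAL_WARNING in sim_output:
        return False
    return not collateral(sim_output, protected)


def simulate_remove(pkg):
    """Run apt-get in simulate mode. stdin is closed so that any
    'Yes, do as I say!' prompt aborts the run instead of hanging it."""
    proc = subprocess.run(
        ["apt-get", "-s", "remove", pkg],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, check=False,
    )
    return proc.stdout + proc.stderr


def installed_packages():
    """Every installed package name according to dpkg."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f=${Package}\n"],
        capture_output=True, text=True, check=True,
    ).stdout
    return out.split()


def audit(packages=None, simulate=simulate_remove):
    """Classify each package as removable or blocked (with the reason).
    `simulate` is injectable so the logic can be exercised offline."""
    result = {"removable": [], "blocked": {}}
    pkgs = packages if packages is not None else installed_packages()
    for pkg in pkgs:
        out = simulate(pkg)
        if is_safe(out):
            result["removable"].append(pkg)
        else:
            result["blocked"][pkg] = collateral(out) or ["essential"]
    return result


if __name__ == "__main__":
    report = audit()
    for pkg in report["removable"]:
        print("removable:", pkg)
    for pkg, why in report["blocked"].items():
        print("keep:", pkg, "->", ", ".join(why))
```

Run it as root on the host; it never removes anything itself, it only reports. Removing a "removable" package and re-running keeps the simulation honest against the new state.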
If the intruder has gotten far enough to be in a position to run a compiler, he'll just upload it if it isn't there.
Maybe, maybe not. Compilers are quite large, especially once you include dev versions of system libraries.
If you're uploading a compiler you could just upload a binary. Unless it's a very specific system you can probably just put it together "at home" and slap it in there.
I think you entirely missed my point. Because there is no compiler they have to upload something.

With a compiler they can compile something locally which is easier to do.

Summary, paragraph 3: [One of the actor's primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell.]
ntdsutil does not ship with Windows by default.
Yeah, it seems to be a very hot term in cyber security atm.
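The excerpt's point is that the four binaries it names are legitimate, so their mere presence in a process-creation log is not a signal; what an analyst keys on is the command line and the parent process. The following is an added example, not code from the advisory or from anyone in this thread: a small detector run over constructed process-creation records. The command-line patterns and the "odd parent" list are assumptions chosen for illustration, not indicators taken from the advisory.

```python
"""Flag the built-in tools the excerpt lists (wmic, ntdsutil, netsh,
PowerShell) only when the command line or parent process looks wrong.

Added example; the sample events, SUSPICIOUS patterns and ODD_PARENTS
are all constructed/assumed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


# The built-in tools named in the advisory excerpt.
LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Parents from which an admin tool is unexpected (assumed list).
ODD_PARENTS = {"w3wp.exe", "httpd.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Command-line shapes that are rarely routine administration (assumed).
SUSPICIOUS = [
    ("wmic remote process launch",
     re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("ntdsutil ifm dump",
     re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("netsh portproxy",
     re.compile(r"\bnetsh\b.*\bportproxy\b", re.I)),
    ("powershell encoded/hidden",
     re.compile(r"\bpowershell\b.*(-enc\w*|-w(indowstyle)?\s+hidden)", re.I)),
]


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reasons_for(ev):
    """Why this event is worth a look; empty list means it looks routine."""
    if basename(ev.image) not in LOLBINS:
        return []
    reasons = [label for label, rx in SUSPICIOUS if rx.search(ev.cmdline)]
    parent = basename(ev.parent_image)
    if parent in ODD_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def detect(events):
    """(host, image, reasons) for every event that has at least one reason."""
    hits = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            hits.append((ev.host, basename(ev.image), reasons))
    return hits


# Constructed sample: one routine netsh call, four abuse-shaped ones, one non-LOLBin.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\netsh.exe",
              "netsh advfirewall show allprofiles"),
    ProcEvent("dc01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\ntdsutil.exe",
              'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'),
    ProcEvent("ws02", "CORP\\jdoe", "C:\\Program Files\\Microsoft Office\\winword.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("srv01", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectaddress=10.0.0.5 connectport=3389"),
    ProcEvent("ws01", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\wbem\\wmic.exe",
              'wmic /node:srv02 process call create "cmd /c whoami"'),
    ProcEvent("ws03", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, image, reasons in detect(SAMPLE_EVENTS):
        print(f"{host}: {image}: {'; '.join(reasons)}")
```

The routine `netsh advfirewall show` call produces nothing, which is the whole point: the same binary is benign or not depending on arguments and context, so the logic has to live in the conditions rather than in an image-name blocklist. In production the events would come from Security event 4688 (with command-line auditing enabled) or Sysmon event 1 rather than a constructed list.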