
Sign up to save your podcasts
Or


A living off the land attack is one of the sneakiest techniques in a ransomware operator's playbook — and in this episode, Dr. Mike Saylor breaks down exactly what it is, how it works, and what your organization can actually do about it.
Instead of bringing their own tools into your environment (which might trip your alarms), attackers just use what's already there. PowerShell. WMI. RDP. The same tools your admins run every single day. To your monitoring systems, it looks completely normal. That's the whole point.
Mike and Curtis cover why attackers prefer your tools over their own, how recon can quietly run for 30 to 90 days before the attack goes loud, and what defenders can actually do about it — removing admin privileges, system hardening, golden images, application whitelisting, and free tools like Nmap and Wireshark. There's also a match.com story involving organized crime and a wooden casket on someone's front porch that you really don't want to miss.
0:00 - Intro
1:21 - Welcome and Book Announcement
3:28 - What Is a Living Off the Land Attack?
5:38 - Real-World Example: Conti Ransomware and WMI
8:12 - Why Attackers Use Your Tools Instead of Their Own
13:05 - Admin Privileges: Best Practice vs. Reality
17:31 - The Louvre Heist Analogy
20:08 - Recon Phase: Low and Slow
24:16 - What Defenders Can Do
25:55 - RDP and Remote Access
29:48 - The Recon Timeline: 30-90 Days
30:48 - PowerShell and System Hardening
34:10 - Network Discovery Tools (Nmap and Wireshark)
37:37 - Application Whitelisting and Geo IP Blocking
42:08 - Action Items and Wrap-Up
By W. Curtis Preston (Mr. Backup)4.7
2626 ratings
A living off the land attack is one of the sneakiest techniques in a ransomware operator's playbook — and in this episode, Dr. Mike Saylor breaks down exactly what it is, how it works, and what your organization can actually do about it.
Instead of bringing their own tools into your environment (which might trip your alarms), attackers just use what's already there. PowerShell. WMI. RDP. The same tools your admins run every single day. To your monitoring systems, it looks completely normal. That's the whole point.
Mike and Curtis cover why attackers prefer your tools over their own, how recon can quietly run for 30 to 90 days before the attack goes loud, and what defenders can actually do about it — removing admin privileges, system hardening, golden images, application whitelisting, and free tools like Nmap and Wireshark. There's also a match.com story involving organized crime and a wooden casket on someone's front porch that you really don't want to miss.
0:00 - Intro
1:21 - Welcome and Book Announcement
3:28 - What Is a Living Off the Land Attack?
5:38 - Real-World Example: Conti Ransomware and WMI
8:12 - Why Attackers Use Your Tools Instead of Their Own
13:05 - Admin Privileges: Best Practice vs. Reality
17:31 - The Louvre Heist Analogy
20:08 - Recon Phase: Low and Slow
24:16 - What Defenders Can Do
25:55 - RDP and Remote Access
29:48 - The Recon Timeline: 30-90 Days
30:48 - PowerShell and System Hardening
34:10 - Network Discovery Tools (Nmap and Wireshark)
37:37 - Application Whitelisting and Geo IP Blocking
42:08 - Action Items and Wrap-Up

289 Listeners

375 Listeners

648 Listeners

201 Listeners

1,030 Listeners

317 Listeners

8,051 Listeners

178 Listeners

313 Listeners

72 Listeners

203 Listeners

136 Listeners

45 Listeners

167 Listeners

1,092 Listeners