Full Report
But if you didn’t see a red-flag signal during a scan of the network, you’re not alone: Almost 7,500 organizations around the world were hit by ransomware last year—and there are lots of ways into even the most hardened systems. During a recent IT Brew event, an attendee asked: “What do early signs of intrusion actually look like in practice? What are the signals that teams most commonly miss before it escalates?” We posed the question to security pros, who shared the entry points you might be missing.
Analysis Summary
# Tool/Technique: Living-off-the-Land (LotL) and Early Ransomware Stage Indicators
## Overview
This technique involves threat actors utilizing legitimate system tools (PowerShell, Remote Management Tools) and compromising valid accounts to blend into normal network traffic. The purpose is to maintain persistence, conduct reconnaissance, and escalate privileges without triggering traditional signature-based security alerts before deploying ransomware.
## Technical Details
- **Type:** Technique / Infostealer & Commodity Malware
- **Platform:** Windows (primarily), Cloud (M365), VPN/Perimeter Gateways
- **Capabilities:** Credential theft, remote command execution, data exfiltration, lateral movement, and MFA manipulation.
- **First Seen:** Ongoing; specifically highlighted in trends from 2025-2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1078 - Valid Accounts]
  - [T1133 - External Remote Services] (VPN, Cloud Access)
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
- **[TA0003 - Persistence]**
  - [T1556.006 - Modify Authentication Process: Multi-Factor Authentication] (Unauthorized device enrollment)
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information] (Encoded PowerShell)
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Discovery] (Scanning perimeter devices)
- **[TA0010 - Exfiltration]**
  - [T1020 - Automated Exfiltration] (Unusual data spikes)
## Functionality
### Core Capabilities
- **Scripted Execution:** Use of PowerShell to execute commands, often utilizing Base64 encoding to bypass static analysis.
- **Identity Exploitation:** Compromising administrative or "IT person" accounts to perform actions that look like legitimate maintenance.
- **Remote Management:** Use of legitimate RMM (Remote Monitoring and Management) tools to control systems externally.
### Advanced Features
- **MFA Manipulation:** Enrolling new rogue devices into a user's Multi-Factor Authentication profile to maintain persistent access.
- **Stealth Data Access:** Performing "mass file-access" during non-business hours to stage data for exfiltration.
- **Mailbox Rules:** Creating hidden rules in Microsoft 365 to intercept communications or hide activity.
## Indicators of Compromise
- **File Hashes:** N/A (Focus is on legitimate tool abuse / "Fileless" activity).
- **File Names:** Commonly abused RMM tools (e.g., AnyDesk, ScreenConnect, TeamViewer).
- **Registry Keys:** Changes to `HKCU\Software\Microsoft\Office\16.0\Outlook\Rules` (for mailbox rule manipulation).
- **Network Indicators:**
  - Unusual IP addresses logging into VPN/Cloud portals.
  - Large outbound data transfers to unauthorized cloud storage providers (e.g., Mega[.]nz, Dropbox).
  - Scanning activity originating from internal hosts against perimeter firewalls.
- **Behavioral Indicators:**
  - `powershell.exe` execution featuring `-EncodedCommand` or `-e`.
  - Successful logins from unusual geographic locations or at "weird hours."
  - Spikes in file access requests by a single service or user account.
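The encoded-PowerShell indicator above is easy to state and easy to get wrong in a detection rule, because `powershell.exe` accepts any unambiguous prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, ...) and the argument is Base64 of a UTF-16LE string, not of plain ASCII. The following added example (it is not code from the original page or from any vendor) scans constructed process-creation log lines in a simple `key=value` format of my own choosing, matches the flag variants, decodes the payload so an analyst can see what was actually run, and reports the Shannon entropy of the command line for the "high entropy" heuristic mentioned later in the report. The log format, host names and the encoded script are all constructed for the example.

```python
import base64
import math
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (and -ec),
# so build the alternation from every prefix rather than hard-coding -e / -enc.
_PREFIXES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?P<flag>" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r")"
    r"\s+(?P<b64>[A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; obfuscated/encoded command lines score higher than plain ones."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(b64: str):
    """Return the decoded script, or None if the argument is not valid Base64(UTF-16LE)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def parse_log_line(line: str) -> dict:
    """Parse the constructed key=value / key="quoted value" log format used below."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}


def scan_process_logs(lines):
    """Return one finding per PowerShell process that used an encoded-command switch."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        image = rec.get("image", "").lower()
        if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
            continue
        cmd = rec.get("cmdline", "")
        m = _ENC_RE.search(cmd)
        if not m:
            continue
        findings.append({
            "host": rec.get("host"),
            "user": rec.get("user"),
            "flag": "-" + m.group("flag"),
            "entropy": round(shannon_entropy(cmd), 2),
            "decoded": decode_encoded_command(m.group("b64")),  # None => undecodable
        })
    return findings


def encode_for_powershell(script: str) -> str:
    """Helper used only to build realistic sample data: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample log lines (not from any real environment).
SAMPLE_LOGS = [
    f'host=WS01 user=jdoe image={_PS} cmdline="powershell.exe -ExecutionPolicy Unrestricted -Command Get-Service"',
    f'host=WS02 user=svc_backup image={_PS} cmdline="powershell.exe -nop -w hidden -e '
    f'{encode_for_powershell("Write-Output " + chr(39) + "encoded test" + chr(39))}"',
    f'host=WS03 user=admin image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami"',
    f'host=WS04 user=jdoe image={_PS} cmdline="powershell.exe -enc AAAAAAAAAAA"',  # truncated payload
]

if __name__ == "__main__":
    for f in scan_process_logs(SAMPLE_LOGS):
        print(f)
```

The first sample line is a deliberate negative: `-ExecutionPolicy Unrestricted` looks like `-E` followed by a Base64-ish word, and a naive `-e` substring match would flag it; requiring whitespace directly after the switch avoids that. The last line shows the undecodable path, which is still worth alerting on since a malformed encoded command is not something legitimate tooling produces.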
## Associated Threat Actors
- **Ransomware Affiliates:** Various groups utilizing commodity malware (Infostealers/Loaders) as "initial access" preceding ransomware.
- **General Groups:** Actors targeting vulnerable perimeter devices (Firewalls/VPNs).
## Detection Methods
- **Behavioral detection:** Monitoring for PowerShell execution with high entropy or obfuscated strings.
- **Identity Analytics:** Tracking "Impossible Travel" and unauthorized MFA device registration in M365/Entra ID.
- **Network Traffic Analysis (NTA):** Detecting anomalies in data volume (egress spikes) and internal port scanning.
- **Log Correlation:** Connecting disparate signals like a "weird phone call" (social engineering) followed by a successful VPN login.
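Two of the detection methods above, "impossible travel" and unauthorized MFA device registration, are most useful when correlated: a sign-in that could not have been made by the same person who signed in an hour earlier, followed shortly by a new MFA device, is a stronger signal than either event alone. The following added example (not code from the page and not any vendor's rule) runs that logic over constructed sign-in and MFA-enrollment events. The event schema, user names, IPs and coordinates are assumptions made for the example; in practice the fields would come from the identity provider's sign-in and audit logs. The speed threshold of 900 km/h is a constructed value roughly at airliner speed.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def analyze_identity_events(events, max_speed_kmh=900.0, mfa_window=timedelta(hours=24)):
    """Flag impossible travel between successful sign-ins and MFA enrollments that follow it."""
    alerts = []
    last_signin = {}    # user -> (timestamp, event) of the previous successful sign-in
    flagged_at = {}     # user -> timestamp of the most recent impossible-travel alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "signin" and ev.get("result") == "success":
            prev = last_signin.get(user)
            if prev is not None:
                prev_ts, prev_ev = prev
                km = haversine_km(prev_ev["lat"], prev_ev["lon"], ev["lat"], ev["lon"])
                hours = (ts - prev_ts).total_seconds() / 3600.0
                # Two distant logins at the same instant have infinite implied speed.
                speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
                if speed > max_speed_kmh:
                    alerts.append({
                        "rule": "impossible_travel", "user": user,
                        "from_ip": prev_ev["ip"], "to_ip": ev["ip"],
                        "km": round(km), "speed_kmh": round(speed),
                    })
                    flagged_at[user] = ts
            last_signin[user] = (ts, ev)
        elif ev["type"] == "mfa_device_registered":
            t0 = flagged_at.get(user)
            if t0 is not None and timedelta(0) <= ts - t0 <= mfa_window:
                alerts.append({
                    "rule": "mfa_enrollment_after_impossible_travel", "user": user,
                    "device": ev.get("device"), "minutes_after_flag": int((ts - t0).total_seconds() // 60),
                })
    return alerts


# Constructed sample events (not real tenant data); coordinates are approximate city centres.
SAMPLE_EVENTS = [
    {"user": "jdoe", "ts": "2025-03-10T08:05:00", "type": "signin", "result": "success",
     "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278},    # London
    {"user": "jdoe", "ts": "2025-03-10T09:10:00", "type": "signin", "result": "success",
     "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},   # New York, 65 minutes later
    {"user": "jdoe", "ts": "2025-03-10T09:25:00", "type": "mfa_device_registered",
     "device": "Authenticator app (unknown phone)"},
    {"user": "asmith", "ts": "2025-03-10T08:00:00", "type": "signin", "result": "success",
     "ip": "203.0.113.55", "lat": 48.8566, "lon": 2.3522},     # Paris
    {"user": "asmith", "ts": "2025-03-10T17:00:00", "type": "signin", "result": "success",
     "ip": "203.0.113.56", "lat": 50.8503, "lon": 4.3517},     # Brussels, 9 hours later: plausible
    {"user": "asmith", "ts": "2025-03-10T17:30:00", "type": "mfa_device_registered",
     "device": "Hardware key"},                                 # no prior flag, not correlated
]

if __name__ == "__main__":
    for a in analyze_identity_events(SAMPLE_EVENTS):
        print(a)
```

Only successful sign-ins feed the travel check, since failed attempts from arbitrary locations are noise for this rule. The MFA correlation is intentionally one-directional (enrollment after the flagged sign-in, within a window); a standalone enrollment audit, as the mitigation section recommends, would be a separate rule.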
## Mitigation Strategies
- **Hardening Recommendations:** Enforce "Phishing-Resistant" MFA; disable PowerShell for non-administrative users.
- **Identity Security:** Audit MFA enrollment logs regularly and restrict administrative logins to specific management workstations.
- **Perimeter Security:** Patching firewalls and VPN gateways promptly to prevent vulnerability-based initial access.
- **Data Protection:** Implement File Integrity Monitoring (FIM) and alert on mass file modification/read events.
## Related Tools/Techniques
- **Living off the Land Binaries (LoLBins):** Utilizing native OS files for malicious purposes.
- **Infostealers:** Preliminary malware used to harvest the credentials required for these techniques.
- **RMM Tools:** Use of AnyDesk, ConnectWise, etc., for unauthorized remote control.