Living-off-the-Land Abuse Detection Using Natural Language Processing and Supervised Learning

Living-off-the-Land is an evasion technique used by attackers where native binaries are abused to achieve malicious intent. Since these binaries are often legitimate system files, detecting such abuse is difficult and often missed by modern anti-virus software. This paper proposes a novel abuse detection algorithm using raw command strings. First, natural language processing techniques such as regular expressions and one-hot encoding are utilized for encoding the command strings as numerical token vectors. Next, supervised learning techniques are employed to learn the malicious patterns in the token vectors and ultimately predict the command's label. Finally, the model is evaluated using statistics from the training phase and in a virtual environment to compare its effectiveness at detecting new commands to existing anti-virus products such as Windows Defender.