
Theses and Dissertations
Advisor: Mittal, Sudip
Committee Member: Trawick, George
Committee Member: Perkins, Andy
Date of Degree: 5-16-2025
Original embargo terms: Immediate Worldwide Access
Document Type: Graduate Thesis - Open Access
Major: Cyber Security and Operations
Degree Name: Master of Science (M.S.)
College: James Worth Bagley College of Engineering
Department: Department of Computer Science and Engineering
Abstract
Living off the land (LOTL) attacks, in which adversaries misuse legitimate system tools rather than introducing their own malware, are an increasingly recognized threat, particularly as state-sponsored actors target critical infrastructure in the United States. These attacks are difficult to detect because they let attackers remain present in a system for an extended period without the user's knowledge. This thesis establishes an initial baseline of normal system activity specifically for Windows operating systems, focusing on CPU usage, memory utilization, and process activity, and it examines in particular the use of PowerShell alongside other applications. The findings from this baseline are used to develop detection rules that security tools can integrate to identify anomalies that deviate from normal system metrics. Finally, recommendations are made to extend this research by analyzing additional system tools and incorporating network activity into the baselines, so as to improve detection of these increasingly sophisticated and damaging attacks.
Recommended Citation
Phillips, Ashlyn Martin, "Establishing a baseline for detecting LOTL attacks in Windows operating systems" (2025). Theses and Dissertations. 6554.
https://scholarsjunction.msstate.edu/td/6554