
LOTL Hunter Playbook: Detect Living-Off-The-Land Attacks in Air-Gapped Networks

By Jeff Gray — Federal CISA IR Training Lead, Air Force Veteran, 30+ Years OT/ICS Security

Published: June 10, 2026 • Last Updated: June 10, 2026

Executive Summary: Living-Off-The-Land (LOTL) attacks in OT environments use legitimate tools, protocols, and system functions to evade detection. This playbook provides practical, passive-only detection methods for air-gapped networks using Zeek, log analysis, and behavioral baselining.

1. What Are LOTL Attacks?

LOTL attacks leverage existing system tools and native OT protocols (DNP3, Modbus, IEC 60870-5-104, OPC-UA) rather than deploying custom malware. The attacker "lives off the land" using what is already present in the environment.

Common LOTL Techniques in OT:

Technique | Description | Detection Method
Legitimate engineering tools used maliciously | Attackers use official vendor software to program PLCs | Zeek protocol parsing + access control lists
Abuse of maintenance accounts | Stolen credentials for authorized OT tools | Behavioral anomaly detection on account activity
Protocol manipulation | Modified DNP3/Modbus commands using standard protocol | Deep protocol parsing with Zeek DNP3/Modbus modules
Supply chain implants | Backdoored engineering software or firmware updates | Integrity monitoring + hash verification

2. Passive Detection Architecture for Air-Gapped Networks

2.1 Data Sources (No Active Scanning)

2.2 Key Zeek Logs for LOTL Detection

Log File | What It Detects | Alert Trigger
dnp3.log | Unauthorized DNP3 command writes | Function code 21 (Direct Operate) from unknown IP
modbus.log | Malicious Modbus coil/register writes | Function code 5/15/6/16 from non-master device
conn.log | Unexpected connections to OT assets | New source IP communicating with PLC/RTU ranges
http.log | Web-based HMI/admin access | Access to engineering web interfaces from unauthorized hosts

3. Baseline Establishment

Step 1: Map Normal Traffic (2-4 weeks)

Before detecting anomalies, you must know what normal looks like. Run Zeek passively for at least two weeks to capture normal polling intervals, typical command sequences, and authorized IP addresses.

Step 2: Document Authorized Change Windows

Coordinate with operations to identify all scheduled maintenance, firmware updates, and engineering work. Any activity outside these windows should be treated as suspicious.

4. Detection Rules (Passive-Only)

Rule 1: Unauthorized DNP3 Direct Operate

# Monitor Zeek dnp3.log for Direct Operate commands from non-master IPs.
# Note: in the DNP3 application layer, Direct Operate is function code 5
# (6 for the no-acknowledgement form); code 21 is Disable Unsolicited Messages.
if (dnp3_fc in [5, 6] && src_ip not in authorized_masters) {
  alert("CRITICAL: Unauthorized DNP3 Direct Operate from " + src_ip);
}

Rule 2: Modbus Write Functions Outside Maintenance Window

# Function codes 5 (Write Single Coil), 15 (Write Multiple Coils),
# 6 (Write Single Register), 16 (Write Multiple Registers)
if (modbus_fc in [5,6,15,16] && not maintenance_window) {
  alert("HIGH: Modbus write function outside maintenance window");
}

Rule 3: New IP Address Communicating with PLCs

# Check conn.log for new source addresses talking to known PLC ranges
if (new_connection_to_plc_range && src_ip not in whitelist) {
  alert("MEDIUM: New IP " + src_ip + " communicating with OT asset " + dst_ip);
}
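The three rules above applied to Zeek log records in Python, as an added example that is not part of the original playbook. The log lines are constructed to mimic Zeek's tab-separated dnp3.log, modbus.log and conn.log (Zeek records the request function by name rather than by number, so matching is on names such as DIRECT_OPERATE and WRITE_SINGLE_COIL); the master IP, PLC subnet, baseline set and maintenance window are assumed placeholders, and Rule 1 is widened to also cover Operate and the no-acknowledgement Direct Operate form.

```python
import ipaddress
# Assumed baseline values (placeholders, not taken from any real site).
AUTHORIZED_MASTERS = {"10.10.1.5"}                    # SCADA master(s)
PLC_RANGES = [ipaddress.ip_network("10.10.20.0/24")]  # PLC/RTU subnet
MAINT_WINDOW = (1780966800.0, 1780981200.0)           # epoch seconds, 2026-06-09 01:00-05:00 UTC
# Zeek writes the request function code by name (dnp3.log fc_request, modbus.log func),
# not by number; on the wire DNP3 Direct Operate is FC 5 (FC 6 for the no-ack form).
DNP3_CONTROL = {"DIRECT_OPERATE", "DIRECT_OPERATE_NR", "OPERATE"}
MODBUS_WRITES = {"WRITE_SINGLE_COIL", "WRITE_MULTIPLE_COILS", "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS"}

def parse_zeek(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def check(log, text, baseline):
    """Apply the rule for one log type; baseline = source IPs seen during the 2-4 week map."""
    alerts = []
    for r in parse_zeek(text):
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if log == "dnp3" and r["fc_request"] in DNP3_CONTROL and src not in AUTHORIZED_MASTERS:
            alerts.append(f"CRITICAL: Unauthorized DNP3 {r['fc_request']} from {src} to {dst}")
        elif (log == "modbus" and r["func"] in MODBUS_WRITES
              and not MAINT_WINDOW[0] <= float(r["ts"]) <= MAINT_WINDOW[1]):
            alerts.append(f"HIGH: Modbus {r['func']} from {src} outside maintenance window")
        elif (log == "conn" and src not in baseline
              and any(ipaddress.ip_address(dst) in net for net in PLC_RANGES)):
            alerts.append(f"MEDIUM: New IP {src} communicating with OT asset {dst}")
            baseline.add(src)  # report each new source once, then keep tracking it
    return alerts

# Constructed sample records (tab-separated, trimmed to the columns the rules use).
DNP3_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfc_request\tfc_reply\tiin\n"
            "1780990000.1\tCa1\t10.10.1.5\t49152\t10.10.20.7\t20000\tREAD\tRESPONSE\t0\n"
            "1780990001.2\tCa2\t10.10.30.44\t49153\t10.10.20.7\t20000\tDIRECT_OPERATE\tRESPONSE\t0\n")
MODBUS_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception\n"
              "1780970000.0\tCb1\t10.10.1.5\t50000\t10.10.20.8\t502\tWRITE_SINGLE_COIL\t-\n"
              "1781000000.0\tCb2\t10.10.1.5\t50001\t10.10.20.8\t502\tWRITE_SINGLE_COIL\t-\n"
              "1781000001.0\tCb3\t10.10.1.5\t50002\t10.10.20.8\t502\tREAD_HOLDING_REGISTERS\t-\n")
CONN_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
            "1780990000.0\tCc1\t10.10.1.5\t49152\t10.10.20.7\t20000\ttcp\tdnp3\n"
            "1780990002.0\tCc2\t10.10.30.44\t49153\t10.10.20.9\t502\ttcp\tmodbus\n"
            "1780990003.0\tCc3\t10.10.30.44\t49154\t10.10.20.10\t502\ttcp\tmodbus\n")
def run_all(baseline):  # combined alerts from all three rules over the sample records
    return (check("dnp3", DNP3_LOG, baseline) + check("modbus", MODBUS_LOG, baseline)
            + check("conn", CONN_LOG, baseline))
```

With the sample records, the in-window Modbus write and the master's own DNP3 read produce nothing, the second appearance of the new source is suppressed, and three alerts remain (one per rule).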

5. Response Procedures

Immediate Actions (Passive Response Only)

  1. Do NOT interact with the OT network — this could trigger safety devices
  2. Document all observed indicators (source IP, timestamp, protocol, function codes)
  3. Notify OT operations and security leadership
  4. Preserve log evidence for forensic analysis
  5. Follow site incident response plan

6. LOT-Squatch AI Agent Integration

The LOT-Squatch passive AI agent automates much of this analysis by:

Remember: Your detection system must NEVER initiate active probes, scans, or commands in an OT environment. Even a single improperly timed ping can cause protective devices to trip.

7. Further Reading & Standards

Free Download

Download the OT Risk Management Guide v2.0 (Quantitative FAIR-based OT risk calculator, $24.99 — includes LOTL detection templates and checklists).

© 2026 Cyborama LLC • This playbook is updated monthly. Last reviewed: June 2026.