
A look at how attackers abuse built-in system tools for stealthy compromises.
Living off the Land (LotL) attacks (also referred to as “fileless attacks”) have been a persistent threat in cybersecurity for over a decade. In these attacks, malicious actors leverage legitimate applications, system tools, and processes to carry out malicious activity, thereby evading traditional security measures. The term “Living off the Land” was coined around 2013, but the concept has been in practice for much longer. Over the years, the prevalence of LotL attacks has increased drastically. CrowdStrike, for example, reported in 2023 that 62% of detections involved LotL techniques. This continued into 2024, with a notable rise in cyberattacks employing LotL methods, particularly by nation-state actors targeting critical infrastructure. The increasing sophistication and frequency of these attacks underscore the importance of robust security measures and continuous monitoring to detect and mitigate these kinds of threats.
According to the Center for Internet Security, fileless malware and LotL techniques were projected to account for 50% of total attacks against enterprise environments in 2022, matching the frequency of file-based attacks for the first time. Furthermore, ReliaQuest reported that in 2023, 86.2% of critical customer incidents involved fileless malware, with many utilizing LotL techniques by abusing legitimate Windows binaries such as Rundll32, Msiexec, and Mshta.
One of the primary reasons LotL attacks are so effective is that they rely on commonly available system binaries and scripts that administrators and users legitimately require for day-to-day operations, or that are simply present by default. Because they blend in with genuine processes, the attacks often go unnoticed amid regular system activity. PowerShell and Windows Management Instrumentation (WMI) are two of the most frequently abused tools: both are extremely powerful for configuration and automation, typically allowed in enterprise environments, and can operate without producing obvious file-based artifacts. For example, malicious actors can Base64-encode PowerShell commands or apply simple obfuscation to conceal a script from security tools that rely on string matching or command-line scanning. Similarly, WMI can launch processes remotely, loading malicious payloads directly into memory and leaving minimal forensic evidence on disk. Malicious actors also abuse native binaries catalogued in resources such as GTFOBins (for Unix-like systems) and LOLBAS (Living Off the Land Binaries and Scripts, for Windows), where executables like mshta.exe, rundll32.exe, and regsvr32.exe are repurposed to run malicious code. Even in highly locked-down environments with application whitelisting, these binaries frequently remain trusted and permitted, making them a valuable vector for privilege escalation, lateral movement, and persistence.
Real-world examples illustrate just how damaging such stealthy attacks can be. In the high-profile SolarWinds attack of 2020, adversaries injected malicious code into legitimate software updates for SolarWinds Orion, effectively disguising the initial infection route. Once inside, they leveraged trusted Windows processes to escalate privileges and pivot through networks. Similarly, the FIN7 cybercrime group, known for sophisticated banking and point-of-sale intrusions, used mshta.exe to execute JavaScript payloads. By taking advantage of a benign Windows binary, the malicious actors bypassed strict security policies that would have blocked a typical malware executable. Another group, APT29 (aka Cozy Bear), demonstrated how threat actors could rely on PowerShell and WMI to issue commands on compromised machines without ever dropping a traditional piece of malware onto the disk. In each case, the overarching theme was a reliance on the tools already installed and accepted by the target environment, avoiding classic indicators of compromise and making threat hunting much more challenging for defenders.
Defending against LotL attacks requires a multi-pronged approach. Endpoint Detection and Response solutions still serve as a foundation, though they must be fine-tuned to recognize suspicious patterns within legitimate processes. Modern EDR tools monitor script execution, interprocess communication, and unusual command-line arguments, and extend this with behavioral or heuristic analysis, rather than depending on simple file-based scanning. Organizations can layer additional defenses, such as Sysmon logging, to spot abnormal usage of PowerShell or built-in Windows binaries like rundll32.exe. Implementing an effective logging strategy, where security teams or managed security providers proactively parse and correlate events in near real time, helps identify anomalies indicative of malicious behavior. The MITRE ATT&CK framework provides an excellent reference for mapping known LotL techniques (often categorized under T1218 – System Binary Proxy Execution and T1059 – Command and Scripting Interpreter) to detection rules, ensuring that defenders systematically look for red flags across the different phases of an attack.
Another critical measure is application control, sometimes achieved via solutions like AppLocker or Windows Defender Application Control (WDAC). While it can be challenging to block tools such as PowerShell and wmic.exe fully, organizations can enforce stricter policies or “constrained language mode” to limit script capabilities. For example, disabling PowerShell v2, which is outdated and often lacks certain security improvements, can significantly reduce an attacker’s options. However, it is crucial for security teams and system administrators to maintain an informed balance. Locking down or entirely removing tools that administrators genuinely need can be disruptive and cause friction with operations teams. Therefore, a carefully curated allowlist with continuous monitoring can enhance security without crippling day-to-day workflow.
Even with these measures in place, threat actors skilled in evasion techniques can still find cracks to exploit. Strict network segmentation, regular patching, and the principle of least privilege help reduce the blast radius when an attacker does succeed in abusing built-in tools. Compartmentalizing access to administrative utilities on a need-to-use basis can prevent threat actors from having free rein across the environment once they have compromised an initial endpoint. Likewise, logging suspicious command lines or high-risk processes in security information and event management (SIEM) platforms ensures that unusual spikes in usage, like an end-user suddenly running wmic.exe for remote process calls, stand out in routine security reviews or automated alerts.
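As an added example (not code from the original article or from Redbot Security), the following Python sketch applies the detection ideas from the paragraphs above to constructed, Sysmon-style process-creation records: it decodes a PowerShell -EncodedCommand argument (Base64 over UTF-16LE text) and maps hits on encoded PowerShell, WMI remote process creation, and rundll32.exe loading a DLL from a user-writable path to the ATT&CK technique IDs the article references. The flat "Image|CommandLine|ParentImage" record format, the sample events, and the host name placeholder are assumptions made for the example.

```python
import base64
import re

# Rules keyed by ATT&CK technique ID: (image basename, regex over the command line).
RULES = [
    ("T1059.001", "powershell.exe", re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("T1047", "wmic.exe", re.compile(r"(?i)process\s+call\s+create|/node:")),
    ("T1218.005", "mshta.exe", re.compile(r"(?i)https?://|javascript:|vbscript:")),
    ("T1218.011", "rundll32.exe", re.compile(r"(?i)\\(users|temp|programdata)\\")),
]
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:  # PowerShell encodes the script as Base64 over UTF-16LE text
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_event(line):
    """Constructed flat record 'Image|CommandLine|ParentImage' (not real Sysmon XML)."""
    image, cmdline, parent = line.split("|", 2)
    return {"image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline, "parent": parent}

def evaluate(line):
    """Return [(technique_id, detail), ...] for one process-creation event."""
    ev = parse_event(line)
    hits = []
    for tid, binary, pattern in RULES:
        if ev["image"] == binary and pattern.search(ev["cmdline"]):
            # For encoded PowerShell, surface the decoded script as the alert detail.
            detail = decode_encoded_command(ev["cmdline"]) if tid == "T1059.001" else ev["cmdline"]
            hits.append((tid, detail))
    return hits

def scan(events):
    """Index every event that fires at least one rule, together with its hits."""
    return [(i, hits) for i, line in enumerate(events) if (hits := evaluate(line))]

# Constructed sample events; the encoded command is built here from a benign string.
BENIGN_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -enc " + BENIGN_ENCODED + r"|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\wbem\wmic.exe|wmic.exe /node:HOST-PLACEHOLDER process call create notepad.exe|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start|C:\Windows\explorer.exe",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL|C:\Windows\explorer.exe",
]
```

The last sample (rundll32.exe invoking a System32 control panel entry point) fires no rule, which is the point: the image alone is never the signal, the arguments and context are.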
Professional, manual (not AI-driven or automated) penetration testing and red teaming services can be instrumental in discovering gaps and fine-tuning defenses against LotL methods. Through real-world adversary simulation, expert red teams replicate the same tactics used by threat actors, identifying potential weaknesses in an organization’s defenses. For instance, Redbot Security (https://redbotsecurity.com), a firm specializing in manual penetration testing and red teaming, often examines how effectively an organization’s monitoring and restrictions respond to PowerShell-based attacks or LoLBin abuse. By emulating these techniques in a controlled environment, clients gain visibility into their detection and response capabilities before a real adversary tests them. This kind of proactive assessment is invaluable given the tricky nature of attacks that rely on legitimate processes, where advanced behavioral analytics and well-tuned rulesets are the primary means of detection.
Ultimately, LotL attack techniques are a constant game of cat and mouse between defenders and adversaries. As traditional malware detection becomes more effective, threat actors pivot to less conspicuous tactics to slip under the radar. Their success depends on blending into normal operations by hijacking tools with legitimate, day-to-day utility. EDR solutions, PowerShell security enhancements, restricted permissions, and robust logging will remain at the heart of any effective defense. However, it is equally critical that organizations regularly update their detection signatures and heuristics to keep pace with the latest attacker tradecraft. The growing catalog of GTFOBins and LOLBAS techniques should serve as a living checklist for defenders, reminding them that every system utility, from archiving commands like tar to .NET binaries capable of loading custom DLLs, might provide a foothold for a skilled adversary. Although no single security measure can completely thwart every fileless attack, a coordinated defensive strategy that layers detection, containment, and active threat hunting across all endpoints can dramatically reduce the likelihood of a successful breach. By staying vigilant, adopting best practices from frameworks like MITRE ATT&CK, and partnering with specialized penetration testing companies to test defenses, organizations can substantially mitigate the risk posed by this evolving and persistent threat.
Morgan Habecker is a results-driven cybersecurity executive and current COO at Redbot Security with a solid background in penetration testing and IT leadership. He has effectively managed cross-functional teams and refined security operations, leveraging hands-on vulnerability assessments alongside strategic oversight to enhance organizational defenses. His blend of technical expertise and leadership acumen has consistently delivered improved security postures and operational excellence throughout his career.
https://www.linkedin.com/in/morganhabecker/