The Rise of Living-Off-the-Land Attacks
- October 31, 2025
Introduction
Living-Off-the-Land (LOTL) attacks have become one of the most elusive threats in modern cybersecurity. Instead of relying on custom malware or external tools, adversaries are increasingly using legitimate software and built-in system utilities to infiltrate networks, execute commands, and evade detection. The tools they use, including PowerShell, PsExec, Windows Management Instrumentation (WMI), and even trusted IT scripts, are the same ones administrators depend on every day to keep operations running.
This is what makes these attacks especially dangerous: because the activity originates from approved applications and trusted processes, it blends seamlessly into normal network behavior. Security systems designed to flag unfamiliar binaries or suspicious downloads often overlook these subtle intrusions. What looks like routine IT maintenance can actually be a carefully orchestrated breach in progress.
Unlike traditional malware campaigns, Living-Off-the-Land tactics minimize the attacker’s footprint. There’s no need to install files or communicate with obvious command-and-control servers. Instead, the attackers turn the organization’s own environment into their weapon, moving laterally, gathering data, and disabling defenses from within.
Over the past few years, this technique has grown increasingly popular among both nation-state actors and ransomware groups. It’s cheap, stealthy, and remarkably effective. The recent surge in fileless attacks and advanced persistent threats (APTs) across sectors like finance, manufacturing, and government underscores how pervasive this method has become.
Living-Off-the-Land attacks signal a shift in cybersecurity strategy. Detection alone is no longer enough; defenders must learn to distinguish between legitimate activity and malicious intent disguised as routine behavior. As organizations adapt, understanding how these attacks work is the first step toward stopping them before they blend too deeply into the system.
- What “Living-Off-the-Land” Really Means
At its core, Living-Off-the-Land (LOTL) is about turning the tools that make IT work into tools that make cyberattacks succeed. Instead of dropping new malware or foreign binaries, attackers use what’s already there: the native utilities, scripts, and trusted processes that keep an organization’s systems running smoothly.
Let’s think of it this way: rather than breaking in through a window, attackers borrow a spare key that’s been sitting under the doormat all along. Tools like PowerShell, Windows Management Instrumentation (WMI), and PsExec are built into most corporate networks for legitimate reasons, for example: system management, automation, and remote maintenance. But in the wrong hands, they become stealthy enablers of intrusion.
Unlike traditional malware attacks, which rely on malicious files that can be detected and quarantined, LOTL operations blend into normal activity. A command that moves files or queries system data can look exactly like something an administrator might do. For example, attackers can use PowerShell scripts to transfer sensitive data across the network without triggering alarms, or schedule tasks using legitimate Windows services to maintain persistence long after the initial compromise. The Cybersecurity and Infrastructure Security Agency (CISA) advisory on the Interlock ransomware group documents exactly this: the group “executed a PowerShell command designed to establish persistence via a Windows Registry key.”
Even remote management tools that companies trust, such as RMM (Remote Monitoring and Management) software, can be co-opted to maintain unauthorized access under the guise of normal support activity. What makes Living-Off-the-Land attacks particularly dangerous isn’t just their technical ingenuity, but their philosophy. These operations exploit trust and routine. They don’t introduce chaos from the outside; instead, they quietly repurpose what already exists inside the network.
In essence, more than creating new weapons, LOTL attacks are about mastering the environment so well that an attacker can operate within it without leaving fingerprints. That’s what makes detection so difficult and also the reason why this approach continues to challenge even the most mature security programs.
- Why These Attacks Are on the Rise
Living-Off-the-Land attacks have surged in recent years, and it’s not hard to see why. As cybersecurity tools continue to evolve, defenders have become exceptionally good at spotting traditional malware. Firewalls, antivirus software, and endpoint detection systems are now highly efficient at flagging suspicious code or identifying unusual downloads. In response, attackers have adapted by blending in with what’s already trusted: the operating system itself.
Instead of introducing something new, they turn to what’s already there: tools such as PowerShell, PsExec, or Windows Management Instrumentation (WMI). These utilities are vital for legitimate IT operations, but in the wrong hands, they offer stealth, persistence, and control. When an attacker runs commands through these built-in programs, they’re not just avoiding detection; they’re operating under the radar of every system that’s designed to protect against “foreign” threats.
Cloud adoption and remote work have also played a major role. Modern organizations rely on dozens, sometimes hundreds, of connected apps and services, each one expanding the surface area for potential exploitation. From remote admin utilities to automation scripts, the digital environment is full of opportunities for malicious use.
Research backs up this trend. Recent reports have highlighted a steep rise in attacks leveraging system-native tools. For example, an article published earlier this year by Beta News highlighted that “new research from Bitdefender shows that 84 percent of high severity attacks are using Living-Off-the-Land (LOTL) techniques, exploiting legitimate tools used by administrators. The study also highlights the widespread use of PowerShell.exe in business environments. While nearly 96 percent of organizations in the dataset legitimately utilize PowerShell, the expectation was that its execution would be limited primarily to administrators. However, the research detected PowerShell activity on a staggering 73 percent of all endpoints.”
For threat actors, LOTL attacks are simply efficient: the fewer moving parts, the lower the risk of being caught. There’s also a very human side to this shift. In fast-moving IT and DevOps environments, teams prioritize performance and uptime. Routine actions and trusted processes often go unquestioned, making it easier for subtle malicious activity to blend in. What used to be a niche tactic reserved for advanced threat actors has now become mainstream. Living-Off-the-Land has quickly become a standard part of the attacker’s playbook, and nowadays, it’s one of the hardest to defend against.
- Real-World Examples
Real-world incidents make one thing clear: Living-Off-the-Land (LOTL) attacks aren’t edge-case curiosities; they’re active, high-consequence threats. Below are three recent cases that demonstrate how attackers exploited trusted tools, remained undetected, and raked in big wins.
- Volt Typhoon: Stealth in Critical Infrastructure
This China-linked espionage group has repeatedly targeted U.S. and allied critical-infrastructure sectors using LOTL tactics. As noted in Microsoft’s security blog, Volt Typhoon leveraged built-in system utilities, such as PowerShell, WMIC and netsh, to move around networks, dump process memory and create proxies over legitimate channels. They explained that “To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”
- Scattered Spider: Legitimate Tools Repurposed for Ransomware
This financially-motivated actor turned everyday remote-management tools into intrusion vehicles. A joint advisory from global agencies lists software like ScreenConnect, TeamViewer and AnyDesk, all allowed in many corporate environments, as key elements in the group’s chain of compromise.
Further intelligence showed how Scattered Spider combined those tools with social engineering, MFA-fatigue tricks and “Living-Off-the-Land” binaries to gain access and exfiltrate data without raising alarms. As mentioned in a cybersecurity advisory by the Cybersecurity & Infrastructure Security Agency (CISA), “U.S. and international federal organizations identified new tactics, techniques, and procedures (TTPs) associated with the Scattered Spider cybercriminal group. In addition to new TTPs that include more sophisticated social engineering techniques, the advisory describes additional malware and ransomware variants used to exfiltrate data and encrypt targeted organizations’ systems. Per trusted third parties, Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs.”
- Cloud-Focused Campaigns: LOTL Morphs for the Cloud
In the industrial sector, researchers documented 2025 intrusions where attackers gained access via assumed credentials, and then used PowerShell and WMI from within Azure and AWS environments to move laterally, set scheduled tasks and exfiltrate data. These campaigns illustrate that LOTL attacks aren’t confined to traditional datacenters; they thrive in cloud-native settings too.
Across all cases, what stands out is timing, patience and trust exploitation. Attackers rely on approved tools and standard processes, counting on security teams to dismiss the activity as “normal.” Detection then becomes a matter of context, not just signature matching. The message is clear: LOTL tactics are not anomalies anymore; they’re effective.
- Why They’re So Hard to Detect
The biggest challenge with Living-Off-the-Land (LOTL) attacks isn’t stopping them; it’s seeing them happen at all. Because these techniques rely on legitimate tools and trusted processes, what an attacker does inside a network often mirrors what an IT administrator might do in routine maintenance.
Many of the tools commonly abused are signed, authorized, and regularly used in corporate environments. Since they’re “allowed,” security systems are less likely to raise red flags when they are used. As a result, malicious activity hidden inside trusted utilities tends to fly under the radar. Security alerts often end up being ignored or mis-classified because they appear indistinguishable from normal admin behavior.
For example, an alert that says, “User ran PowerShell with network access” might be dismissed as routine, even though it could signal early lateral movement. In many cases, the real difference between legitimate and malicious activity is subtle pattern shifts or context, something that traditional signature-based tools weren’t built to catch.
Then there’s the issue of dwell time, or how long attackers stay in networks undetected. According to Google Cloud, a recent global study found that “the global median dwell time for intrusions rose to 11 days in 2024, up from 10 days in 2023. This extended dwell time provides attackers, particularly those using stealthy LOTL techniques, more opportunity to move laterally and achieve their objectives undetected.”
During this period, attackers can move laterally, escalate privileges, and establish persistence, all while evading detection. The stealth advantage is what makes LOTL tactics so potent. When adversaries use what looks like standard IT activity to navigate networks quietly, defenders are forced to sift through volumes of “normal” logs to identify the “abnormal.” In short, these attacks succeed not because they’re technically more complex, but because they are embedded in trust.
- How Organizations Can Defend Themselves
Defending against Living-Off-the-Land (LOTL) attacks starts with something deceptively simple: knowing what “normal” looks like inside your network. Since these attacks blend in with legitimate activity, visibility and behavioral awareness are far more valuable than simply adding new layers of tools or alerts.
The first step is establishing a clear baseline of normal administrative activity. Which users typically perform configuration changes? When and from where do they access management consoles or perform maintenance tasks? Having that context allows security teams to spot anomalies, like commands being executed at unusual hours, system changes coming from unexpected locations, or privileged accounts performing actions outside their usual scope.
Access control is another key layer. Not every user should have permission to run powerful utilities or modify configurations. Segmenting privileges and enforcing the principle of least privilege can greatly reduce the potential damage if an attacker compromises a single account. Organizations should also monitor administrative actions happening outside regular work hours or from unrecognized devices, as these are common signs of lateral movement or privilege escalation attempts.
Education remains one of the most effective defenses. IT staff and developers should be trained to recognize when routine activity feels off, such as unexpected configuration changes, repeated failed executions, or unfamiliar commands running under trusted accounts. Attackers rely on defenders assuming that familiarity equals safety, and breaking that assumption is critical.
Preventing LOTL attacks isn’t just about blocking tools. It’s about disciplined visibility: centralized logging, endpoint detection, and user behavior analytics help identify small deviations that reveal larger compromises. Still, automated defenses can only go so far without validation. That’s where proactive testing comes in. Regular red-team exercises and simulated attacks expose blind spots before adversaries can exploit them. By mimicking LOTL tactics, using the same utilities and access paths attackers rely on, organizations can better understand how these threats operate and strengthen their detection and response processes.
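The baselining approach described in this section, and the “User ran PowerShell with network access” alert discussed under detection, both come down to the same idea: the utility is not the signal, the context is. The following Python script is an added example, not code from the article or from any vendor or agency it cites. It encodes a small baseline of what “normal” administrative use looks like (which accounts are admins, which hosts they work from, and during which hours) and runs constructed process-creation log lines through it, flagging only the executions of built-in utilities named in the article (PowerShell, WMIC, PsExec, netsh) that deviate from that baseline. The pipe-delimited log format, the account names, the hostnames and the baseline values are all assumptions made for the example.

```python
"""Baseline-based triage of process-creation events for built-in admin utilities.

Added example (not the article's own code). The log format, account names,
hostnames and baseline values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Built-in Windows utilities the article names as routinely repurposed in LOTL activity.
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "psexec.exe", "netsh.exe"}


@dataclass
class Baseline:
    """What routine administrative use looks like in this hypothetical environment."""
    admins: set            # accounts expected to run management utilities
    hosts_by_user: dict    # account -> set of hosts it normally administers from
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)


@dataclass
class ProcessEvent:
    ts: datetime
    user: str
    host: str
    image: str     # full path of the executable that started
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed line: timestamp|user|host|image|command line.

    The format is an assumption of this example; real sources (Sysmon event 1,
    Security event 4688, EDR telemetry) carry the same fields under other names.
    """
    ts, user, host, image, cmdline = line.split("|", 4)
    return ProcessEvent(datetime.fromisoformat(ts), user, host, image, cmdline)


def evaluate(event: ProcessEvent, baseline: Baseline) -> list:
    """Return the reasons an event deviates from the baseline (empty = looks routine)."""
    name = event.image.rsplit("\\", 1)[-1].lower()
    if name not in LOTL_BINARIES:
        return []
    reasons = []
    # Unfamiliar command under a non-administrative account.
    if event.user not in baseline.admins:
        reasons.append(f"{name} run by non-administrative account {event.user}")
    # Administrative activity outside regular working hours.
    if not (baseline.work_start <= event.ts.time() < baseline.work_end):
        reasons.append(f"{name} run outside working hours at {event.ts:%H:%M}")
    # Privileged account operating from a host it does not normally use.
    usual_hosts = baseline.hosts_by_user.get(event.user)
    if usual_hosts is not None and event.host not in usual_hosts:
        reasons.append(f"{event.user} used {name} from unexpected host {event.host}")
    return reasons


def scan(log_text: str, baseline: Baseline) -> list:
    """Run every non-empty log line through the baseline; keep (event, reasons) for flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = evaluate(event, baseline)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed sample telemetry: a routine admin action, a non-LOTL process, an admin
# account acting at 02:47 from a user laptop, and a regular user running PowerShell.
SAMPLE_LOG = r"""
2025-10-30T10:15:00|CORP\jdoe-adm|ADMIN-WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Service -ComputerName FS01
2025-10-30T10:20:00|CORP\jdoe-adm|ADMIN-WS01|C:\Windows\System32\notepad.exe|notepad runbook.txt
2025-10-30T02:47:00|CORP\jdoe-adm|HR-LAPTOP17|C:\Windows\System32\wbem\WMIC.exe|wmic /node:FS01 os get lastbootuptime
2025-10-30T14:05:00|CORP\msmith|HR-LAPTOP17|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-ChildItem \\FS01\finance
"""

# Hypothetical baseline: one admin account that normally works from one admin workstation.
BASELINE = Baseline(
    admins={r"CORP\jdoe-adm"},
    hosts_by_user={r"CORP\jdoe-adm": {"ADMIN-WS01"}},
)

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_LOG, BASELINE):
        print(f"{event.ts:%Y-%m-%d %H:%M} {event.user}@{event.host}: {event.cmdline}")
        for reason in reasons:
            print("   -", reason)
```

Run as a script it prints the two flagged events with their reasons: the administrator’s WMIC use at 02:47 from an HR laptop (two deviations at once) and the ordinary user’s PowerShell session (one deviation), while the identical PowerShell command run by the administrator from the usual workstation during working hours produces nothing. That contrast is the point of baselining: the same binary is routine in one context and worth investigating in another, and a rule that fires on “PowerShell ran” alone would either drown the second case in the first or be tuned out entirely.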
Ultimately, resilience comes from awareness, not abundance. The goal isn’t to remove every potential attack surface, but to ensure every legitimate tool and action is accounted for, monitored, and controlled. In the modern threat landscape, visibility and discipline are the real differentiators between compromise and containment.
- Conclusion
Living-Off-the-Land attacks have redefined how modern cyber threats operate. Instead of relying on custom malware or external exploits, attackers now weaponize the trusted tools, processes, and permissions that already exist inside an organization. This quiet shift has changed the rules of defense, and too many companies still underestimate how dangerous familiarity can be.
The real challenge isn’t stopping these attacks; it’s recognizing them. When adversaries use legitimate administrative utilities or normal workflow commands, traditional antivirus and intrusion systems often see nothing unusual. The result is an illusion of safety that allows attackers to dwell in networks for weeks or even months before being discovered.
To stay ahead, organizations must evolve their mindset. Strong cybersecurity nowadays is about visibility, context, and behavioral awareness. Teams need to know what normal activity looks like, who performs it, and when. Any deviation, no matter how subtle, should raise a flag worth investigating.
Living-Off-the-Land attacks remind us that even the most advanced defenses can be undone by overlooked trust. Building a resilient security posture means combining technology with disciplined observation, cross-team communication, and a healthy skepticism toward the familiar. The future of cybersecurity will belong to those who can distinguish routine operations from silent intrusions, because the next major breach may not come from a new exploit, but from a tool you already use every day.
SOURCES:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
https://betanews.com/2025/06/03/84-percent-of-attacks-now-use-legitimate-tools/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025