LOTL Attacks Surge as Hackers Exploit Built-In Tools


Many security teams spend their time tuning defences to catch malware. But what happens when attackers no longer need to bring anything new into your environment at all?

That’s the premise behind a growing trend known as living off the land (LOTL) attacks. Under this method, attackers use only the tools already built into your system environment to carry out their objectives.

Recent reports show how widespread the technique has become. CrowdStrike found that about 79% of the intrusions it detected were malware-free. Bitdefender’s recent research suggests the shift is even further along, with LOTL techniques appearing in the majority of the high-impact incidents it analyzed.

We examined how these attacks work, what the data reveals about their growing use, and the practical steps organizations can take to detect them early.

Key Takeaways

  • Living off the land attacks exploit trusted system tools already installed, making detection difficult.
  • Attackers use legitimate binaries such as PowerShell and netsh to blend in with normal activity.
  • Recent reports reveal LOTL techniques are involved in the majority of significant cyber incidents.
  • These tools are often combined in scripts to carry out reconnaissance, privilege escalation, lateral movement, and data theft.
  • Reducing risk involves restricting access to these tools, enforcing the principle of least privilege, implementing network segmentation, and providing thorough staff training.

What the Latest Data Reveal About LOTL

Living off the land techniques have been around for over a decade, but only recently have security teams started to quantify their impact. Bitdefender’s 2025 report paints one of the clearest pictures yet.

Their analysis, based on over 700,000 global security incidents tracked over 90 days, shows that 84% of major incidents involved LOTL techniques. These attacks made use of trusted binaries such as netsh.exe, rundll32.exe, powershell.exe, wmic.exe, and others. Because these tools are signed and pre-installed, they often fly under the radar of endpoint security solutions.

Netsh.exe in particular appeared in one-third of all cases Bitdefender analyzed and was often used to disable firewalls, map networks, or open ports, all while looking like routine admin work.

Other tools, such as csc.exe and reg.exe, also played key roles, and they were rarely used in isolation.

The researchers found that attackers often chain them together in custom scripts to move laterally and escalate privileges. These tools appear across the attack lifecycle, from initial access to data exfiltration.

LOTL is “Indispensable” Among Ransomware Gangs

Over time, cybercriminals have learned that operating inside a network’s trust zone is more effective than forcing their way in. That’s why living off the land attacks have become so widespread.

According to the endpoint security firm ThreatDown, LOTL techniques are “indispensable” to ransomware groups. The finding comes from its 2025 State of Malware report, which also shows that Windows Remote Desktop Protocol (RDP) is a dominant initial access vector.

In 2024, some of the most used LOTL techniques detected by ThreatDown EDR include:

  • Scanning networks with tools like Advanced IP Scanner – 19%
  • Modifying the hosts file to block updates or reroute traffic – 10%
  • Creating local accounts to maintain access – 9%
  • Executing suspicious PowerShell commands that resemble admin activity – 9%
  • Getting users to launch attacks by clicking on malicious links – 9%
[Pie chart: top 10 LOTL techniques detected by ThreatDown EDR, with the percentage for each technique.]
Most common LOTL techniques in 2025. Source: ThreatDown

How Can Organizations Detect & Prevent LOTL Attacks?

LOTL attacks can be difficult to pinpoint because they rely on tools that administrators use every day. Blocking these tools could disrupt normal operations.

As noted by Bitdefender, detection depends on monitoring how these tools are used and identifying behavior that deviates from the norm. This means focusing on what is actually done with tools like PowerShell and WMIC, such as the command line, the parent process, and the account involved, rather than simply flagging their presence.

With this approach, organizations can reduce risk without interfering with essential system functions.
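The behaviour-based approach Bitdefender describes, and the netsh, rundll32, wmic, reg and net misuse listed in the Bitdefender and ThreatDown findings above, can be turned into a small triage rule set. The following is an added example written for this article; it is not Bitdefender’s, ThreatDown’s or Kaspersky’s code. It assumes Sysmon Event ID 1 style process-creation records with id, user, parent, image and cmdline fields (an assumed schema), and the events it runs over are constructed samples, not real telemetry. No rule fires on the mere presence of a tool; every rule looks at what the command line does or at which parent spawned it.

```python
import re

# Constructed Sysmon Event ID 1 style records (assumed schema). Sample data only.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\it-admin", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
    {"id": 2, "user": "CORP\\alice", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "user": "CORP\\it-admin", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},
    {"id": 4, "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"id": 5, "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 "
                "connectport=3389 connectaddress=10.0.0.5"},
    {"id": 6, "user": "CORP\\alice", "parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"id": 7, "user": "CORP\\alice", "parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Start"},
    {"id": 8, "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:10.0.0.7 process call create \"cmd.exe /c whoami\""},
    {"id": 9, "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net user backup_svc Spring2024! /add"},
    {"id": 10, "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd "
                "/t REG_SZ /d C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"id": 11, "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo 0.0.0.0 update.example.com >> "
                "C:\\Windows\\System32\\drivers\\etc\\hosts"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Directories a signed system binary should not be loading DLLs from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer")


def _cmd(ev):
    return ev["cmdline"].lower()


def _ps_param(tokens, names, value=None):
    """powershell.exe accepts any unambiguous prefix of a parameter (-e, -enc,
    -EncodedCommand) with '-' or '/' as the switch character, so a token is
    matched as a prefix of each accepted spelling rather than literally."""
    for i, tok in enumerate(tokens):
        if len(tok) < 2 or tok[0] not in "-/":
            continue
        if not any(n.startswith(tok[1:]) for n in names):
            continue
        if value is None:
            return True
        if i + 1 < len(tokens) and value.startswith(tokens[i + 1]):
            return True
    return False


# (rule name, predicate). Each predicate keys on behaviour, never on the image alone.
RULES = [
    ("netsh_firewall_disabled", lambda ev: ev["image"] == "netsh.exe"
        and re.search(r"advfirewall\s+set\s+\w+\s+state\s+off", _cmd(ev))),
    ("netsh_portproxy_added", lambda ev: ev["image"] == "netsh.exe"
        and re.search(r"interface\s+portproxy\s+add", _cmd(ev))),
    ("netsh_inbound_rule_added", lambda ev: ev["image"] == "netsh.exe"
        and re.search(r"advfirewall\s+firewall\s+add\s+rule.*action=allow", _cmd(ev))),
    ("powershell_encoded_or_hidden", lambda ev: ev["image"] == "powershell.exe"
        and (_ps_param(_cmd(ev).split(), {"encodedcommand", "ec"})
             or _ps_param(_cmd(ev).split(), {"windowstyle"}, "hidden"))),
    ("powershell_download_cradle", lambda ev: ev["image"] == "powershell.exe"
        and DOWNLOAD_CRADLE.search(_cmd(ev))),
    ("shell_spawned_by_office", lambda ev: ev["image"] in SHELLS
        and ev["parent"] in OFFICE_PARENTS),
    ("rundll32_user_writable_dll", lambda ev: ev["image"] == "rundll32.exe"
        and any(p in _cmd(ev) for p in USER_WRITABLE)),
    ("wmic_remote_process_create", lambda ev: ev["image"] == "wmic.exe"
        and "/node:" in _cmd(ev) and re.search(r"process\s+call\s+create", _cmd(ev))),
    ("local_account_created", lambda ev: ev["image"] in {"net.exe", "net1.exe"}
        and re.search(r"\buser\b.*\s/add\b", _cmd(ev))),
    ("reg_run_key_persistence", lambda ev: ev["image"] == "reg.exe"
        and re.search(r"\badd\b", _cmd(ev)) and "\\currentversion\\run" in _cmd(ev)),
    ("hosts_file_modified", lambda ev: ev["image"] in SHELLS
        and "\\drivers\\etc\\hosts" in _cmd(ev)),
]


def triage(events):
    """Return {event id: [matching rule names]} for events that match at least one rule."""
    findings = {}
    for ev in events:
        hits = [name for name, pred in RULES if pred(ev)]
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        ev = next(e for e in SAMPLE_EVENTS if e["id"] == event_id)
        print(f"event {event_id:>2}  {ev['user']:<16} {ev['parent']:<13} -> {ev['image']:<15} {', '.join(hits)}")
```

Events 1, 3 and 6 are the routine administrative uses of the same binaries and produce no finding, which is the point: the rules leave PowerShell, netsh and rundll32 usable while still surfacing the firewall being switched off, a portproxy pivot, a DLL loaded from a user-writable directory, remote WMIC execution, a new local account, a Run-key entry and a hosts-file edit. In production the same rules would feed a SIEM query or EDR detection, with the parent and account fields used to weight the score rather than as a hard filter.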

On a similar note, Kaspersky recommends the following to reduce the risk of LOTL-based activity:

  1. Limit the use of known LOLBins such as PowerShell, netsh, and rundll32, where possible.
  2. Apply application control policies.
  3. Harden scripting environments to restrict the execution of unauthorized or obfuscated scripts.
  4. Use EDR solutions that can monitor suspicious process chains.
  5. Apply least privilege principles to reduce the number of users with administrative access.
  6. Segment the network to limit how far an attacker can move.
  7. Train IT and security staff to recognize the signs of LOTL-based behavior.

These steps won’t block every possible intrusion, but they reduce the available paths for stealthy movement and make it easier to detect when something doesn’t fit the pattern.

The Bottom Line

Living off the land attacks are a quiet threat, but they’re far from rare. Bitdefender’s findings confirm that trusted tools are now central to modern attack chains.

But it’s possible to stay ahead. With the right monitoring, stricter access controls, and hardened configurations, organizations can detect LOTL activity before attackers move too far. The key here is to stop assuming trusted tools are always safe.

Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.
