While emerging risks like AI-generated malware capture headlines, the reality of today’s threat landscape is more straightforward. Most modern attacks, including ransomware, are backed by manual hacking operations. Attackers carefully navigate systems, using a “Living Off the Land” (LOTL) approach, to exploit legitimate system utilities.
To figure out exactly how common these LOTL binaries are, we analyzed 700,000 security incidents from our Bitdefender GravityZone platform along with telemetry data (legitimate usage) from the last 90 days. Security incidents were not simple alerts, but correlated events, and we analyzed the whole chain of commands to identify how frequently attackers are using LOTL binaries. The result? 84% of major attacks (incidents with high severity) involved the use of LOTL binaries. For validation, we also examined our MDR data and found a consistent trend: 85% of incidents involved LOTL techniques.
While this was our internal research to support the development of our GravityZone PHASR technology, we uncovered numerous insights in this data and decided to share some highlights while we are working on a more comprehensive report for all the data enthusiasts out there.
The Most Abused Tool? Netsh.exe
While LOTL tools are a well-covered topic (including our tech explainer), most prior analysis has been based on experience, not hard data. We based our analysis on the frequency of tools usage, instead of how much damage they could cause. We were hoping to discover binaries that are frequently abused yet rarely used for legitimate purposes.
What was quite visible immediately is that the tools popular with attackers are also very popular with administrators. Unsurprisingly, the usual suspects like powershell.exe, wscript.exe, and cscript.exe were all present. However, one of the more surprising findings was that netsh.exe was the most frequently abused tool, appearing in one-third of major attacks. While checking firewall configurations is a logical initial step for attackers, this clearly demonstrates how data analysis can spotlight trends that human operators might instinctively disregard.
As mentioned earlier, the popularity of tools among attackers often reflects their popularity with legitimate administrators. This general trend held true for the most part, but some notable exceptions did appear. Specifically, tools like mshta.exe, pwsh.exe, and bitsadmin.exe were used in attacks, but rarely seen in legitimate administrative tasks.
The Temptation of Simple Solutions
Our research revealed another unexpected observation: The widespread use of PowerShell.exe in business environments. While nearly 96% of organizations in our dataset legitimately utilize PowerShell, our initial expectation was that its execution would be limited primarily to administrators. To our surprise, we detected PowerShell activity on a staggering 73% of all endpoints. Further investigation revealed that PowerShell is frequently invoked not only by administrators (and their pesky logon/logoff scripts), but also by third-party applications running PowerShell code without a visible interface.
A similar pattern emerged with wmic.exe. This tool, popular around the year 2000, has largely been superseded by PowerShell for administrative purposes – and is slated for decommissioning by Microsoft. However, we were surprised to find its regular usage across many workstations. Analyzing the data, it became clear that wmic.exe is still commonly employed by a multitude of third-party applications to gather system information.
Geographical analysis revealed intriguing differences in tool usage. For example, PowerShell.exe showed a notably lower presence in APAC (Asia-Pacific), at just 53.3% of organizations in our dataset. This stands in sharp contrast to EMEA, where our analysis indicated a much higher adoption rate of 97.3%. Conversely, while PowerShell usage was lower in APAC, reg.exe was more frequently present in this region compared to all other geographical areas.
This underscores the importance of nuanced understanding, as even tools appearing outdated or unused can be critical for specific functions and disabling them can cause unforeseen disruptions.
You Can’t Live with Them, You Can’t Live Without Them
The LOTL reality that we “can’t live with them, and can’t live without them” directly informed the development of our Bitdefender GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. Recognizing the inherent risks and potential for disruption in simply blocking these essential tools, PHASR adopts a more nuanced and intelligent approach: individualized endpoint hardening through action-based control.
PHASR goes beyond blocking entire tools, it also monitors and stops the specific actions attackers use within them. By analyzing the behavior of processes like powershell.exe, wmic.exe, or certutil.exe, PHASR can distinguish malicious intent from legitimate use. For instance, while allowing PowerShell to execute regular scripts, PHASR can proactively block its attempts to run encrypted commands or tamper with critical system configurations.
Consider WMIC.exe again. Instead of blocking the entire tool, which could disrupt legitimate operations, PHASR differentiates between its legitimate use for system information retrieval and its abuse for lateral movement or process manipulation. This action-level blocking, combined with the layered analysis of user and attacker behavior, enables tailored protection without business disruption.
PHASR’s effectiveness lies in its architecture, which incorporates hundreds of granular rules informed by known attacker playbooks and our extensive threat intelligence. The engine continuously learns by establishing a baseline of typical user and application behavior on each endpoint. This learned behavior is then constantly compared against known malicious patterns and emerging threats. Intelligent analysis allows PHASR to not only detect and report suspicious activity but also to proactively block access to specific tools or even parts of their functionality when their use deviates from the established baseline and aligns with malicious indicators. This proactive blocking occurs seamlessly, without requiring constant manual policy adjustments or fine-tuning, ensuring robust protection against even novel LOTL attacks.
Conclusion
The words of “gg,” the BlackBasta ransomware group leader, chillingly underscore the central challenge revealed by our analysis of 700,000 security incidents. “If we use standard utilities, we won’t be detected… We never drop tools on machines.“ The staggering 84% prevalence of Living off the Land (LOTL) techniques in major attacks directly validates this adversary perspective.
Attackers are demonstrably successful in evading traditional defenses by expertly manipulating the very system utilities we trust and rely on daily. This stark reality demands a fundamental shift towards security solutions like Bitdefender’s PHASR, which moves beyond blunt blocking to intelligently discern and neutralize malicious intent within these essential tools, effectively countering the attacker’s confident assertion of undetectability.
About the Author: Martin Zugec works as the Technical Solutions Director at Bitdefender, helping to protect the world from cybercrime. He has over 20 years of field experience, working as an architect on virtualization projects and traveling around the world. Combining his passion for storytelling with real-world experiences, Martin is a regular speaker at major industry conferences and a cybersecurity blogger. His talks span an array of subjects, encompassing everything from the tactics of threat actors and the evolving ransomware landscape to enhancing efficacy within security operations.
Martin Zugec — Technical Solutions Director at Bitdefender
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtB44Z82ub9HU2rEah-aXtgQGkW4OZuJ0s5IRVAowBMnUMaVqEW-_VEZ2vfUOwWGOdjEOx7JcFGnUH3wWDlLmNtFBGe74_nsso6EA1i2s7oeeia4yyMsNUAoTYZ3gifDG34HvV-Kx0v7VgHZTePReU1pzX92pIrm5z_gTEI9SLyZDZ6W4g5GuwYjEtbIo/s728-rw-e365/martin.png
