When attackers wield your own tools against you, traditional defenses go blind. Here is how threat hunters find adversaries hiding in plain sight—using nothing but the operating system’s own utilities.
Imagine an intruder who breaks into your building not by forcing the locks, but by borrowing a security badge from an unsuspecting employee. They walk the hallways, access sensitive rooms, and leave… all while appearing on every camera as an authorized person doing authorized things. That is the essential logic of a Living-off-the-Land attack, and it is why it remains one of the most difficult detection challenges in modern security operations.
Living-off-the-land (LOTL) is a technique in which adversaries use tools already present and trusted within a target environment. This includes native operating system binaries, built-in scripting engines, and legitimate administrative utilities to carry out their objectives without introducing foreign malware. Because these tools are signed, pre-approved, and routinely used by IT teams, signature-based defenses see nothing alarming. The threat is entirely behavioral, defined by context and intent, rather than by the presence of any malicious file.
The scale and sophistication of LOTL adoption has grown dramatically. In 2024, approximately 84% of high-severity cyberattacks leveraged legitimate system tools rather than custom malware. This is a fundamental shift in attacker methodology that has made LOTL the dominant technique for both nation-state actors and criminal hacking groups alike. The Volt Typhoon campaign, attributed to the People’s Republic of China and disclosed in CISA advisories in 2023 and 2024, demonstrated just how far these techniques can be taken: the group maintained undetected access to U.S. critical infrastructure networks for over five years using only built-in Windows tools.
For threat hunters, LOTL represents one of the most demanding hunting challenges, and one of the most important to solve.
Understanding the Toolbox
To hunt effectively for LOTL activity, you first need a working understanding of which tools adversaries most commonly abuse and why. These are referred to as LOLBins (Living-off-the-Land Binaries) and they are well-documented in community resources like the LOLBAS Project, which catalogs hundreds of WIndows binaries with known abuse potential and maps them to MITRE ATT&CK techniques.
| Binary | Common Abuse | ATT&CK Technique |
| PowerShell | Encoded commands, in-memory execution, remote downloads, credential harvesting | T1059.001 - Command & Scripting Interpreter |
| WMI/WMIC | Lateral movement, remote process execution, persistence via WMI subscriptions | T1047 - Windows Management Instrumentation |
| CertUtil | Downloading files from the Internet, decoding Base64-encoded payloads | T1105 - Ingress Tool Transfer |
| Mshta | Executing remote scripts, bypassing application controls, registry modifications | T1218.005 - System Binary Proxy Execution |
| Rundll32 | Loading malicious DLLs, bypassing defenses, executing arbitrary code | T1218.011 - Rundll32 |
| Netsh | Firewall manipulation, port proxying, network pivoting (as seen in Volt Typhoon) | T1090.001 - Internal Proxy |
| Schtasks / At | Scheduled task creation for persistence and delayed execution | T1053.005 - Scheduled Task |
| MSBuild | Compiling and executing arbitrary C# code without touching the disk | T1127.001 - Trusted Developer Utilities |
CrowdStrike’s Falcon Overwatch team has documented all of these binaries being abused in real-world intrusion campaigns—noting state-nexus and eCrime adversaries leveraging them for reconnaissance, configuration modification, data destruction, and code execution. In one documented instance, a ransomware actor used Mshta with a 0x2-pixel invisible window to make registry changes completely invisible on screen. The creativity with which adversaries weaponize these tools should not be underestimated.
Why Traditional Defenses Fail
The core problem with LOTL detection is that the tools themselves are not malicious. PowerShell.exe is not a threat, it is an essential administrative utility. WMI is not an intrusion, it is how Windows Management works. Antivirus and signature-based detection engines are designed to look for bad files; they have no framework for evaluating whether a legitimate binary is being used legitimately or maliciously.
This is why LOTL attacks so reliably bypass conventional defenses. Security logs often fail to capture privilege escalations or unauthorized commands, especially when default logging configurations are in place. Many EDR tools have begun building behavioral detection rules for LOLBin abuse, but coverage remains inconsistent and adversaries actively test their techniques against deployed security tools before deploying them in target environments.
Building a Hunting Strategy
Step 1 - Establish Baselines
Effective LOTL hunting is impossible without behavorial baselines. Before you can identify anomalous use of PowerShell, you need to know what normal PowerShell usage looks like in your environment: which accounts run it, from which parent processes, at what frequency, with what typical command-line patterns. The same applies to every high-value LOLBin in your environment.
Baselining is unglamorous, time-consuming work—and it is the foundation on which everything else rests. Hunters who skip this step find themselves unable to distinguish a domain administrator’s legitimate WMI query from an attacker’s lateral movement, and the resulting alert fatigue makes the hunt functionally worthless.
Step 2 - Enable the Right Logging
LOTL hunting requires telemetry that many organizations do not have enabled by default. The minimum viable logging stack for meaningful LOTL hunting includes PowerShell Script Blog Logging and Module Logging (which captures full script content rather than just process invocations), Sysmon with a well-tuned configuration, Windows Event ID 4688 with full command-line auditing enabled, and WMI activity logging.
Step 3 - Form Targeted Hypotheses
LOTL hunting should be hypothesis-driven rather than exploratory. Rather than ingesting all process creation events and hoping something stands out, structure your hunts around specific, testable propositions grounded in threat intelligence.
Examples:
# Hypothesis: Adversary using PowerShell with encoded commands to evade logging
index=windows EventCode=4688 New_Process_Name="*powershell*"
| search Process_Command_Line="*-enc*" OR Process_Command_Line="*-EncodedCommand*"
| stats count by Account_Name, Parent_Process_Name, Computer
| where count < 3 # Low frequency = less likely to be admin tooling
# Hypothesis: CertUtil used for file download (common LOLBin abuse)
index=windows EventCode=4688 New_Process_Name="*certutil*"
| search Process_Command_Line="*urlcache*" OR Process_Command_Line="*-decode*"
| table _time, Account_Name, Computer, Process_Command_Line
# Hypothesis: WMI spawning unusual child processes (lateral movement indicator)
index=windows EventCode=4688
| search Parent_Process_Name="*WmiPrvSE*"
| search NOT New_Process_Name IN ("*svchost*", "*msiexec*") # filter known-good children
| stats count by New_Process_Name, Computer | sort -count
Step 4 - Investigate Anomalous Context
When a query surfaces a hit, the next question is always: is this contextually anomalous? A key principle from threat hunters at Intel 471 is to evaluate suspicious usage based on user roles, abnormal behavior patterns, and the relationship between the tool and the account running it. A help desk analyst running WMIC to enumerate domain controllers at 2AM is worth investigating. A domain administrator doing the same during business hours probably is not.
Context questions to drive the investigation: Does this account normally use this tool? Does this parent-child process relationship make sense? Was this execution preceded or followed by other anomalous activity? Does the command-line argument pattern match know attacker tradecraft documented in MITRE ATT&CK or threat intelligence reports?
The Volt Typhoon Benchmark
The Volt Typhoon campaign provides the clearest real-world illustration of what mature LOTL hunting must be able to detect. According to the joint CISA/NSA/FBI advisory, the group used wmic, ntdsutil, netsh, and PowerShell to conduct reconnaissance, extract credentials, create port proxies for C2 communication, and maintain persistence—all using tools that exist on every Windows domain controller in the world. They tailored their TTPs to each victim environment, operated within normal working hours to avoid anomaly detection, and maintained access in some environments for five years before discovery.
The lesson is not that LOTL attacks are undetectable. They are not, as the eventual discovery of Volt Typhoon demonstrates. The lesson is that detecting them requires deliberate investment in behavioral visibility, well-constructed hunting hypotheses, and analysts who understand attacker tradecraft deeply enough to know what normal looks like well enough to recognize what isn’t.
Living-off-the-Land attacks will not become easier to detect as time passes. If anythiong, the trend toward LOLBin abuse will continue as attackers discover that it is simply the most effective way to operate in environments with mature endpoint security. The defenders who will be best positioned to find these attacks are those who have invested in the visibility infrastructure, behavioral baselines, and analytical discipline that make anomaly detection possible.
The tools are already inside your network. So, in all likelihood, are some of the adversaries using them. The question is whether your hunting program is built to tell the difference.
Sources & Further Reading
- Vectra AI. Living off the land: How attackers hide in legitimate tools. Vectra AI Research, 2025. https://www.vectra.ai/topics/living-off-the-land
- CISA, NSA, FBI et al. PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Joint Cybersecurity Advisory AA24-038A. February 7, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- The LOLBAS Project. Living Off The Land Binaries, Scripts and Libraries. Community-maintained catalog of Windows LOLBins mapped to MITRE ATT&CK. https://lolbas-project.github.io
- CrowdStrike Falcon OverWatch Elite. 8 LOLBins Every Threat Hunter Should Know. CrowdStrike Research Paper, 2025. https://www.crowdstrike.com/en-us/blog/8-lolbins-every-threat-hunter-should-know/
- Redbot Security. Living Off the Land (LotL) Attacks Explained. June 2025. https://redbotsecurity.com/living-off-the-land-lotl-attacks-explained/
- Archinal, Lee (Intel 471). How to threat hunt Living Off The Land binaries. Help Net Security, May 29, 2025. https://www.helpnetsecurity.com/2025/05/29/threat-hunt-living-off-the-land-binaries-video/
- CISA, NSA, FBI. People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Joint Cybersecurity Advisory AA23-144A. May 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- Vorhees, Matthew Alan. Prevention Strategies for Modern Living Off the Land Usage. SANS Institute White Paper, March 2024. https://www.sans.org/white-papers/prevention-strategies-modern-living-off-land-usage
- MITRE Corporation. ATT&CK for Enterprise — Living Off the Land Techniques. MITRE ATT&CK Knowledge Base. https://attack.mitre.org
- CrowdStrike. What Are Living Off the Land (LOTL) Attacks? CrowdStrike Cybersecurity 101 Series. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/living-off-the-land-attack
