Hackers Are Turning Your Own Tools Against You – And It’s Getting Worse
Most security teams work hard to block viruses and suspicious files. That’s their job, right? But what if hackers don’t need to sneak anything new onto your network? What if everything they need is already there?
That’s exactly what’s happening with a sneaky type of attack called a “living off the land” (LOTL) attack. Instead of bringing in outside malware, cybercriminals are now using the very tools built into your operating system — tools your IT team uses every day — to quietly move through your systems and do serious damage.
It’s not just a rare trick anymore. It’s becoming the norm.
CrowdStrike recently found that nearly 8 out of 10 cyberattacks now skip traditional malware altogether. Bitdefender’s research backs this up — they say these LOTL techniques are now a major feature in most serious security incidents they study.
We looked deeper into how these attacks actually work, what the data is telling us, and what you can realistically do to protect your business from this invisible threat.
- They use your own tools against you: These attacks don’t rely on outside malware. Hackers use what’s already on your system — things like PowerShell or netsh — to fly under the radar.
- It all looks normal: Since they’re using trusted tools, their activity often blends in with regular system processes, making it really hard to spot.
- It’s more common than you think: LOTL techniques are now showing up in most high-impact security breaches. This isn’t a niche issue — it’s the new reality.
- They’re doing more than just poking around: These tools help hackers scan your network, boost their access, move from one system to another, and eventually steal data — all without raising alarms.
- You can fight back: Start by limiting access to powerful system tools. Make sure employees only have the permissions they absolutely need. Segment your network so that a single breach doesn’t open the door to everything. And, maybe most importantly, train your team — awareness can be a powerful line of defense.
What the Latest Data Tells Us About LOTL—and Why It Should Worry You
Living off the land (LOTL) tactics aren’t new—they’ve been floating around the cybersecurity world for over a decade. But now, for the first time, security teams are truly starting to understand just how serious and far-reaching their impact can be. Bitdefender’s 2025 report offers one of the clearest and most alarming snapshots yet.

Their research, which analyzed more than 700,000 security incidents from across the globe over just three months, revealed something startling: a whopping 84% of major attacks made use of LOTL techniques. That’s not a typo—most serious breaches didn’t involve flashy malware or zero-days, but everyday system tools like netsh.exe, rundll32.exe, powershell.exe, and wmic.exe. Because these tools come pre-installed and are signed by Microsoft, they blend in almost perfectly with normal system activity. It’s like hiding in plain sight.
One tool stood out among the rest—netsh.exe. It was used in roughly one-third of all incidents. Attackers frequently leveraged it to silently disable firewalls, map out internal networks, or open backdoors—all while mimicking legitimate admin behavior. If that doesn’t send a chill down your spine, it should.
Other commonly misused tools included Csc.exe and Reg.exe. But attackers rarely stop at just one. Instead, they string these tools together into stealthy, customized scripts capable of hopping across machines and gradually escalating privileges. These scripts can quietly move from initial access all the way to stealing sensitive data—without setting off any alarms.
Why LOTL Is a Favorite Tool Among Ransomware Groups
Over the years, cybercriminals have gotten smarter. They’ve realized that it’s easier—and often more effective—to become part of the system than to fight their way in. That’s what makes LOTL tactics so attractive: they allow attackers to operate from within the network’s circle of trust, undetected and unnoticed.

ThreatDown, a major endpoint security provider, didn’t mince words in their 2025 State of Malware report. They called LOTL tactics “indispensable” to ransomware gangs—and the numbers back that up. The report highlighted that Windows Remote Desktop Protocol (RDP) is one of the most popular doors attackers walk through to begin these stealthy attacks.
Here’s a glimpse at some of the most commonly observed LOTL behaviors caught by ThreatDown’s EDR tools in 2024:
- Scanning internal networks using tools like Advanced IP Scanner – 19%
- Altering the hosts file to block updates or redirect traffic – 10%
- Creating hidden local accounts to keep a foothold – 9%
- Running PowerShell commands that look like routine admin tasks – 9%
- Tricking users into launching attacks via malicious links – 9%
How Can Organizations Spot and Stop LOTL Attacks?
LOTL (Living Off the Land) attacks are tricky to catch. Why? Because attackers use the same tools that IT teams rely on every day to keep things running. Blocking those tools outright could actually do more harm than good, disrupting regular operations.

Bitdefender explains that the key to catching these attacks isn’t just spotting the tools—it’s noticing how they’re being used. It’s about watching for behavior that feels “off.” For example, is PowerShell doing something unusual? Is WMIC being used in a way that doesn’t match typical patterns? That’s where the red flags begin to show.
By focusing on the behavior inside these tools rather than the tools themselves, companies can stay safer—without breaking what already works.
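As an added illustration of that behaviour-first approach (example code written for this page, not from Bitdefender, ThreatDown or the original article), the rules below ignore the mere presence of a LOLBin and instead flag the kinds of misuse the article describes: netsh switching the firewall off, a new local account being created (via net.exe, a tool the article does not name), a hosts-file edit, an encoded PowerShell command, and an Office application spawning a script host. The process-creation events are constructed samples, and the field names are an assumption rather than any particular EDR's schema.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. "winword.exe" (field names assumed, not an EDR schema)
    image: str     # launched image name, e.g. "powershell.exe"
    cmdline: str   # full command line as logged

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wmic.exe", "rundll32.exe", "cmd.exe"}

# Each rule looks at HOW a trusted tool is used, not merely that it ran.
def netsh_disables_firewall(e: ProcEvent) -> bool:
    return e.image == "netsh.exe" and re.search(r"firewall.*\bstate\s+off\b", e.cmdline, re.I) is not None

def new_local_account(e: ProcEvent) -> bool:
    return e.image in {"net.exe", "net1.exe"} and re.search(r"\buser\b.+/add\b", e.cmdline, re.I) is not None

def hosts_file_touched(e: ProcEvent) -> bool:
    return r"drivers\etc\hosts" in e.cmdline.lower()

def encoded_powershell(e: ProcEvent) -> bool:
    # -e / -ec / -enc / -EncodedCommand followed by a long base64 blob
    return e.image == "powershell.exe" and re.search(r"-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}", e.cmdline, re.I) is not None

def office_spawns_script_host(e: ProcEvent) -> bool:
    return e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS

RULES = [
    ("netsh firewall disabled", netsh_disables_firewall),
    ("local account created", new_local_account),
    ("hosts file modified", hosts_file_touched),
    ("encoded PowerShell", encoded_powershell),
    ("Office app spawned script host", office_spawns_script_host),
]

def evaluate(events):
    """Return (rule name, command line) for every event that trips a rule."""
    return [(name, e.cmdline) for e in events for name, rule in RULES if rule(e)]

# Constructed sample events (not real telemetry): four suspicious, two benign admin uses.
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", "netsh.exe", "netsh advfirewall set allprofiles state off"),
    ProcEvent("cmd.exe", "net.exe", "net user svc_backup P@ss123 /add"),
    ProcEvent("winword.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("cmd.exe", "cmd.exe", "cmd /c echo 127.0.0.1 update.example >> C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ProcEvent("explorer.exe", "netsh.exe", "netsh interface show interface"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]
```

The two benign events run the same binaries as the suspicious ones but trip nothing, which is the point: the tool stays allowed and only the behaviour is flagged.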
Kaspersky also shares some smart advice to help reduce the risk of these sneaky attacks:
1. Limit the use of well-known “LOLBins”. Tools like PowerShell, netsh, and rundll32 are useful—but they can also be dangerous in the wrong hands. Use them only when necessary.
2. Make sure only trusted apps and scripts can run, especially in sensitive areas.
3. Don’t give free rein to scripts. Block any that are unauthorized or hard to understand (which is often a sign of something shady).
4. Use detection tools that can spot strange patterns in how processes are chained together—one of the signs of a LOTL attack.
5. Only give admin rights to people who really need them. Fewer high-level users = less damage if someone breaks in.
6. Break your system into smaller parts, so if an attacker gets in, they can’t easily move around.
7. Make sure your staff knows what LOTL behavior looks like and when something just doesn’t feel right.
These steps won’t stop every attack, but they make things a lot harder for intruders. It’s like putting up extra fences and motion sensors—if someone does try to sneak in, they’re more likely to get caught.
The Bottom Line:
LOTL attacks are quiet, sneaky, and becoming more common. What Bitdefender points out is both unsettling and eye-opening: tools we’ve always trusted are now being used against us.
But there’s hope. With better visibility, smarter controls, and stronger setups, we can spot these attacks before they cause real damage. The key is to stop assuming that just because something is familiar, it’s always safe.
Stay alert. Stay curious. And never stop questioning what you think you already know.