Living-Off-the-Land Attacks: How Hackers Turn Your Own Tools Against You
Living-off-the-land attacks are dangerous not because they are technically exotic, but because they are nearly invisible to the defenses most small businesses rely on. Instead of deploying custom malware that antivirus software might catch, attackers move through your network using the same administrative tools your IT team uses every day: PowerShell, Windows Management Instrumentation (WMI), Remote Desktop Protocol, Task Scheduler, and more. The attack blends into normal operations. By the time anyone notices, the adversary may have been inside for weeks – or months.
- The Threat Landscape: What Living-Off-the-Land Attacks Actually Mean
- Who Gets Targeted – and Why Small Businesses Are Not Exempt
- Real-World Examples and Advisory Data
- Why Traditional Security Tools Miss Living-Off-the-Land Attacks
- What Behavioral Detection Actually Looks Like for a Small Business
- What to Ask Your IT Firm Right Now
- How to Start Defending Your Business Against Living-Off-the-Land Attacks Today
The Threat Landscape: What Living-Off-the-Land Attacks Actually Mean
The term “living off the land” comes from wilderness survival – consume only what the environment already provides. In cybersecurity, it describes adversaries who use pre-installed operating system utilities and legitimate administrative software as their primary weapons. No custom malware. No suspicious executable. The entire operation runs on software that is already signed, trusted, and expected to be running on your machines.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued multiple joint advisories documenting this technique at scale. In May 2023, a joint advisory on the Chinese state-sponsored actor tracked as Volt Typhoon described living off the land as the group's primary tradecraft for evading detection inside U.S. critical infrastructure networks. A follow-up advisory in February 2024 assessed that the group had kept access to some victim networks for at least five years. Both are published at CISA.gov and are required reading for anyone defending a Windows environment.
The tools most commonly abused include PowerShell (Microsoft's own scripting environment, present on every modern Windows machine), WMI (a built-in Windows administration interface, usable locally and against remote machines), PsExec (a signed remote-execution utility from Microsoft's Sysinternals suite that attackers often bring with them because it is rarely blocked), certutil.exe (a certificate management tool whose -urlcache option will also download a file from the internet), and Remote Desktop Protocol. None of these is inherently dangerous. All of them become dangerous in the wrong hands.
Who Gets Targeted – and Why Small Businesses Are Not Exempt

The popular narrative is that sophisticated criminal groups focus on enterprise targets – banks, hospitals, government agencies. That narrative is dangerously outdated. The FBI's 2023 Internet Crime Report recorded $12.5 billion in adjusted losses from cybercrime, and business email compromise alone – often the entry point for a broader network intrusion – accounted for $2.9 billion. Nothing in those figures is reserved for large enterprises.
Small businesses are attractive for living-off-the-land attacks for structural reasons, not size reasons. They typically have few or no staff watching network activity, no alerting on administrative tool usage, a shared local administrator password that lets one captured password or password hash open every machine, and no logging of PowerShell execution or WMI queries. For an attacker, that environment practically invites this technique.
There is also the supply chain dimension. A 10-person professional services firm that works with a larger client – a pharmaceutical company, a financial institution, a government contractor – is a soft entry point into that larger organization’s ecosystem. Targeting the small firm with trusted access to the large firm’s systems is a well-documented attack path. CISA’s advisories on supply chain intrusion patterns reflect this reality directly.
For companies where client security questionnaires are standard – pharmaceutical consulting firms satisfying vendor security requirements, for example – a living-off-the-land intrusion that persists undetected for months can quietly invalidate every compliance attestation the firm has made. That is a business-ending event, not just a technical incident.
Real-World Examples and Advisory Data
The Volt Typhoon advisories are the most publicly detailed example, but far from isolated. The 2021 Colonial Pipeline ransomware attack, which caused fuel shortages across the southeastern United States, began with a compromised password for a legacy VPN account that had no multi-factor authentication; the DarkSide operators then moved through the network using legitimate tools before deploying ransomware. They did not need to bring exotic weapons. The environment handed them everything they needed.
In May 2022, CISA, the FBI and the NSA, together with their Five Eyes partners, issued a joint advisory on threat actors targeting managed service providers, the firms that run infrastructure for small and mid-sized businesses. It warned that these attackers abuse the provider's own remote monitoring and management software, native operating system tools and standard scripting utilities to pivot from the provider's environment into its clients' networks. Once one provider is compromised, its entire client base becomes a target.
FBI and CISA ransomware advisories describe a "hands-on-keyboard" approach, a human operator actively navigating the victim's environment with legitimate tools rather than fully automated malware, precisely because it bypasses signature-based detection. The operator reads the environment, maps the network with built-in commands like net view, net group "Domain Admins" /domain, nltest and ipconfig, identifies high-value targets like backup servers or domain controllers, and moves to them using credentials harvested earlier in the attack.
A pattern documented across dozens of incidents: the attacker gains initial access via a phishing email, elevates privileges using a known vulnerability or stolen credential, then spends days or weeks using PowerShell and WMI to quietly map the environment. Backup systems are identified and disabled. Data is staged. Ransomware – or data exfiltration – follows. Industry breach studies put the average time from initial access to discovery at over 200 days, and living-off-the-land techniques are uniquely effective at stretching that window.
Why Traditional Security Tools Miss Living-Off-the-Land Attacks
Traditional antivirus, and the older generation of endpoint protection built on it, works primarily through signature matching – a database of known malicious files checked against anything that runs on your machine. Living-off-the-land attacks defeat this approach almost entirely because there is nothing to match. PowerShell is not malware. WMI is not malware. A scheduled task is not malware. The tools are clean; it is the context and intent of their use that is malicious.
Consider this: a legitimate IT administrator running a PowerShell script to push a software update looks nearly identical to an attacker running a PowerShell script to harvest credentials – from a signature-based tool’s perspective. Both are PowerShell. Both may be running under a legitimate account. The tool sees: trusted application, signed binary, known process. It takes no action.
Firewall rules fare no better. Outbound connections from certutil.exe or PowerShell look like expected administrative traffic. Lateral movement over Remote Desktop Protocol between internal machines is invisible to a perimeter firewall focused on external threats, and many small business firewalls are not configured to log or alert on internal traffic at all.
Log-based detection requires that logs actually exist and that someone reviews them. Most small businesses have not enabled PowerShell script block logging, so the only PowerShell record they have is the handful of script blocks that PowerShell 5 and later flags automatically as suspicious (logged at warning level as event 4104), which is a safety net, not coverage. WMI activity is barely logged by default; catching WMI persistence usually means deploying Sysmon, whose events 19 to 21 record WMI event filters, consumers and bindings. Remote Desktop logon records stay on the machine that was logged into and are rarely forwarded anywhere. Without these logs, real-time detection is essentially impossible, and forensic reconstruction after an incident is severely limited.
This is why security has increasingly shifted toward “behavioral detection” – identifying attacks based on what tools are doing and whether that behavior matches known attack patterns, rather than matching known malware signatures.
What Behavioral Detection Actually Looks Like for a Small Business
Behavioral detection is not a single product. It is an architecture – a combination of configuration choices, monitoring infrastructure, and human review that together create the ability to distinguish between “IT admin running PowerShell at 10am on a Tuesday” and “PowerShell running at 2am from an account that has never used it before, connecting to an external IP, and attempting to disable Windows Defender.”
For a small business, meaningful behavioral detection against living-off-the-land attacks starts with concrete steps any capable IT partner should be able to execute:
- Enable PowerShell script block logging and module logging. Script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) records the de-obfuscated content of every script block as it runs, not just the fact that PowerShell launched; module logging (event 4103) adds pipeline execution details. Without them, PowerShell-based attacks are nearly invisible.
- Enable Windows security auditing for the categories that reveal lateral movement: logon events (4624, 4625 and 4648), process creation (4688, with the separate "include command line in process creation events" setting turned on, since 4688 otherwise records only the executable name), scheduled task creation and modification (4698 and 4702), and service installation (4697 in the Security log, 7045 in the System log). Sysmon, a free Microsoft tool, adds richer process, network and WMI telemetry on top.
- Forward logs to a centralized location. Logs that sit only on individual endpoints can be cleared by an attacker with local admin rights (the clearing itself is event 1102, which you only see if the log was forwarded first). Centralizing logs – with Windows Event Forwarding, or a modest cloud log management service – preserves them and enables analysis.
- Restrict and monitor administrative tool usage. PowerShell execution policy is a convenience setting, not a security control; any user can bypass it with a command-line switch. Real restriction comes from application control (AppLocker or Windows Defender Application Control), which also puts PowerShell into Constrained Language Mode for non-administrators, and from removing the legacy PowerShell 2.0 engine that attackers use to dodge logging. Alerting on tools like PsExec should flag anomalous use patterns rather than allowing any process to run unchecked.
- Apply the principle of least privilege. PowerShell remoting (WinRM) and PsExec both require administrative rights on the target machine, so an attacker holding a standard user account cannot use them to move laterally. Remove local administrator rights from day-to-day accounts, give every machine a unique local administrator password (Windows LAPS does this at no cost), and keep IT staff on separate administrative accounts. Reducing privileges is one of the highest-value defensive actions available at any spending level.
- Baseline normal administrative behavior. You cannot detect anomalies without knowing what normal looks like. A good IT partner documents which accounts use which tools, at what times, from which machines – and builds alerting around deviations from that baseline.
- Review logs regularly, not just when alerts fire. Many living-off-the-land attacks do not trigger automated alerts because the behavior is subtle. A trained analyst reviewing logs periodically can identify patterns – like an account conducting reconnaissance over several days – that automated rules miss.
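The steps above, carried out on a single Windows host, as an added example; this is the editor's illustration, not code from the article or from Xact IT. It turns on script block, module and transcription logging, enables the audit subcategories behind the event IDs listed, switches on command-line capture for 4688, enlarges the logs so they do not roll over in hours, and reads the settings back. The transcript share path and log sizes are assumptions. In a domain the same values belong in Group Policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and Advanced Audit Policy Configuration), because a local registry write loses to GPO at the next refresh.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own code): enable the logging the checklist calls for,
# on one Windows 10/11 or Server host, from an elevated Windows PowerShell 5.1 session.
$ErrorActionPreference = 'Stop'
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging -> Microsoft-Windows-PowerShell/Operational, event 4104
#    (the de-obfuscated content of every script block as it is compiled).
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# 2. Module logging for every module -> event 4103 (pipeline execution details).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -PropertyType String -Value '*' -Force | Out-Null

# 3. Transcription: a text copy of every session on a share users can append to but not edit.
#    The share name is an assumption; create it and set the ACL before enabling this.
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting    -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Type String -Value '\\logsrv\ps-transcripts$'

# 4. Security-log audit subcategories behind the lateral-movement event IDs:
#    logons (4624/4625/4648), process creation (4688), scheduled tasks (4698/4702, in
#    "Other Object Access Events"), service installs (4697, in "Security System Extension").
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
auditpol /set /subcategory:"Other Object Access Events" /success:enable | Out-Null
auditpol /set /subcategory:"Security System Extension" /success:enable | Out-Null

# 4688 carries only the executable name unless command-line capture is switched on separately.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1

# 5. Grow the logs: script block logging is verbose and the default 15 MB log rolls over fast.
#    Sizes (1 GiB Security, 512 MiB PowerShell) are assumptions; size them for your forwarding interval.
wevtutil sl Security /ms:1073741824
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:536870912

# 6. Read the settings back. Then open a NEW PowerShell window, run any command, and confirm a
#    4104 event for it appears in Microsoft-Windows-PowerShell/Operational.
Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging", "$psPolicy\ModuleLogging", "$psPolicy\Transcription" |
    Select-Object PSChildName, EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting, OutputDirectory
Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled
auditpol /get /subcategory:"Process Creation"
auditpol /get /subcategory:"Logon"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(100, $_.Message.Length)) } }
```

The verification step matters more than it looks: a surprising number of environments have the GPO "enabled" but the log capped at its default size, so by the time anyone goes looking for a 4104 event from last week it has already been overwritten.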
The goal is not to block all administrative tool use – that would break legitimate IT operations. The goal is to make the use of those tools visible, so that when a threat actor starts moving through your environment, there is a trail to detect and follow. Learn more about how Xact IT approaches cybersecurity for small and mid-sized businesses.
A practical illustration: in a 15-person professional services firm, probably no one but the IT administrator has a reason to run PowerShell interactively. With monitoring configured correctly, the first time a regular employee account launches PowerShell with an encoded command, a hidden window, or a parent process like Word or Outlook, an alert fires, even if the script itself is signed and otherwise legitimate. That alert may be the earliest possible sign that an account has been compromised and is being used for reconnaissance. One caveat practitioners learn quickly: Windows itself, software installers and management agents routinely spawn PowerShell under the logged-in user's account, so a rule that fires on every launch drowns in noise. Key the rule on who ran it, what it ran (the 4104 script block content or the 4688 command line) and what launched it, not on the bare fact that powershell.exe started. Without behavioral monitoring, that moment passes in silence.
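The baseline-deviation alert described above, together with the command-line checks implied by the reconnaissance and Defender-tampering discussion earlier in the article, as an added PowerShell example; this is the editor's code, not the article's or Xact IT's. The process-creation records it runs over are constructed for the example, and the admin allowlist, business hours, account names and paths are assumptions. Get-ProcessCreationEvents shows how to feed real Security-log 4688 events into the same detector once command-line auditing is on.

```powershell
#Requires -Version 5.1
# Added example (not the article's own code): baseline-deviation and command-line checks over
# process-creation (4688) records. Sample events are constructed; allowlist, hours, names and
# paths are assumptions for the example.

# The baseline: accounts expected to run PowerShell at all, and when. Anything else is a deviation.
$ApprovedPowerShellAccounts = @('CORP\it-admin')
$BusinessHours              = 7..19

# Command-line fragments that are rarely legitimate on a workstation. Tune to your environment.
$SuspiciousPatterns = @(
    '-e[a-z]*\s+[A-Za-z0-9+/=]{20,}'                         # -enc / -EncodedCommand with a base64 payload
    '\b(iex|Invoke-Expression)\b|DownloadString|FromBase64String'
    'certutil.*-urlcache'                                     # certutil used as a downloader
    'Set-MpPreference.*-Disable'                              # Defender tampering
    'vssadmin.*delete\s+shadows|wbadmin\s+delete'             # destroying shadow copies / backups
    'wevtutil\s+cl\b'                                         # clearing event logs
    '\bnet1?\s+(view|group|user)\b|\bnltest\b|whoami\s+/all'  # domain reconnaissance
)
$OfficeAndScriptHosts = '\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$'

function Get-ProcessCreationEvents {
    # Real data path (run elevated): reshape 4688 events into the fields the detector uses.
    # Needs "Include command line in process creation events" enabled, or CommandLine is empty.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $fields.SubjectDomainName, $fields.SubjectUserName
                Process     = $fields.NewProcessName
                Parent      = $fields.ParentProcessName
                CommandLine = $fields.CommandLine
            }
        }
}

function Find-LotlDeviations {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $reasons = [System.Collections.Generic.List[string]]::new()
        $isPowerShell = $e.Process -match '\\(powershell|pwsh)\.exe$'
        # Baseline checks apply to PowerShell launches; command-line checks apply to everything.
        if ($isPowerShell -and $e.Account -notin $ApprovedPowerShellAccounts) {
            $reasons.Add('PowerShell launched by non-baselined account')
        }
        if ($isPowerShell -and $e.Time.Hour -notin $BusinessHours) {
            $reasons.Add("PowerShell outside business hours ($($e.Time.ToString('HH:mm')))")
        }
        if ($isPowerShell -and $e.Parent -match $OfficeAndScriptHosts) {
            $reasons.Add("PowerShell spawned by $([IO.Path]::GetFileName($e.Parent))")
        }
        foreach ($pattern in $SuspiciousPatterns) {
            if ($e.CommandLine -match $pattern) { $reasons.Add("command line matches /$pattern/"); break }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.Time
                Account     = $e.Account
                Process     = [IO.Path]::GetFileName($e.Process)
                Reasons     = $reasons -join '; '
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample: two routine events that should stay quiet, three that should surface.
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-05T10:02:00'; Account = 'CORP\it-admin';   Process = $ps; Parent = 'C:\Windows\explorer.exe'; CommandLine = 'powershell.exe -File \\fs01\scripts\Push-Update.ps1' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05T02:15:00'; Account = 'CORP\svc-backup'; Process = 'C:\Windows\System32\cmd.exe'; Parent = 'C:\Windows\System32\services.exe'; CommandLine = 'cmd.exe /c C:\Backup\nightly.cmd' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05T14:31:00'; Account = 'CORP\jsmith';     Process = $ps; Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05T02:47:00'; Account = 'CORP\it-admin';   Process = $ps; Parent = 'C:\Windows\System32\cmd.exe'; CommandLine = 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true; vssadmin delete shadows /all /quiet"' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05T14:33:00'; Account = 'CORP\jsmith';     Process = 'C:\Windows\System32\net.exe'; Parent = 'C:\Windows\System32\cmd.exe'; CommandLine = 'net group "Domain Admins" /domain' }
)

Find-LotlDeviations -Events $sample | Format-Table Time, Account, Process, Reasons -AutoSize -Wrap
# Against real logs: Find-LotlDeviations -Events (Get-ProcessCreationEvents) | Export-Csv lotl-deviations.csv -NoTypeInformation
```

Three of the five sample records surface: jsmith's Word-spawned encoded PowerShell (non-baselined account, Office parent, and encoded payload), the administrator's 02:47 Defender-disable plus shadow-copy deletion (approved account, but off-hours and a tampering command, which is exactly the case a pure allowlist misses), and jsmith's net group "Domain Admins" /domain reconnaissance. The nightly backup job at 02:15 stays quiet because it is not PowerShell, which is the point of scoping the hours rule rather than flagging every overnight process.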
Network segmentation matters here too. Most small businesses run flat networks – every machine can reach every other machine. That is operationally convenient and a security liability. An attacker on a flat network has access to every device, every file share, and every server from the moment they compromise a single endpoint. Basic segmentation – separating workstations from servers, isolating critical systems – raises the cost of lateral movement significantly and often forces the attacker into noisier moves that are easier to catch.
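The host-firewall half of that segmentation for workstations on a flat network, as an added example (the editor's illustration, not code from the article or from Xact IT): default-deny inbound, the broad built-in allow rules for SMB, RDP and WinRM disabled, and those ports re-opened only to the IT jump hosts. The jump-host addresses are assumptions. This is a workstation policy; servers and domain controllers need their own, and for more than a handful of machines the same rules belong in Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own code): restrict the protocols lateral movement rides on
# (SMB 445 for PsExec and admin shares, RDP 3389, WinRM 5985/5986) to the IT jump hosts only.
$ManagementHosts       = @('10.0.0.50', '10.0.0.51')   # assumed: IT admin jump hosts
$LateralMovementGroups = @('Remote Desktop', 'File and Printer Sharing', 'Windows Remote Management')

# 1. Default-deny inbound on every profile. This is the Windows default, but enforce it explicitly.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in inbound allow rules that let any peer on the subnet reach 445/3389/5985.
#    Note: "File and Printer Sharing" also contains the ICMP echo rules, so ping stops working too;
#    re-add a scoped ICMP rule if your monitoring depends on it.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -in $LateralMovementGroups } |
    Disable-NetFirewallRule

# 3. Re-allow those ports from the management hosts only.
New-NetFirewallRule -DisplayName 'Admin-only inbound SMB/RDP/WinRM' -Group 'LOTL hardening' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445,3389,5985,5986 `
    -RemoteAddress $ManagementHosts -Profile Domain,Private | Out-Null

# 4. Verify: list every enabled inbound allow rule still touching those ports and who it admits.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(445|3389|5985|5986)$' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize
```

After this, a compromised workstation can no longer use PsExec, RDP or PowerShell remoting against its neighbours; an attacker who wants to move must either reach a jump host first or fall back to noisier techniques, which is exactly the trade the segmentation paragraph describes. The verification step should show only the scoped rule on those ports; any other allow rule it lists is a hole worth explaining.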
What to Ask Your IT Firm Right Now
If you are evaluating whether your current IT support is equipped to detect and respond to living-off-the-land attacks, these questions separate security partners who are genuinely prepared from those still fighting the last war with signature-based tools:
- Is PowerShell script block logging currently enabled across our environment? Where are those logs stored, and who reviews them?
- Do we have a baseline of normal administrative activity? If a user account starts executing commands it has never used before, does anyone find out?
- Are our Windows security event logs being forwarded off individual machines? If an attacker deleted the local logs tonight, would we still have a record?
- How is lateral movement between internal machines detected? Is there any monitoring of traffic between machines inside the network, or only traffic crossing the perimeter?
- Is least privilege applied to our user accounts? How many accounts have local administrator rights that do not strictly need them, and is the local administrator password unique on every machine or shared across all of them?
- Has our network been segmented so that a compromised workstation cannot directly reach our servers and backup systems?
- When did we last review our administrative tool usage policies against current CISA guidance on living-off-the-land techniques?
These are not trick questions. A capable IT partner should answer each of them clearly, with specifics about your environment. Vague answers – “yes, we have monitoring in place” without any description of what is actually monitored – are a signal that the monitoring may exist in name only.
The businesses that get caught by living-off-the-land attacks are rarely the ones that skipped security entirely. They are often the ones that invested in the tools everyone told them to buy – antivirus, a firewall, a password manager – and then assumed those tools were sufficient. Against a technique specifically designed to route around those tools, that assumption is the most dangerous thing in the environment.
How to Start Defending Your Business Against Living-Off-the-Land Attacks Today
Behavioral detection, log centralization, privilege restriction, and network segmentation are not glamorous controls. They do not make for exciting vendor marketing. But they are the actual defenses that create visibility into living-off-the-land attacks – the technique the FBI and CISA have identified as one of the most persistent and difficult-to-detect threats facing organizations of every size.
For most small businesses, the path forward is not a large technology investment. It is a configuration and process investment. Turning on the right Windows logging settings costs nothing in licensing, though it does cost log storage and someone's time to look. Enforcing least privilege is an administrative task, not a procurement decision. Centralizing logs to a cloud service can cost a few dollars a month. These foundational steps, executed consistently, create the visibility layer that makes every other security control more effective.
The NIST Cybersecurity Framework provides a vendor-neutral foundation for thinking through these controls – particularly its “Detect” function, which maps directly to the behavioral monitoring practices described here. Aligning your security program to the NIST framework also gives you a credible answer when clients, insurers, or auditors ask how your organization manages cyber risk.
The businesses that have never experienced a damaging breach are not simply lucky – they are instrumented. They have made deliberate choices about what to log, what to alert on, and how to respond. If your business has not yet made those choices, the right time to start is now. See how Xact IT builds these controls into everyday operations. Or, if you want to know where your environment stands today, Book a Free Cybersecurity Strategy Call – a 20-minute conversation with no obligation.
Want a Walkthrough of Your Own Setup?
Twenty minutes on the phone with our team gets you specific recommendations you can use immediately — whether you hire us or not. No pitch, no pressure, just an honest read on where your business stands.