TL;DR: Living off the land attacks accounted for 84% of major incidents in a 2025 analysis of more than 700,000 cases, because attackers used trusted tools like PowerShell, WMI, SSH, and RDP to move laterally and avoid malware-based detection, according to Illumio. Malware signatures are no longer enough when native administration activity is the disguise.
At a glance
What this is: The article argues that living off the land attacks let intruders hide inside legitimate system tools, making lateral movement and containment far harder than malware-led intrusions.
Why it matters: For IAM, PAM, NHI, and broader security teams, the core issue is that trusted execution paths can be abused after initial access, so detection and containment must cover privilege use, tool abuse, and movement between systems.
By the numbers:
- A 2025 analysis of over 700,000 incidents found that 84% of major attacks involved living off the land techniques.
- More than 300 organizations have already been hit by Medusa ransomware, including hospitals, financial institutions, schools, and government services.
- The FBI and CISA issued a joint advisory in February 2024 warning of Medusa ransomware's growing threat to critical infrastructure.
👉 Read Illumio's analysis of living off the land ransomware containment
Context
Living off the land attacks use legitimate tools already present in the environment, such as PowerShell, WMI, SSH, cron, and built-in remote access utilities, to move, persist, and exfiltrate without dropping obvious malware. The primary security gap is not the absence of tools, but the absence of visibility into how those tools are being used at runtime. That matters for identity governance because privileged execution, service access, and remote administrative workflows are all identity-mediated.
The article frames this as a detection and containment problem rather than a pure malware problem. For identity and access programmes, the lesson is that standing privileges, over-broad admin tools, and weak lateral movement controls create the conditions for attackers to blend in with normal operations. That is especially relevant where service accounts, automation, and remote admin access are already part of the operational baseline.
Key questions
Q: What breaks when attackers rely on living off the land techniques?
A: Traditional malware-focused controls break first, because the attacker is using approved tools rather than dropping a suspicious binary. The result is reduced alert quality, slower investigation, and a much larger window for lateral movement. Defenders need behavioural detection that understands who is using PowerShell, WMI, SSH, or RDP and why.
Q: Why do native admin tools make lateral movement harder to stop?
A: Native tools are already trusted, widely permitted, and deeply embedded in routine administration. That means an attacker can often move across systems using legitimate channels that blend into normal work. The control problem is not only detecting the tool, but recognising when the identity, timing, or destination is inconsistent with approved administration.
Q: How do security teams know if living off the land controls are working?
A: They should see fewer unexplained privileged sessions, faster isolation of suspicious hosts, and better correlation between identity, process, and network movement. If native tool use is visible but not attributable to a user, service account, or task, the control is not working well enough for real containment.
Q: Who is accountable when living off the land activity enables ransomware spread?
A: Accountability sits across endpoint, identity, and operations teams because the failure is usually shared. Attackers exploit excessive trust in built-in tools, weak segmentation, and persistent access, so governance needs clear ownership for privilege scope, detection rules, and containment authority. Frameworks such as NIST CSF and NIST SP 800-53 help assign those responsibilities.
Technical breakdown
How living off the land techniques evade malware-based detection
Living off the land, or LOTL, means using native operating system tools instead of deploying new malicious binaries. Attackers abuse trusted processes such as PowerShell, WMI, Bash, SSH, and scheduled jobs because those tools are expected to run in enterprise environments. Security products that rely on file hashes, signature matching, or obvious malware artifacts often miss the activity because the attacker is borrowing legitimate execution paths. The result is stealth, persistence, and lower noise, especially when commands run in memory or blend into administrative traffic.
Practical implication: detection must move from file-centric scanning to behavioural monitoring of trusted tool use.
Why lateral movement becomes the decisive phase
Once the attacker has a foothold, LOTL tradecraft is used to expand access by invoking built-in remote administration and orchestration tools. That includes RDP, SSH, WMI, and other system-to-system channels that are normal in hybrid estates. The danger is not only that these tools are present, but that they often operate under broad trust assumptions and inherited permissions. In practice, this makes lateral movement look like legitimate administration unless defenders correlate identity, source host, command context, and timing.
Practical implication: teams need visibility into east-west identity activity, not just perimeter or endpoint alerts.
Why containment must work without waiting for signatures
The central operational problem in LOTL incidents is speed. Attackers can escalate, move, and exfiltrate before a signature-based control ever recognises a malicious file. Containment therefore depends on the ability to isolate a host or suspend a communication path based on anomalous behaviour, not confirmed malware. This is where segmentation, policy enforcement, and rapid response become more valuable than after-the-fact investigation. The article's core point is that defenders need to control the environment being used, not just search for malicious code inside it.
Practical implication: containment playbooks should be triggered by abnormal tool and access patterns, not only by malware detection.
Threat narrative
Attacker objective: The attacker wants to maintain stealth while expanding control across the environment, enabling data theft, ransomware deployment, or prolonged access without triggering traditional malware alarms.
- Entry occurs when attackers gain a foothold and begin using native tools already trusted in the environment, rather than dropping obvious malware.
- Escalation follows as they abuse PowerShell, WMI, RDP, SSH, or similar channels to expand privileges and move laterally through the estate.
- Impact occurs when the attacker reaches valuable systems, exfiltrates data, or deploys ransomware while blending into normal administrative activity.
NHI Mgmt Group analysis
LOTL is an identity and privilege problem, not just a malware problem. Attackers succeed because trusted execution paths already exist inside enterprise environments, and those paths are usually governed as operational convenience rather than security boundaries. When administration, automation, and remote access are too broadly trusted, native tools become the attacker's camouflage. The practitioner conclusion is simple: control the identity behind the tool, not only the tool itself.
Detection that stops at the endpoint misses the real blast radius. LOTL activity often looks normal at the file level but abnormal at the identity and movement level. That makes east-west visibility, command context, and privilege correlation more important than hash-based alerts. For security programmes, this is where NIST CSF detection and response outcomes need to be paired with identity-aware telemetry, especially around privileged sessions and service access.
Standing access creates the conditions for stealthy expansion. Native tools become dangerous when they can be used by accounts with broad, persistent reach across systems. That is why PAM, least privilege, and task-scoped access matter in containment, not just access review. A programme that treats administrative reach as continuous entitlement will always struggle to distinguish legitimate administration from attacker activity.
Living off the land sharpens the case for identity-aware segmentation. Microsegmentation and containment controls only work when they are tied to who is connecting, from where, and under what authority. In other words, network policy and identity policy can no longer be separated in practice. The practitioner conclusion is to govern lateral movement as an access control problem, not only a traffic problem.
LOTL changes the economics of defensive fatigue. If defenders expect every attack to introduce malware, they will over-invest in detection signatures and under-invest in behaviour, telemetry, and rapid isolation. The article reinforces a broader market shift toward runtime containment and behavioural control. The practitioner conclusion is to measure whether the environment can be quarantined faster than the attacker can pivot.
What this signals
Living off the land should be read as an identity telemetry challenge, not only an endpoint one. If a programme cannot attribute privileged tool use to a specific identity, role, or task, then normal operations and attacker tradecraft will continue to look the same. That is why identity-aware monitoring matters as much as classic malware hunting in environments with heavy administration. The next control gap is not more alerts, but better context around who used what, where, and under whose authority.
The practical signal for security teams is whether containment can happen before lateral movement becomes entrenched. If suspicious native tool use is discovered only after exfiltration or encryption begins, the programme is already behind. Teams should expect tighter coupling between identity logs, segmentation policies, and response automation, especially where service accounts and remote admin access are common.
The broader shift is toward runtime control of trusted execution, which aligns with the same governance logic used in NHI programmes: reduce standing trust, narrow privilege scope, and make abnormal use visible before it becomes impact. That combination is what separates controlled administration from stealthy attacker movement.
For practitioners
- Instrument native tool abuse detection Track abnormal PowerShell, WMI, SSH, RDP, cron, and other built-in administrative usage against baseline behaviour, with alerts tied to the identity running the command and the host receiving it.
- Correlate privileges with east-west movement Join identity logs, remote execution telemetry, and system-to-system connections so you can spot accounts using legitimate access to traverse segments or initiate unusual administrative sessions.
- Reduce standing administrative reach Limit persistent admin privileges on accounts that can invoke native tools, and move high-risk access to task-scoped approvals and just-in-time elevation wherever operationally possible.
- Pre-stage containment for suspicious behaviour Define isolation actions that can be triggered by anomalous native tool use, unusual remote sessions, or unexpected lateral movement without waiting for malware confirmation.
Key takeaways
- Living off the land attacks succeed because defenders still over-trust native administrative tools and the identities that can run them.
- The article's evidence shows that LOTL tradecraft is now mainstream, with 84% of major incidents involving these techniques in a 2025 analysis.
- Security teams need identity-aware behavioural detection and fast containment, because signature-only controls cannot keep pace with trusted-tool abuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | LOTL tradecraft uses native tools to access credentials, move laterally, and drive impact. |
| NIST CSF 2.0 | DE.CM-8 | The article is fundamentally about detecting anomalous system and identity behaviour. |
| NIST SP 800-53 Rev 5 | AC-6 | Standing admin reach enables LOTL abuse across systems. |
| CIS Controls v8 | CIS-6 , Access Control Management | Access control discipline is central to limiting how attackers reuse trusted administration paths. |
Map native-tool abuse to ATT&CK tactics and tune detections for identity-linked movement, not just malware.
Key terms
- Living-off-the-Land: Living-off-the-land attacks use legitimate enterprise tools instead of custom malware. In identity environments, that means abusing approved administrative functions to perform disruptive actions while blending into normal operational traffic.
- Lateral Movement: Lateral movement is the phase of an intrusion where an attacker expands from one compromised system or account to others inside the environment. It often depends on remote administration paths, over-broad permissions, and weak segmentation, which is why identity, network, and endpoint telemetry must be analysed together.
- Behavioural Threat Detection: Behavioural threat detection identifies suspicious activity by comparing actions, timing, and relationships against normal operating patterns rather than relying on known malware signatures. It is especially useful when attackers use trusted tools, because the control has to detect misuse of legitimate behaviour rather than malicious files.
- Identity-Aware Containment: Response actions that stop an email threat from becoming an access or fraud event. This includes investigation, mailbox controls, credential checks, and approval review, all coordinated around identity impact rather than inbox hygiene alone.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- Walkthroughs of how LOTL activity is detected across Windows, macOS, and Linux environments.
- Specific examples of native tools used for persistence, exfiltration, and lateral movement.
- The response sequence Illumio recommends for rapid containment when native tools are abused.
- The article's incident references, including ToolShell, Medusa, and SolarWinds, with the control lessons each one illustrates.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps security and identity practitioners build controls that match how modern access actually works.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org