Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Living off the land attacks: what practitioners need to stop now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Living off the land attacks accounted for 84% of major incidents in a 2025 analysis of more than 700,000 cases, because attackers used trusted tools like PowerShell, WMI, SSH, and RDP to move laterally and avoid malware-based detection, according to Illumio. Malware signatures are no longer enough when native administration activity is the disguise.

NHIMG editorial — based on content published by Illumio: Ransomware Containment Modern Trojan Horse, How Attackers Live Off the Land and How to Stop Them

By the numbers:

Questions worth separating out

Q: What breaks when attackers rely on living off the land techniques?

A: Traditional malware-focused controls break first, because the attacker is using approved tools rather than dropping a suspicious binary.

Q: Why do native admin tools make lateral movement harder to stop?

A: Native tools are already trusted, widely permitted, and deeply embedded in routine administration.

Q: How do security teams know if living off the land controls are working?

A: They should see fewer unexplained privileged sessions, faster isolation of suspicious hosts, and better correlation between identity, process, and network movement.

Practitioner guidance

  • Instrument native tool abuse detection Track abnormal PowerShell, WMI, SSH, RDP, cron, and other built-in administrative usage against baseline behaviour, with alerts tied to the identity running the command and the host receiving it.
  • Correlate privileges with east-west movement Join identity logs, remote execution telemetry, and system-to-system connections so you can spot accounts using legitimate access to traverse segments or initiate unusual administrative sessions.
  • Reduce standing administrative reach Limit persistent admin privileges on accounts that can invoke native tools, and move high-risk access to task-scoped approvals and just-in-time elevation wherever operationally possible.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • Walkthroughs of how LOTL activity is detected across Windows, macOS, and Linux environments.
  • Specific examples of native tools used for persistence, exfiltration, and lateral movement.
  • The response sequence Illumio recommends for rapid containment when native tools are abused.
  • The article's incident references, including ToolShell, Medusa, and SolarWinds, with the control lessons each one illustrates.

👉 Read Illumio's analysis of living off the land ransomware containment →

Living off the land attacks: what practitioners need to stop now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

LOTL is an identity and privilege problem, not just a malware problem. Attackers succeed because trusted execution paths already exist inside enterprise environments, and those paths are usually governed as operational convenience rather than security boundaries. When administration, automation, and remote access are too broadly trusted, native tools become the attacker's camouflage. The practitioner conclusion is simple: control the identity behind the tool, not only the tool itself.

A question worth separating out:

Q: Who is accountable when living off the land activity enables ransomware spread?

A: Accountability sits across endpoint, identity, and operations teams because the failure is usually shared. Attackers exploit excessive trust in built-in tools, weak segmentation, and persistent access, so governance needs clear ownership for privilege scope, detection rules, and containment authority. Frameworks such as NIST CSF and NIST SP 800-53 help assign those responsibilities.

👉 Read our full editorial: Living off the land attacks are outpacing malware-only detection



   
ReplyQuote
Share: