
LOTL attacks: why identity-driven detection is still falling short


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Living-off-the-land attacks now let threat actors use trusted admin tools, legitimate credentials, and normal-looking telemetry to bypass endpoint-centric defences, with campaigns like Volt Typhoon and Sandworm showing how hard they are to spot, according to AuthMind. The core problem is not malware volume but identity blind spots and weak cross-domain visibility.

NHIMG editorial — based on content published by AuthMind: an analysis of living-off-the-land attacks and identity observability

Questions worth separating out

Q: How should security teams detect living-off-the-land attacks in hybrid environments?

A: Security teams should correlate identity context with process, cloud, and network telemetry instead of hunting for malware alone.

Q: Why do living-off-the-land attacks bypass so many traditional controls?

A: They bypass controls because the activity is built from tools, credentials, and admin patterns that defenders already trust.

Q: What signals indicate native tools are being abused by an attacker?

A: Look for first-time use of administrative tools, access to unusual targets, privileged actions that do not match the account’s baseline, and repeated movement between systems in a short window.

Practitioner guidance

  • Correlate identity and process telemetry: join IAM, PAM, EDR, and cloud logs so native tool usage can be evaluated against the identity that invoked it, the target asset, and the access path.
  • Baseline normal admin behaviour by identity: track first-time tool use, unusual access destinations, and off-hours privileged activity for each account or service principal instead of relying on generic alert thresholds.
  • Join privileged access workflows to execution context: verify that privileged sessions can be tied to approved workflows and that bypassed PAM paths are visible in downstream detection and investigation tooling.

What's in the full article

AuthMind's full blog post covers the operational detail this post intentionally leaves for the source:

  • Examples of the native tools and access patterns the vendor says are most often abused in LOTL activity
  • How the vendor correlates identity, network, and cloud signals to reconstruct suspicious access paths
  • The detection workflow it uses to flag deviations from identity baselines in hybrid environments
  • Practical examples of how a SOC can triage admin activity that may be legitimate or malicious

👉 Read AuthMind's analysis of living-off-the-land attacks and identity observability →
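One way to implement the identity-baseline checks the guidance above describes (first-time tool use, unusual targets, off-hours privileged actions, rapid movement between systems), as an added example that is not AuthMind's code or part of the original post; the event schema, thresholds and sample records are assumptions constructed for illustration:

```python
# Added example, not AuthMind's or the forum's code. Events are assumed to be
# records already joined from IAM/PAM/EDR logs; the schema, sample data and
# thresholds below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)    # assumed on-hours window, local time
MOVE_WINDOW = timedelta(minutes=10)
MOVE_THRESHOLD = 3               # distinct targets inside MOVE_WINDOW


def ev(ts, identity, tool, target, privileged=False):
    return {"ts": ts, "identity": identity, "tool": tool,
            "target": target, "privileged": privileged}


def build_baseline(history):
    """Per-identity sets of tools and targets seen in a known-good period."""
    base = defaultdict(lambda: {"tools": set(), "targets": set()})
    for e in history:
        base[e["identity"]]["tools"].add(e["tool"])
        base[e["identity"]]["targets"].add(e["target"])
    return base


def detect(events, baseline):
    """Return (ts, identity, rule) findings; baseline grows so each new tool/target alerts once."""
    findings, recent = [], defaultdict(list)   # recent: identity -> [(ts, target)]
    for e in sorted(events, key=lambda x: x["ts"]):
        ident, ts = e["identity"], datetime.fromisoformat(e["ts"])
        b = baseline.setdefault(ident, {"tools": set(), "targets": set()})
        if e["tool"] not in b["tools"]:                 # first-time admin tool
            findings.append((e["ts"], ident, "first-time-tool:" + e["tool"]))
            b["tools"].add(e["tool"])
        if e["target"] not in b["targets"]:             # unusual destination
            findings.append((e["ts"], ident, "unusual-target:" + e["target"]))
            b["targets"].add(e["target"])
        if e["privileged"] and ts.hour not in BUSINESS_HOURS:
            findings.append((e["ts"], ident, "off-hours-privileged"))
        # sliding window: many distinct targets in a short span = movement
        recent[ident] = [(t, x) for t, x in recent[ident] if ts - t <= MOVE_WINDOW]
        recent[ident].append((ts, e["target"]))
        if len({x for _, x in recent[ident]}) == MOVE_THRESHOLD:
            findings.append((e["ts"], ident, "rapid-movement"))
    return findings


# Constructed sample: known-good history, then one day of svc-backup activity.
HISTORY = [ev("2024-03-01T09:00:00", "svc-backup", "robocopy", "fs01"),
           ev("2024-03-01T09:05:00", "svc-backup", "robocopy", "fs02")]
EVENTS = [ev("2024-03-04T10:00:00", "svc-backup", "robocopy", "fs01"),
          ev("2024-03-04T02:10:00", "svc-backup", "psexec", "dc01", True),
          ev("2024-03-04T02:12:00", "svc-backup", "psexec", "hr-db", True),
          ev("2024-03-04T02:15:00", "svc-backup", "psexec", "fin-app", True)]
```

Running `detect(EVENTS, build_baseline(HISTORY))` flags nothing for the 10:00 robocopy run and eight findings for the 02:10-02:15 burst, the last of them "rapid-movement" once three distinct targets fall inside the window.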




(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Living-off-the-land is an identity problem before it is a malware problem. The article shows that the attacker’s advantage comes from operating inside trusted administrative pathways, not from exotic code execution. That means the security failure is not the presence of a process, but the inability to distinguish legitimate use from malicious use at the identity layer. Practitioners should treat this as a control visibility issue across IAM, PAM, and SOC domains.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That same research found that 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why identity-led detection still lags behind attacker tradecraft.

A question worth separating out:

Q: How can organisations reduce the impact of living-off-the-land activity?

A: Organisations can reduce impact by tightening privileged workflows, improving identity baselines, and making lateral movement visible across on-prem and cloud environments. The goal is to shorten the time between access and detection so an attacker cannot freely reuse legitimate tools for long enough to expand control or reach sensitive data.

👉 Read our full editorial: Living-off-the-land attacks expose the limits of identity observability


