IT Brief Australia - Technology news for CIOs & IT decision-makers

Study finds 84% of severe cyber incidents use LOTL methods

Wed, 4th Jun 2025

Bitdefender has released new research analysing 700,000 cybersecurity incidents to better understand the use of so-called 'living off the land' techniques (LOTL) by cybercriminals.

LOTL techniques involve attackers exploiting commonly used applications and utilities already present in target environments, making them particularly difficult to identify and prevent using conventional security measures.

According to the data collected by Bitdefender Labs, 84 per cent of major security incidents – defined as those with high severity – involved the use of LOTL binaries. This figure was corroborated by managed detection and response (MDR) data, which indicated that 85 per cent of incidents employed LOTL methods.

The research specifically highlights how attackers leverage widely used built-in Windows tools such as PowerShell, a Microsoft Windows command-line shell and scripting language, and Netsh, a network configuration utility. The most frequently abused tool was found to be netsh.exe, appearing in one-third of major attacks.

Bitdefender's team of several hundred security researchers conducted this foundational study as part of the development of GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. The company is sharing these initial findings in advance of a more comprehensive report.

"Attackers are demonstrably successful in evading traditional defences by expertly manipulating the very system utilities we trust and rely on daily – and threat actors operate with a confident assertion of undetectability. This stark reality demands a fundamental shift towards security solutions like Bitdefender's PHASR, which moves beyond blunt blocking to discern and neutralise malicious intent within these tools," the report stated.

The use of well-known tools such as powershell.exe, wscript.exe, and cscript.exe was common among both administrators and attackers. Notably, netsh.exe's prevalence among attackers was unexpected compared to its more typical use by administrators for network management, firewall configuration, and routing.

Other tools often targeted by attackers include reg.exe, used to query and modify Windows registry entries; csc.exe, the Microsoft C# Compiler; and rundll32.exe, which loads and executes functions from DLL files, frequently facilitating DLL sideloading attacks.

Some tools, such as mshta.exe, pwsh.exe, and bitsadmin.exe, were found to be used often by threat actors but rarely by administrators, presenting an additional challenge for traditional security monitoring, which tends to focus on more familiar administration tools.

The research also identified a subset of tools primarily used by developers, such as msbuild.exe and ngen.exe, that are less recognised by security monitoring systems focused only on administration binaries. Their legitimate use in development environments allows them to evade detection more easily.

Analysis also revealed that PowerShell was not used solely by administrators.

The study found that 96 per cent of organisations in the dataset legitimately utilise PowerShell, with activity detected on 73 per cent of endpoints. Many third-party applications were discovered invoking PowerShell code without any visible interface, blurring the distinction between routine and potentially malicious use.

A similar pattern was found with wmic.exe, an older management tool now largely superseded by PowerShell but still in use by third-party applications to gather system information, despite its planned deprecation by Microsoft.

Geographical comparisons demonstrated varying patterns in tool usage.

In the Asia-Pacific (APAC) region, PowerShell was present in only 53.3 per cent of organisations studied, contrasting with a rate of 97.3 per cent in the Europe-Middle East-Africa (EMEA) region. Conversely, use of reg.exe was higher in APAC compared with other regions.

The report noted the significance of such differences. It said, "This underscores the importance of nuanced understanding, as even tools appearing outdated or unused can be critical for specific functions and disabling them can cause unforeseen disruptions."

The findings directly informed the design of Bitdefender's PHASR technology, which adopts a targeted, behaviour-based approach to endpoint security. Rather than indiscriminately blocking entire utilities, PHASR analyses the actions performed within tools like powershell.exe, wmic.exe, or certutil.exe, and allows or blocks specific behaviours based on baseline use and known malicious patterns.

The report detailed PHASR's methodology: the technology monitors typical user and application behaviour on each endpoint, comparing ongoing activity with patterns characteristic of cyberattacks.

This allows for proactive blocking of suspicious actions without impeding legitimate business operations or requiring constant policy updates.
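As an added illustration of the baseline-and-compare idea described above (this is not Bitdefender's or PHASR's code; the host names, parent processes and events are constructed, and the tool sets are taken from the article's lists), a minimal triage routine over process-creation events:

```python
"""Baseline-vs-behaviour triage for living-off-the-land binaries.

Added example; not PHASR code. Events, host names and parent processes
are constructed for illustration.
"""
from collections import defaultdict

# Binaries the article reports as common for attackers but rare for admins.
RARE_FOR_ADMINS = {"mshta.exe", "pwsh.exe", "bitsadmin.exe"}
# LOTL binaries named in the article; only these are baselined at all.
LOLBINS = {"powershell.exe", "netsh.exe", "reg.exe", "csc.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "wmic.exe", "certutil.exe",
           "msbuild.exe", "ngen.exe"} | RARE_FOR_ADMINS

# Constructed learning-window events: (host, parent image, child image).
BASELINE_EVENTS = [
    ("host-a", "explorer.exe", "powershell.exe"),
    ("host-a", "svchost.exe", "netsh.exe"),
    ("host-a", "devenv.exe", "msbuild.exe"),
    ("host-b", "explorer.exe", "powershell.exe"),
    ("host-b", "inventoryagent.exe", "wmic.exe"),  # third-party app calling wmic
]
# Constructed live events to triage against that baseline.
NEW_EVENTS = [
    ("host-a", "explorer.exe", "powershell.exe"),   # seen in baseline: allow
    ("host-b", "unknownapp.exe", "powershell.exe"), # unseen parent: flag
    ("host-b", "inventoryagent.exe", "wmic.exe"),   # app's routine use: allow
    ("host-a", "explorer.exe", "bitsadmin.exe"),    # rarely legitimate: flag
    ("host-a", "notepad.exe", "notepad.exe"),       # not a LOLBin: ignore
]

def build_baseline(events):
    """Per host, the set of (parent, child) pairs seen for LOTL binaries."""
    baseline = defaultdict(set)
    for host, parent, child in events:
        if child.lower() in LOLBINS:
            baseline[host].add((parent.lower(), child.lower()))
    return baseline

def triage(events, baseline):
    """Return (host, parent, child, verdict) per event; no tool is blocked
    outright, only parent/child behaviour outside the host's baseline."""
    verdicts = []
    for host, parent, child in events:
        p, c = parent.lower(), child.lower()
        if c not in LOLBINS:
            verdict = "ignore"
        elif c in RARE_FOR_ADMINS:
            verdict = "flag:rare-for-admins"
        elif (p, c) in baseline.get(host, set()):
            verdict = "allow:baseline"
        else:
            verdict = "flag:new-parent"
        verdicts.append((host, parent, child, verdict))
    return verdicts
```

The point of the per-host baseline is that the same (parent, child) pair, such as a third-party agent invoking wmic.exe, can be routine on one endpoint and anomalous on another, which is why a global block list on the binary name alone is too blunt.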

Highlighting the threat posed by the use of trusted tools, the report quoted the leader of the Black Basta ransomware group, known as 'gg': "If we use standard utilities, we won't be detected... We never drop tools on machines."

Referring to this observation, the report stated, "The staggering 84 per cent prevalence of Living off the Land (LOTL) techniques in major attacks directly validates this adversary perspective."

The assessment of the ongoing challenge provided by these techniques was summarised as, "Attackers are demonstrably successful in evading traditional defences by expertly manipulating the very system utilities we trust and rely on daily – and threat actors operate with a confident assertion of undetectability."

"This stark reality demands a fundamental shift towards security solutions like Bitdefender's PHASR, which moves beyond blunt blocking to discern and neutralise malicious intent within these tools."
