05 June 2025
Drawing on an analysis of 700,000 attack cases, the research shows how attackers abuse legitimate, widely used system utilities (so-called living-off-the-land binaries) to evade detection, a significant challenge for traditional security defenses that key on unknown or dropped files.
The study, conducted by Bitdefender Labs and its team of hundreds of security researchers, examined how cybercriminals abuse common tools such as PowerShell and Netsh, as well as reg.exe, csc.exe, and rundll32.exe, to carry out malicious activity. Notably, netsh.exe appeared in approximately one-third of high-severity attacks, even though it is a routine tool for network administrators. The research also found that binaries traditionally associated with development environments, such as msbuild.exe and ngen.exe, are abused by threat actors and often go unnoticed because security products tuned to administrative utilities pay them less attention.
PowerShell emerged as the most versatile of these tools. 96% of organizations in the dataset use PowerShell, and PowerShell activity was observed on 73% of endpoints; the overwhelming majority of that activity is legitimate, and many third-party applications invoke PowerShell scripts silently, so routine management and malicious use look alike to a control that only watches for the binary itself. Similarly, wmic.exe, an older management tool that Microsoft has deprecated and is removing from Windows, remains in active use by third-party apps, further complicating detection.
Regional differences in tool usage patterns were also apparent. In the Asia-Pacific region, only 53.3% of organizations used PowerShell, compared with 97.3% in the Europe-Middle East-Africa region, and higher reliance on reg.exe was observed in APAC. These variations underscore the importance of nuanced security approaches that consider local operational contexts, as some tools, though outdated, remain vital for specific tasks.
The insights gained from this research directly informed the development of Bitdefender’s GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. Unlike traditional security measures that block entire utilities, PHASR employs a behaviour-based approach. It monitors typical activity patterns within tools like PowerShell, wmic.exe, or certutil.exe, and evaluates ongoing actions against baseline profiles and known malicious patterns. This targeted methodology enables the system to proactively block suspicious behaviours while allowing legitimate operations to proceed, reducing disruptions.
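The following is an added example, not Bitdefender's code or PHASR's rule set, that illustrates the baseline-plus-pattern idea behind the two preceding paragraphs: rather than blocking powershell.exe or netsh.exe outright, it learns which parent processes normally launch each utility on a host, then flags a launch that comes from an unseen parent or whose command line matches a publicly documented abuse pattern. The process-creation records are constructed for the example (in practice these fields come from Sysmon Event ID 1 or Security event 4688), as are the host name, the vendor agent, and the abuse patterns, which are illustrative rather than exhaustive.

```python
"""Baseline-aware LOLBin detection over constructed process-creation records.

Added example. The records, host, "vendoragent.exe" and the ABUSE_PATTERNS
table are constructed for illustration; this is not Bitdefender's detection
logic, only a minimal instance of the approach the article describes.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Utilities named in the article; only launches of these are evaluated.
LOLBINS = {"powershell.exe", "netsh.exe", "rundll32.exe", "certutil.exe",
           "wmic.exe", "msbuild.exe", "reg.exe", "csc.exe", "ngen.exe"}

# Command-line fragments associated with documented abuse (constructed list).
ABUSE_PATTERNS = {
    "powershell.exe": [r"-e(nc|ncodedcommand)?\s",
                       r"downloadstring|invoke-expression|\biex\b",
                       r"-w(indowstyle)?\s+hidden"],
    "netsh.exe": [r"\bportproxy\b", r"advfirewall\s+firewall\s+add", r"\badd\s+helper\b"],
    "rundll32.exe": [r"javascript:", r"comsvcs\.dll.*minidump"],
    "certutil.exe": [r"-urlcache", r"-decode"],
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],
    "reg.exe": [r"\bsave\s+hklm\\(sam|system|security)\b"],
    "msbuild.exe": [r"\\users\\.*\.(csproj|xml|proj)\b"],
}
_COMPILED = {img: [re.compile(p, re.I) for p in pats] for img, pats in ABUSE_PATTERNS.items()}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # basename, lower-cased
    image: str          # basename, lower-cased
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'host|parent image|image|command line' record."""
    host, parent, image, cmd = line.split("|", 3)
    return ProcessEvent(host.strip(), _basename(parent), _basename(image), cmd.strip())


class Baseline:
    """Per-host profile of which parent processes normally launch each utility."""

    def __init__(self, min_count: int = 2):
        self.min_count = min_count
        self._parents: dict[tuple[str, str], Counter] = defaultdict(Counter)

    def learn(self, ev: ProcessEvent) -> None:
        self._parents[(ev.host, ev.image)][ev.parent_image] += 1

    def parent_is_usual(self, ev: ProcessEvent) -> bool:
        # A parent counts as "usual" only after min_count observations, so one
        # stray launch during the learning window does not whitelist it.
        return self._parents[(ev.host, ev.image)][ev.parent_image] >= self.min_count


def build_baseline(lines: list[str]) -> Baseline:
    baseline = Baseline()
    for line in lines:
        baseline.learn(parse_event(line))
    return baseline


def evaluate(ev: ProcessEvent, baseline: Baseline) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means allow."""
    if ev.image not in LOLBINS:
        return []
    reasons = [f"command line matches abusive pattern /{p.pattern}/"
               for p in _COMPILED.get(ev.image, []) if p.search(ev.command_line)]
    if not baseline.parent_is_usual(ev):
        reasons.append(f"{ev.parent_image} is not a usual parent of {ev.image} on {ev.host}")
    return reasons


def run_detection(baseline_lines: list[str], new_lines: list[str]) -> list[tuple[ProcessEvent, list[str]]]:
    baseline = build_baseline(baseline_lines)
    alerts = []
    for line in new_lines:
        ev = parse_event(line)
        reasons = evaluate(ev, baseline)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed known-good records from one workstation: a third-party agent that
# silently runs PowerShell and WMIC, and an administrator using netsh from cmd.
_AGENT_PS = r"WS01|C:\Program Files\Vendor\vendoragent.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Program Files\Vendor\inventory.ps1"
_AGENT_WMIC = r"WS01|C:\Program Files\Vendor\vendoragent.exe|C:\Windows\System32\wbem\wmic.exe|wmic os get caption,version"
_ADMIN_NETSH = r"WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface ip show config"
BASELINE_LOG = [_AGENT_PS] * 3 + [_AGENT_WMIC] * 3 + [_ADMIN_NETSH] * 3

# Constructed new records to evaluate against that baseline.
NEW_EVENTS = [
    _AGENT_PS,                                     # agent's usual silent run: allowed
    r"WS01|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=443 connectaddress=10.0.0.5 connectport=3389",
    _ADMIN_NETSH,                                  # admin's usual netsh query: allowed
    r"WS01|C:\Program Files\Vendor\vendoragent.exe|C:\Windows\System32\wbem\wmic.exe|wmic /node:10.0.0.7 process call create notepad.exe",
]

if __name__ == "__main__":
    for ev, reasons in run_detection(BASELINE_LOG, NEW_EVENTS):
        print(f"ALERT {ev.host} {ev.parent_image} -> {ev.image}: {ev.command_line}")
        for r in reasons:
            print(f"    {r}")
```

Run as a script, the two baseline-conforming launches (the agent's inventory script and the admin's `netsh interface ip show config`) produce no alert, while the Word-spawned encoded PowerShell, the `netsh portproxy` pivot and the remote `wmic process call create` do. Note that the port proxy and the WMIC call come from their usual parents, so the per-parent baseline alone would have allowed them; the command-line patterns are what catch a trusted parent being misused, which is why both checks are needed. A production version would add more dimensions to the profile (signer of the parent, user, time of day, typical arguments) and would need a clean learning window, since anything the attacker ran while the baseline was built becomes "normal".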
The report emphasizes that cybercriminals are increasingly confident in their ability to operate undetected by exploiting trusted system utilities. Quoting a member of the notorious BlackBasta ransomware group, “If we use standard utilities, we won't be detected… We never drop tools on machines.” Such statements validate the significance of the study’s findings and highlight why traditional security solutions alone are insufficient.