Trusted tools become malware delivery routes — Arabian Post

Attackers are increasingly abusing legitimate system utilities and widely used administrative tools to deliver malware, move through networks and avoid detection, forcing security teams to rethink defences built mainly around blocking suspicious files.

The tactic, commonly described as “living off the land”, relies on trusted tools already present inside corporate environments. PowerShell, Windows Management Instrumentation, certutil, mshta, rundll32, regsvr32, scheduled tasks, remote monitoring software and JavaScript execution frameworks are being used to download payloads, run code in memory, create persistence, steal credentials and disable security controls.

The shift is significant because many of these utilities are essential to routine IT operations. Blocking them outright can disrupt business systems, while allowing unrestricted use gives intruders a ready-made route to operate under the cover of normal administration. Attackers are exploiting that ambiguity to reduce their malware footprint and shorten the time between initial access and deeper compromise.

Security investigations across 2025 and 2026 show a steady rise in malware-free and hands-on-keyboard intrusions, where attackers depend less on custom malicious files and more on credentials, scripts and trusted binaries. The pattern has appeared in ransomware operations, espionage campaigns, infostealer distribution, cloud intrusions and attacks against developers, government networks and managed service environments.

PowerShell remains one of the most frequently abused tools because it can execute commands remotely, fetch files, decode payloads and run scripts directly in memory. WMI is used for lateral movement, remote execution and persistence through event subscriptions. Certutil, a certificate management utility, can be repurposed to download or decode files. Mshta and rundll32 can launch malicious scripts or dynamic-link libraries while appearing to use ordinary Windows components.

Attackers also lean on legitimate remote access and administration tools after gaining entry. AnyDesk, ScreenConnect, Atera, TeamViewer, Zoho Assist, PsExec and similar platforms have been seen in intrusions where operators sought durable access without deploying easily detectable backdoors. These tools are not inherently malicious, but their misuse can give attackers interactive control, file transfer capability and a channel for lateral movement.

The technique has become more effective as businesses expand cloud services, remote work tools and software-as-a-service platforms. Adversaries increasingly use valid accounts, stolen session tokens and legitimate cloud management utilities to blend with expected user behaviour. Once inside, they may use Microsoft 365 tools, Azure PowerShell, AWS command-line interfaces, Google Drive, GitHub or other trusted platforms for command-and-control, data staging or payload delivery.

Cybercriminal groups have paired these methods with social engineering and search manipulation. Campaigns impersonating popular tools such as PuTTY, WinSCP, Ghidra and other software used by developers and security professionals have pushed malicious installers through fake websites and poisoned search results. Once installed, loaders can deploy infostealers, clippers or remote access malware while using standard Windows processes to maintain persistence.

Ransomware operators benefit from the same approach. Instead of immediately deploying encryption malware, affiliates often enter through stolen credentials, exploit exposed remote services, run reconnaissance with native commands, disable backups, escalate privileges and exfiltrate data before launching the final payload. That sequence makes early detection harder because many actions resemble legitimate troubleshooting or administrative work.

Espionage groups have also adopted the model. State-linked actors targeting government, telecommunications, technology and critical infrastructure networks have used trusted binaries, cloud storage services and standard administrative channels to avoid triggering conventional alerts. The objective is often long-term access rather than rapid disruption, making quiet use of normal tools particularly valuable.

The operational advantage for attackers is clear. Traditional antivirus systems are strongest when they can inspect suspicious files, known malware signatures or unusual executable behaviour. Living-off-the-land activity shifts the problem toward context: who launched the tool, from where, at what time, with which parameters, against which system, and whether the behaviour fits that user’s role.

Defenders are responding by placing more emphasis on behavioural analytics, endpoint detection and response, identity security, script logging, application control and stronger monitoring of command-line activity. PowerShell transcription, constrained language mode, signed script policies, WMI event monitoring, tighter privilege controls and alerts for abnormal use of remote management tools are becoming central parts of enterprise defence.
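The contextual questions above (who launched the tool, from which parent process, with which parameters, and whether that fits the account's role) can be turned into a simple triage score over process-creation events. The following is an added example, not code from the article or any vendor: the account baseline, parent-process list and sample events are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    user: str      # account that launched the process
    image: str     # executable name
    parent: str    # parent process name
    cmdline: str   # full command line as logged

# Constructed baselines (assumptions): accounts expected to run admin tooling,
# and parent processes that should not normally spawn such tooling.
ADMIN_USERS = {"corp\\helpdesk01", "corp\\svc_backup"}
OFFICE_AND_BROWSERS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "wmic.exe", "schtasks.exe"}

# Parameter patterns that turn a trusted utility into a download, decode or
# hidden/in-memory execution stage.
PARAM_RULES = {
    "remote_url": re.compile(r"https?://", re.I),
    "encoded_or_hidden_ps": re.compile(
        r"(^|\s)-(e|enc|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile)\b", re.I),
    "certutil_decode": re.compile(r"\s-decode\b", re.I),
}

def score_event(ev: ProcEvent):
    """Return (score, reasons). Only events involving a trusted binary are scored."""
    if ev.image.lower() not in LOLBINS:
        return 0, []
    score, reasons = 1, [f"trusted binary {ev.image}"]
    if ev.parent.lower() in OFFICE_AND_BROWSERS:          # from where?
        score += 3; reasons.append(f"spawned by {ev.parent}")
    if ev.user.lower() not in ADMIN_USERS:                 # does it fit the role?
        score += 2; reasons.append(f"{ev.user} is not an admin account")
    for name, rx in PARAM_RULES.items():                   # with which parameters?
        if rx.search(ev.cmdline):
            score += 2; reasons.append(name)
    return score, reasons

def triage(events, threshold=4):
    """Events at or above the threshold, highest score first."""
    hits = [(ev, *score_event(ev)) for ev in events]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcEvent("CORP\\helpdesk01", "powershell.exe", "explorer.exe", "powershell.exe Get-Service -Name spooler"),
    ProcEvent("CORP\\jdoe", "certutil.exe", "winword.exe", "certutil.exe https://example.invalid/update.dat"),
    ProcEvent("CORP\\jdoe", "rundll32.exe", "explorer.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent("CORP\\svc_backup", "powershell.exe", "explorer.exe", "powershell.exe -File C:\\Scripts\\fetch.ps1 https://backup.example.invalid/manifest"),
]
```

Only the certutil event launched from Word by a non-admin account crosses the threshold; the same tools run by expected accounts from expected parents stay below it, which is the baseline the article says many organisations still lack.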

Security teams are also moving toward zero-trust access models, where valid credentials alone are not enough to justify sensitive activity. Multi-factor authentication, device health checks, least-privilege administration, just-in-time access and stronger controls over service accounts can limit the damage when attackers obtain passwords or tokens.

The challenge is not merely technical. Many organisations still lack clear baselines for normal administrative behaviour, especially across hybrid cloud and remote work environments. Without that baseline, defenders struggle to distinguish a helpdesk technician repairing a system from an intruder using the same tool to stage an attack.
