Your IT stack is the enemy: How 84% of attacks evade detection by turning trusted tools against you


It’s 3:37 am on a Sunday in Los Angeles, and one of the leading financial services firms on the West Coast is experiencing the second week of a living-off-the-land (LOTL) attack. A nation-state cyberattack squad has targeted the firm’s pricing, trading and valuation algorithms for cryptocurrency gain. Using common tools, the nation state has penetrated the firm’s infrastructure and is slowly weaponizing it for its own gain.

According to CrowdStrike’s 2025 Global Threat Report, nearly 80% of modern attacks, including those in finance, are now malware-free, relying on adversaries exploiting valid credentials, remote monitoring tools and administrative utilities, with breakout times that are sometimes under a minute.

No one in the SOC or across the cybersecurity leadership team suspects anything is wrong. But there are unmistakable signals that an attack is underway.

The upsurge in credential theft, business email compromise and exploit of zero-day vulnerabilities is creating the ideal conditions for LOTL attacks to proliferate. Bitdefender’s recent research found that 84% of modern attacks use LOTL techniques, bypassing traditional detection systems. In nearly 1 in 5 cases, attackers increasingly aided by automation and streamlined toolkits exfiltrated sensitive data within the first hour of compromise.

LOTL-based tactics now account for the majority of modern cyber intrusions, with advanced persistent threats (APTs) often lingering undetected for weeks or months before hackers exfiltrate valuable data, according to IBM’s X-Force 2025 Threat Intelligence Index.

The financial repercussions are staggering. CrowdStrike’s 2025 threat research puts the average cost of ransomware-related downtime at $1.7 million per incident, which can balloon to $2.5 million in the public sector. For industry leaders, the stakes are so high that security budgets now rival those of core profit centers.

Your most trusted tools are an attacker’s arsenal

"These are the tools that you cannot disable because your administrators are using them, your applications are using them, your [employees] are using them, but attackers [are using them, too]," Martin Zugec, technical solutions director at Bitdefender, said at RSAC-2025 earlier this year. "You cannot disable them because you will impact the business."

CrowdStrike’s 2025 report confirms that adversaries routinely exploit utilities such as PowerShell, Windows Management Instrumentation (WMI), PsExec, Remote Desktop Protocol (RDP), Microsoft Quick Assist, Certutil, Bitsadmin, MSBuild and more to persist inside enterprises and evade detection. LOTL tools of the trade leave no digital exhaust, making it extremely difficult to spot an attack in progress.

“Threat actors increasingly exploit techniques such as bring your own vulnerable driver (BYOVD) and LOTL to disable endpoint detection and response (EDR) agents and conceal malicious activity within legitimate system operations," Gartner notes in a recent report. "By leveraging common OS tools, such as PowerShell, MSHTA and Certutil, they complicate detection and hide in the noise of EDR alerts."

CrowdStrike’s ransomware survey reveals that 31% of ransomware incidents begin with the misuse of legitimate remote monitoring and management tools, proving that even enterprise IT utilities are rapidly weaponized by attackers.

The documented realities in CrowdStrike's reports corroborate the industry's deeper research: The IT stack itself is now the attack vector, and those relying on traditional controls and signature-based detection are dangerously behind the curve.

Behavioral clues hiding in plain sight

Adversaries who rely on LOTL techniques are notorious for their patience.

Attacks that once required malware and attention-grabbing exploits have given way to a new norm: Adversaries blending into the background, using the very administrative and remote management tools security teams depend on.

As Bitdefender's Zugec pointed out: “We are mostly seeing that the playbook attackers use works so well they just repeat it at scale. They don’t break in, they log in. They don’t use new malware. They just use the tools that already exist on the network.”

Zugec described a textbook LOTL breach: No malware, no new tools. BitLocker, PowerShell, common admin scripts; everything looked routine until the files were gone and no one could trace it back. That’s where threat actors are winning today.

Adversaries are using normality as their camouflage. Many of the admins’ most trusted and used tools are the very reason LOTL attacks have scaled so quickly and quietly. Zugec is brutally honest: “It has never been as easy to get inside the network as it is right now.” What was once a breach of perimeter is now a breach by familiarity, invisible to legacy tools and indistinguishable from routine administration.

CrowdStrike’s 2025 Global Threat Report captures the scale of this phenomenon in numbers that should command every board’s attention. The report’s authors write: “In 2024, 79% of detections CrowdStrike observed were malware-free [a significant rise from 40% in 2019], indicating adversaries are instead using hands-on-keyboard techniques that blend in with legitimate user activity and impede detection. This shift toward malware-free attack techniques has been a defining trend over the past five years."

The report’s researchers also found that breakout times for successful attacks continue to shrink; the average is just 48 minutes, the fastest 51 seconds.

Zugec’s advice for defenders working in this new paradigm is blunt and pragmatic. “Instead of just chasing something else, figure out how we can take all these capabilities that we have, all these technologies, and make them work together and fuel each other.” The first step: “Understanding your attack surface. Just getting familiar with how the attackers operate, what they do, not five weeks ago, but right now, should be the first step.”

He urges teams to learn what normal looks like inside their own environment and use this baseline to spot what’s truly out of place, so defenders stop chasing endless alerts and start responding only when it matters.

Take complete ownership of your tech stack now

LOTL attacks don’t just exploit trusted tools and infrastructure; they also take advantage of an organization’s culture and its day-to-day ability to compete.

Staying secure means making constant vigilance a core value, backed by zero trust and microsegmentation as cultural anchors. These are just the first steps. Consider the NIST Zero Trust Architecture (SP 800-207) as an organizational backbone and playbook to tackle LOTL head-on:

Limit privileges now on all accounts and delete long-standing accounts for contractors that haven’t been used in years: Apply least-privilege access across all admin and user accounts to stop attackers from escalating.

Enforce microsegmentation: Divide your network into secure zones; this will help confine attackers, limit movement and shrink the blast radius if something goes wrong.

Harden tool access and audit who is using them: Restrict, monitor and log PowerShell, WMI and other utilities. Use code signing, constrained language modes and limit access to trusted personnel.

Adopt NIST zero trust principles: Continuously verify identity, device hygiene and access context as outlined in SP 800-207, making adaptive trust the default.

Centralize behavioral analytics and logging: Use extended monitoring to flag unusual activities with system tools before an incident escalates.

Deploy adaptive detection, especially if an existing platform can scale to provide it at minimal added cost: Employ EDR/XDR to hunt for suspicious patterns, especially when attackers use legitimate tools in ways that sidestep traditional alerting.

Red team regularly: Actively test defenses with simulated attacks and know how adversaries misuse trusted tools to penetrate routine security.

Elevate security awareness and make it muscle memory: Train users and admins on LOTL methods, social engineering and what subtle signals betray compromise.

Update and inventory: Maintain application inventories, patch known vulnerabilities and conduct frequent security audits.
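The baseline idea that runs through Zugec’s advice and the logging and analytics steps above (learn what normal looks like for system-tool use, then flag only what is out of place) can be expressed in a few lines. The following is an added example, not code from the article or from any vendor it cites; the process-creation records, account names and parent processes are constructed, and the field names (user, parent, image) are assumed.

```python
from collections import defaultdict

# Built-in utilities the article names as commonly abused in LOTL intrusions.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe", "certutil.exe",
              "bitsadmin.exe", "mshta.exe", "msbuild.exe"}

def build_baseline(events):
    """Per (user, tool) pair seen in a known-good period, record the parents that launched it."""
    baseline = defaultdict(set)
    for e in events:
        tool = e["image"].lower()
        if tool in LOTL_TOOLS:
            baseline[(e["user"].lower(), tool)].add(e["parent"].lower())
    return baseline

def find_deviations(baseline, events):
    """Return (event, reason) pairs for tool launches that break the baseline; other images are ignored."""
    findings = []
    for e in events:
        tool = e["image"].lower()
        if tool not in LOTL_TOOLS:
            continue
        parents = baseline.get((e["user"].lower(), tool))
        if parents is None:
            findings.append((e, "no baseline: this account has never run this tool"))
        elif e["parent"].lower() not in parents:
            findings.append((e, f"unusual parent process: {e['parent']}"))
    return findings

def ev(user, parent, image):  # builder for the constructed records below
    return {"user": user, "parent": parent, "image": image}

BASELINE_EVENTS = [  # constructed known-good week: admin automation, ordinary sessions
    ev("svc_admin", "cmd.exe", "powershell.exe"),
    ev("svc_admin", "powershell.exe", "psexec.exe"),
    ev("svc_backup", "backup.exe", "bitsadmin.exe"),
    ev("jdoe", "explorer.exe", "powershell.exe"),
]

NEW_EVENTS = [  # constructed later window: two routine launches, two worth a look
    ev("svc_backup", "backup.exe", "bitsadmin.exe"),   # matches baseline
    ev("jdoe", "explorer.exe", "powershell.exe"),       # matches baseline
    ev("jdoe", "winword.exe", "certutil.exe"),          # account never ran this tool
    ev("svc_admin", "wscript.exe", "psexec.exe"),       # known tool, unexpected parent
]

def run_check():
    """Apply the constructed baseline to the later window; returns the two flagged launches."""
    return find_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
```

The point is the quiet output: the four records produce two findings and no alert for the routine launches, which is the signal-to-noise shift the article argues for.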

Bottom line: The financial services firm referenced at the beginning of this story eventually recovered from its LOTL attack. Today, its models, the CI/CD process for AI development and gen AI R&D are managed by a team of cybersecurity managers with decades of experience locking down U.S. Department of Defense sites and vaults.

LOTL attacks are real, growing, lethal and require a new mindset by everyone in cybersecurity.
