Living off the Land (LotL) Attacks
- FEBRUARY 18TH, 2026
- 2min read
Living off the Land (LotL) attacks occur when threat actors misuse legitimate tools already present within a system to perform malicious activity. Rather than deploying traditional malware, attackers leverage trusted administrative utilities to blend into normal operations and evade detection.
In 2026, threat actors exploited vulnerabilities in SolarWinds Web Help Desk to gain unauthorised access to systems and installed legitimate administrative and monitoring tools to evade detection.
How LotL Attacks Work
Attackers typically:
1. Gain initial access through phishing, stolen credentials, or exposed services
2. Use built-in tools (e.g., PowerShell, WMI, remote administration utilities)
3. Escalate privileges and move laterally across systems
4. Establish persistence, exfiltrate data, or deploy ransomware
These actions often resemble normal administrative activity, making detection more difficult.
Why It Matters
LotL techniques are frequently observed in ransomware incidents, business email compromise (BEC), insider threats, and advanced persistent threat (APT) campaigns.
Because the activity relies on legitimate system tools, organisations must prioritise visibility, monitoring, and access control rather than attempting to block tools outright.
Risk Factors
Organisations face increased risk if they:
1. Allow excessive administrative privileges
2. Lack centralised logging and monitoring
3. Do not enforce multi-factor authentication (MFA)
4. Have weak password or credential management practices
Recommended Best Practices
1. Strengthen Access Controls: Enforce multi-factor authentication (MFA), apply least-privilege principles, and regularly review privileged accounts.
2. Enhance Monitoring: Implement centralised logging, monitor administrative tool usage, and establish alerts for unusual behaviour patterns.
3. Harden Systems: Restrict unnecessary administrative utilities, disable unused services, and apply security patches promptly.
4. Promote User Awareness: Conduct regular phishing awareness training and encourage prompt reporting of suspicious activity.
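As an added illustration of the monitoring practice above (example code, not from this advisory or CIL), the script below scores constructed Windows process-creation events for the LotL signals the text names: encoded PowerShell, WMI remote process creation, remote administration utilities, and admin tooling launched by accounts outside an approved list. The admin allow-list, hostnames, accounts and alert threshold are all assumptions.

```python
"""Added example (not code from the CIL advisory): scoring process-creation
events for Living-off-the-Land misuse of built-in administrative tools.
Field layout (user, parent image, image, command line) mirrors Windows 4688 /
Sysmon event fields; every event, host and account below is constructed."""
import re

# Assumed allow-list of accounts approved to run administrative tooling.
ADMIN_ACCOUNTS = {"CORP\\it-admin"}
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe", "certutil.exe"}
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
ALERT_THRESHOLD = 3  # sum of rule weights at which an event becomes an alert

# Constructed sample events: (user, parent image, image, command line)
SAMPLE_EVENTS = [
    ("CORP\\alice", "outlook.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ("CORP\\svc-help", "cmd.exe", "wmic.exe",
     'wmic /node:FILESRV01 process call create "cmd /c whoami"'),
    ("CORP\\bob", "explorer.exe", "powershell.exe",
     "powershell.exe Get-ChildItem C:\\Users\\bob\\Documents"),
    ("CORP\\it-admin", "cmd.exe", "psexec.exe",
     "psexec.exe \\\\WS0042 -s cmd.exe"),
]

def score_event(user, parent, image, cmdline):
    """Return (score, reasons) for one event; a higher score is more LotL-like."""
    reasons = []
    low = cmdline.lower()
    if image in ADMIN_TOOLS and user not in ADMIN_ACCOUNTS:
        reasons.append((1, "admin tool run by account outside admin allow-list"))
    if parent in OFFICE_PARENTS and image in ADMIN_TOOLS:
        reasons.append((2, "admin tool spawned by an Office application"))
    # -e, -ec, -en, -enc are accepted abbreviations of -EncodedCommand
    if image == "powershell.exe" and re.search(r"(^|\s)-e(ncodedcommand|nc|n|c)?\s", low):
        reasons.append((2, "encoded PowerShell command line"))
    if image == "wmic.exe" and "/node:" in low and "process call create" in low:
        reasons.append((2, "remote process creation via WMI"))
    if image == "psexec.exe" and "\\\\" in cmdline:
        reasons.append((2, "remote execution via PsExec"))
    return sum(w for w, _ in reasons), [msg for _, msg in reasons]

def find_alerts(events, threshold=ALERT_THRESHOLD):
    """Return {user: reasons} for every event whose score reaches the threshold."""
    alerts = {}
    for user, parent, image, cmdline in events:
        score, reasons = score_event(user, parent, image, cmdline)
        if score >= threshold:
            alerts[user] = reasons
    return alerts

if __name__ == "__main__":
    for user, reasons in find_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {'; '.join(reasons)}")
```

With the constructed events, only the Office-spawned encoded PowerShell and the remote WMI process creation by a non-admin account reach the threshold; an ordinary interactive PowerShell session and an approved administrator's PsExec use do not.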