Bitdefender Labs research reveals ‘persistent and widespread’ use of trusted system tools in most significant security incidents


Martin Zugec, Technical Solutions Director, Bitdefender, on how analysing 700,000 security incidents helped in the understanding of Living Off the Land tactics

Findings from internal Bitdefender Labs research into Living off the Land (LOTL) techniques reveal adversaries’ persistent and widespread use of trusted system tools in most significant security incidents.

“While this research was primarily for our internal development efforts, we believe these initial insights from Bitdefender Labs are valuable for broader understanding and we are sharing them now, ahead of a more comprehensive report,” said Martin Zugec, Technical Solutions Director, Bitdefender.

Researchers analysed 700,000 security incidents from the Bitdefender GravityZone platform along with telemetry data (legitimate usage) from the last 90 days.

Security incidents were not simple alerts, but correlated events – with the whole chain of commands analysed to identify how frequently attackers are using LOTL binaries.

Overall, 84% of major attacks (incidents with high severity) involved the use of LOTL binaries.

For validation, researchers also examined Bitdefender’s MDR data and found a consistent trend: 85% of incidents involved LOTL techniques.

“What was quite visible immediately is that the tools popular with attackers are also very popular with administrators. The usual suspects like powershell.exe, wscript.exe and cscript.exe were all present,” said Martin Zugec.

“However, one of the more surprising findings was that netsh.exe was the most frequently abused tool, appearing in one-third of major attacks. While checking firewall configurations is a logical initial step for attackers, this clearly demonstrates how data analysis can spotlight trends that human operators might instinctively disregard,” he said.

Researchers found the popularity of tools among attackers often reflected their popularity with legitimate administrators.

This general trend held true for the most part, but some notable exceptions appeared. Specifically, threat actors leverage tools like mshta.exe, pwsh.exe and bitsadmin.exe but administrators rarely use them.

While most LOLBins are very familiar to those experienced in system administration, there is another category of abused tools that is not so well understood. These tools, such as csc.exe, msbuild.exe (Microsoft Build Engine), or ngen.exe (.NET Native Image Generator), are primarily used by developers and can fly under the radar of security monitoring focused solely on traditional system administration binaries.
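The analysis the article describes (count the high-severity incidents whose correlated command chain touches a LOLBin, then set each tool's prevalence in attacks against its prevalence in legitimate telemetry so that tools like mshta.exe, bitsadmin.exe and the developer binaries stand out) can be reproduced on a small scale. The following is an added example, not Bitdefender's code or data: the incidents, the per-organisation telemetry and the command lines are constructed, the tool lists contain only the binaries the article names, and the thresholds in `flag_rare_legit` are arbitrary choices for the illustration.

```python
"""Toy LOTL prevalence analysis in the spirit of the article's method.

Constructed example: a handful of correlated incidents, each carrying the full
chain of command lines seen, plus per-organisation telemetry of tools in normal
use. We count how many high-severity incidents involve a LOLBin anywhere in the
chain, then compare each tool's prevalence in attacks with its legitimate prevalence.
"""
import ntpath

# Binaries named in the article; the admin/developer split follows the article's
# categorisation and is not an exhaustive LOLBin inventory.
ADMIN_LOLBINS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "netsh.exe",
    "mshta.exe", "bitsadmin.exe", "wmic.exe", "reg.exe",
}
DEVELOPER_LOLBINS = {"csc.exe", "msbuild.exe", "ngen.exe"}
LOLBINS = ADMIN_LOLBINS | DEVELOPER_LOLBINS

# Constructed incidents: severity plus the ordered chain of command lines.
# Paths containing spaces are quoted, as Windows itself records them.
INCIDENTS = [
    {"id": 1, "severity": "high", "chain": [
        r"C:\Windows\System32\netsh.exe advfirewall show allprofiles",
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File C:\Temp\run.ps1']},
    {"id": 2, "severity": "high", "chain": [
        r"C:\Windows\System32\mshta.exe C:\Temp\page.hta",
        r"C:\Windows\System32\bitsadmin.exe /list /allusers"]},
    {"id": 3, "severity": "high", "chain": [
        r"C:\Windows\System32\wbem\wmic.exe os get caption",
        r"C:\Windows\System32\reg.exe query HKLM\Software\Example"]},
    {"id": 4, "severity": "high", "chain": [
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Temp\build.proj",
        r"C:\Windows\System32\netsh.exe interface show interface"]},
    # A dropped binary rather than a system tool: counts as a non-LOTL incident.
    {"id": 5, "severity": "high", "chain": [r"C:\Users\bob\AppData\Local\Temp\update.exe /silent"]},
    {"id": 6, "severity": "low", "chain": [r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-Date"]},
    {"id": 7, "severity": "low", "chain": [r'"C:\Program Files\Vendor\agent.exe" --heartbeat']},
]

# Constructed legitimate telemetry: tools observed in normal use, per organisation.
TELEMETRY = {
    "org-a": {"powershell.exe", "netsh.exe", "wmic.exe", "reg.exe", "wscript.exe"},
    "org-b": {"powershell.exe", "netsh.exe", "reg.exe"},
    "org-c": {"powershell.exe", "wmic.exe", "cscript.exe"},
    "org-d": {"powershell.exe", "netsh.exe", "mshta.exe"},
}


def image_name(cmdline: str) -> str:
    """Return the lower-cased executable file name from a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):  # quoted path: take everything up to the closing quote
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split()[0] if cmdline else ""
    return ntpath.basename(exe).lower()


def tools_in_chain(chain) -> set:
    """LOLBins appearing anywhere in an incident's command chain."""
    return {image_name(c) for c in chain} & LOLBINS


def lotl_share(incidents, severity="high") -> float:
    """Fraction of incidents at the given severity involving at least one LOLBin."""
    subset = [i for i in incidents if i["severity"] == severity]
    hits = sum(1 for i in subset if tools_in_chain(i["chain"]))
    return hits / len(subset) if subset else 0.0


def prevalence(incidents, telemetry, severity="high") -> dict:
    """Per tool: (share of incidents at `severity` using it, share of orgs using it legitimately)."""
    subset = [i for i in incidents if i["severity"] == severity]
    if not subset or not telemetry:
        return {}
    out = {}
    for tool in LOLBINS:
        attack = sum(1 for i in subset if tool in tools_in_chain(i["chain"])) / len(subset)
        legit = sum(1 for used in telemetry.values() if tool in used) / len(telemetry)
        if attack or legit:
            out[tool] = (attack, legit)
    return out


def flag_rare_legit(prev, min_attack=0.2, max_legit=0.25) -> list:
    """Tools seen in at least `min_attack` of attacks but legitimately used by few orgs.
    Developer-oriented binaries are flagged whenever they appear in attacks at all,
    because admin-focused monitoring tends to overlook them."""
    flagged = []
    for tool, (attack, legit) in prev.items():
        if tool in DEVELOPER_LOLBINS and attack > 0:
            flagged.append(tool)
        elif attack >= min_attack and legit <= max_legit:
            flagged.append(tool)
    return sorted(flagged)


if __name__ == "__main__":
    print(f"high-severity incidents involving LOTL: {lotl_share(INCIDENTS):.0%}")
    for tool, (a, l) in sorted(prevalence(INCIDENTS, TELEMETRY).items()):
        print(f"{tool:16} attacks={a:.0%} legitimate={l:.0%}")
    print("review candidates:", flag_rare_legit(prevalence(INCIDENTS, TELEMETRY)))
```

On this constructed data four of the five high-severity incidents involve a LOLBin, netsh.exe is the most common tool in attacks while also being in wide legitimate use, and the review candidates come out as bitsadmin.exe, msbuild.exe and mshta.exe: the combination of attack prevalence and low legitimate prevalence is what makes a tool worth a tighter detection rule, not its presence in attacks alone.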

Another unexpected observation was the widespread use of PowerShell.exe in business environments.

“While nearly 96% of organisations in our dataset legitimately utilise PowerShell, our initial expectation was that its execution would be limited primarily to administrators. To our surprise, we detected PowerShell activity on a staggering 73% of all endpoints. Further investigation revealed that PowerShell is frequently invoked not only by administrators (and their pesky logon/logoff scripts), but also by third-party applications running PowerShell code without a visible interface.”

Researchers saw a similar pattern emerge with wmic.exe. This tool, popular around the year 2000, has largely been superseded by PowerShell for administrative purposes – and is slated for decommissioning by Microsoft.

“However, we were surprised to find its regular usage across many workstations. Analysing the data, it became clear that wmic.exe is still commonly employed by a multitude of third-party applications to gather system information,” said Martin Zugec.
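The practical consequence of the PowerShell and wmic.exe observations is that endpoint coverage alone says little; what separates an administrator, a logon script and a third-party agent is the parent process. The following added example (not Bitdefender's code or data) builds that parent-process baseline over constructed process-creation events shaped like the Image, ParentImage and CommandLine fields of a Sysmon Event ID 1 record. The endpoint names, the agent binaries and the lists of interactive and logon-script parents are assumptions for the illustration.

```python
"""Parent-process baselining for PowerShell and wmic.exe launches.

Constructed example: one row per process launch. A fleet-wide agent that runs
PowerShell or wmic.exe on many endpoints is legitimate background noise; an
application parent seen launching the tool on only one endpoint is the launch
that deserves a human look.
"""
from collections import Counter, defaultdict

# Assumed parent lists: a person at a console, or a logon/logoff script.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
LOGON_SCRIPT_PARENTS = {"gpscript.exe", "userinit.exe"}

# Constructed process-creation events (endpoint, image, parent image, command line).
EVENTS = [
    {"id": 1, "endpoint": "ws01", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe"},
    {"id": 2, "endpoint": "ws02", "image": "powershell.exe", "parent": "gpscript.exe",
     "cmdline": r"powershell.exe -File \\dc01\netlogon\logon.ps1"},
    {"id": 3, "endpoint": "ws03", "image": "powershell.exe", "parent": "backupagent.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Get-Volume"},
    {"id": 4, "endpoint": "ws04", "image": "powershell.exe", "parent": "backupagent.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Get-Volume"},
    {"id": 5, "endpoint": "ws05", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\x.ps1"},
    {"id": 6, "endpoint": "ws06", "image": "powershell.exe", "parent": "backupagent.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Get-Volume"},
    {"id": 7, "endpoint": "ws06", "image": "wmic.exe", "parent": "inventoryagent.exe",
     "cmdline": "wmic.exe os get caption"},
    {"id": 8, "endpoint": "ws07", "image": "wmic.exe", "parent": "inventoryagent.exe",
     "cmdline": "wmic.exe os get caption"},
    # An endpoint with no PowerShell or wmic activity at all.
    {"id": 9, "endpoint": "ws08", "image": "notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe"},
]


def endpoint_coverage(events, tool) -> float:
    """Share of all endpoints on which `tool` was launched at least once."""
    endpoints = {e["endpoint"] for e in events}
    seen = {e["endpoint"] for e in events if e["image"].lower() == tool}
    return len(seen) / len(endpoints) if endpoints else 0.0


def classify_parent(parent) -> str:
    """interactive, logon_script or application, based on the parent image."""
    p = parent.lower()
    if p in INTERACTIVE_PARENTS:
        return "interactive"
    if p in LOGON_SCRIPT_PARENTS:
        return "logon_script"
    return "application"


def launches_by_category(events, tool) -> Counter:
    """How often `tool` is launched interactively, by logon scripts, or by applications."""
    return Counter(classify_parent(e["parent"]) for e in events if e["image"].lower() == tool)


def parent_profile(events, tool) -> dict:
    """Map each parent image to the number of distinct endpoints where it launched `tool`."""
    per_parent = defaultdict(set)
    for e in events:
        if e["image"].lower() == tool:
            per_parent[e["parent"].lower()].add(e["endpoint"])
    return {parent: len(eps) for parent, eps in per_parent.items()}


def review_queue(events, tool, min_endpoints=2) -> list:
    """IDs of launches whose parent is an application seen on fewer than `min_endpoints`
    endpoints. Fleet-wide agents clear this bar; a one-off parent does not."""
    profile = parent_profile(events, tool)
    return [e["id"] for e in events
            if e["image"].lower() == tool
            and classify_parent(e["parent"]) == "application"
            and profile[e["parent"].lower()] < min_endpoints]


if __name__ == "__main__":
    for tool in ("powershell.exe", "wmic.exe"):
        print(f"{tool}: on {endpoint_coverage(EVENTS, tool):.0%} of endpoints, "
              f"launches {dict(launches_by_category(EVENTS, tool))}, "
              f"review {review_queue(EVENTS, tool)}")
```

Here PowerShell appears on three quarters of the endpoints, but only one launch is interactive and one comes from a logon script; the rest belong to a backup agent present on three machines, and the single launch queued for review is the one whose parent is an Office process on one endpoint. The wmic.exe launches all come from an inventory agent seen on two endpoints, which is exactly the third-party usage the article warns would break if the binary were simply blocked.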

Geographical analysis also revealed intriguing differences in tool usage. For example, PowerShell.exe showed a notably lower presence in APAC (Asia-Pacific), at just 53.3% of organisations in Bitdefender’s dataset. This stands in sharp contrast to EMEA, where the analysis indicated a much higher adoption rate of 97.3%.

Conversely, while PowerShell usage was lower in APAC, reg.exe was more frequently present in this region compared to all other geographical areas.

“This underscores the importance of nuanced understanding as even tools appearing outdated or unused can be critical for specific functions and disabling them can cause unforeseen disruptions,” said Martin Zugec.

The research references the words of ‘gg’, the BlackBasta ransomware group leader, to chillingly underscore the central challenge revealed: “If we use standard utilities, we won’t be detected… We never drop tools on machines.”

“The staggering 84% prevalence of LOTL techniques in major attacks directly validates this adversary perspective.

“Attackers are demonstrably successful in evading traditional defences by expertly manipulating the very system utilities we trust and rely on daily – and threat actors operate with a confident assertion of undetectability. This stark reality demands a fundamental shift towards security solutions which move beyond blunt blocking to discern and neutralise malicious intent within these tools,” said Zugec.

Intelligent CISO