{
	"id": "a608b69f-5ba1-497a-b1a2-31cd8479c8ac",
	"created_at": "2026-04-06T00:08:57.900937Z",
	"updated_at": "2026-04-10T13:11:21.873855Z",
	"deleted_at": null,
	"sha1_hash": "7646a2ebf2ee74d22fba69070af88c13b1753247",
	"title": "How analyzing 700,000 security incidents helped our understanding of Living Off the Land tactics - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170181,
	"plain_text": "How analyzing 700,000 security incidents helped our\r\nunderstanding of Living Off the Land tactics - Help Net Security\r\nBy Help Net Security\r\nPublished: 2025-07-01 · Archived: 2026-04-05 20:18:33 UTC\r\nThis article shares initial findings from internal Bitdefender Labs research into Living off the Land (LOTL)\r\ntechniques. Our team at Bitdefender Labs, comprised of hundreds of security researchers with close ties to\r\nacademia, conducted this analysis as foundational research during the development of our GravityZone Proactive\r\nHardening and Attack Surface Reduction (PHASR) technology.\r\nThe results reveal adversaries’ persistent and widespread use of trusted system tools in most significant security\r\nincidents. While this research was primarily for our internal development efforts, we believe these initial insights\r\nfrom Bitdefender Labs are valuable for broader understanding, and we are sharing them now, ahead of a more\r\ncomprehensive report.\r\nData analysis and initial findings\r\nTo figure out exactly how common LOTL binaries are, we analyzed 700,000 security incidents from our\r\nBitdefender GravityZone platform along with telemetry data (legitimate usage) from the last 90 days. Security\r\nincidents were not simple alerts, but correlated events, and we analyzed the whole chain of commands to identify\r\nhow frequently attackers are using LOTL binaries. The result? 84% of major attacks (incidents with high severity)\r\ninvolved the use of LOTL binaries. For validation, we also examined our MDR data and found a consistent trend:\r\n85% of incidents involved LOTL techniques.\r\nThe most abused tool? Netsh.exe\r\nWhile LOTL tools are a well-covered topic (including our tech explainer), most prior analysis has been based on\r\nexperience, not hard data. We based our analysis on the frequency of tool usage, instead of how much damage\r\nthey could cause. 
We were hoping to discover binaries that are frequently abused yet rarely used for legitimate\r\npurposes.\r\nWhat was quite visible immediately is that the tools popular with attackers are also very popular with\r\nadministrators. The usual suspects like powershell.exe, wscript.exe, and cscript.exe were all present. However, one\r\nof the more surprising findings was that netsh.exe was the most frequently abused tool, appearing in one-third of\r\nmajor attacks. While checking firewall configurations is a logical initial step for attackers, this clearly\r\ndemonstrates how data analysis can spotlight trends that human operators might instinctively disregard.\r\n1. Netsh.exe – Administrators use this command-line utility for management of network configuration, including\r\nfirewalls, interfaces, and routing.\r\nhttps://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/\r\nPage 1 of 4\n\n2. PowerShell.exe – Often referred to as the “Swiss Army Knife” of Windows management, PowerShell is a\r\nversatile command-line shell and scripting language.\r\n3. Reg.exe – This command-line tool allows administrators to query, change, add, or remove registry entries, and\r\nthreat actors frequently use it to establish persistence.\r\n4. Csc.exe – The Microsoft C# Compiler is a command-line tool for compiling C# source code into executable\r\nassemblies (.exe files) or dynamic link libraries (.dll files).\r\n5. Rundll32.exe – This system utility loads and executes functions exported from DLL files. Often used for DLL\r\nsideloading attacks.\r\nAs mentioned earlier, the popularity of tools among attackers often reflects their popularity with legitimate\r\nadministrators. This general trend held true for the most part, but some notable exceptions appeared. 
Specifically,\r\nthreat actors leverage tools like mshta.exe, pwsh.exe, and bitsadmin.exe but administrators rarely use them.\r\nWhile most LOLBins are very familiar to those experienced in system administration, there is another category of\r\nabused tools that is not so well understood. These tools, such as csc.exe, msbuild.exe (Microsoft Build Engine), or\r\nngen.exe (.NET Native Image Generator), are primarily used by developers, and can fly under the radar of\r\nsecurity monitoring focused solely on traditional system administration binaries.\r\nAn example of MSBuild.exe abuse from our Unfading Sea Haze research\r\nThe temptation of simple solutions\r\nOur research revealed another unexpected observation: The widespread use of PowerShell.exe in business\r\nenvironments. While nearly 96% of organizations in our dataset legitimately utilize PowerShell, our initial\r\nexpectation was that its execution would be limited primarily to administrators. To our surprise, we detected\r\nPowerShell activity on a staggering 73% of all endpoints. Further investigation revealed that PowerShell is\r\nfrequently invoked not only by administrators (and their pesky logon/logoff scripts), but also by third-party\r\napplications running PowerShell code without a visible interface.\r\nA similar pattern emerged with wmic.exe. This tool, popular around the year 2000, has largely been superseded by\r\nPowerShell for administrative purposes – and is slated for decommissioning by Microsoft. However, we were\r\nsurprised to find its regular usage across many workstations. Analyzing the data, it became clear that wmic.exe is\r\nstill commonly employed by a multitude of third-party applications to gather system information.\r\nGeographical analysis also revealed intriguing differences in tool usage. 
For example, PowerShell.exe showed a\r\nnotably lower presence in APAC (Asia-Pacific), at just 53.3% of organizations in our dataset. This stands in sharp\r\ncontrast to EMEA, where our analysis indicated a much higher adoption rate of 97.3%. Conversely, while\r\nPowerShell usage was lower in APAC, reg.exe was more frequently present in this region compared to all other\r\ngeographical areas.\r\nThis underscores the importance of nuanced understanding, as even tools appearing outdated or unused can be\r\ncritical for specific functions and disabling them can cause unforeseen disruptions.\r\nYou can’t live with them, you can’t live without them\r\nThe LOTL reality that we “can’t live with them, and can’t live without them” directly informed the development\r\nof our Bitdefender GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology.\r\nRecognizing the inherent risks and potential for disruption in simply blocking these essential tools, PHASR adopts\r\na more nuanced and intelligent approach: individualized endpoint hardening through action-based control.\r\nPHASR goes beyond blocking entire tools: it also monitors and stops the specific actions attackers use within\r\nthem. By analyzing the behavior of processes like powershell.exe, wmic.exe, or certutil.exe, PHASR distinguishes\r\nmalicious intent from legitimate use. For instance, PHASR allows PowerShell to execute regular scripts while\r\nproactively blocking its attempts to run encrypted commands or tamper with critical system configurations.\r\nConsider WMIC.exe again. Instead of blocking the entire tool, which could disrupt legitimate operations, PHASR\r\ndifferentiates between its legitimate use for system information retrieval and its abuse for lateral movement or\r\nprocess manipulation. 
This action-level blocking, combined with the layered analysis of user and attacker\r\nbehavior, enables tailored protection without business disruption.\r\nPHASR’s effectiveness lies in its architecture, which incorporates hundreds of granular rules informed by known\r\nattacker playbooks and our extensive threat intelligence. The engine continuously learns by establishing a baseline\r\nof typical user and application behavior on each endpoint. This learned behavior is then constantly compared\r\nagainst known malicious patterns and emerging threats. Intelligent analysis allows PHASR to not only detect and\r\nreport suspicious activity but also to proactively block access to specific tools or even parts of their functionality\r\nwhen their use deviates from the established baseline and aligns with malicious indicators. This proactive blocking\r\noccurs seamlessly, without requiring constant manual policy adjustments or fine-tuning, ensuring robust protection\r\nagainst even novel LOTL attacks.\r\nConclusion\r\nThe words of “gg,” the BlackBasta ransomware group leader, chillingly underscore the central challenge revealed\r\nby our analysis of 700,000 security incidents. “If we use standard utilities, we won’t be detected… We never drop\r\ntools on machines.” The staggering 84% prevalence of Living off the Land (LOTL) techniques in major attacks\r\ndirectly validates this adversary perspective.\r\nAttackers are demonstrably successful in evading traditional defenses by expertly manipulating the very system\r\nutilities we trust and rely on daily—and threat actors operate with a confident assertion of undetectability. 
This\r\nstark reality demands a fundamental shift towards security solutions like Bitdefender’s PHASR, which moves\r\nbeyond blunt blocking to discern and neutralize malicious intent within these tools.\r\nSource: https://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/"
	],
	"report_names": [
		"bitdefender-lotl-security-incidents-phasr"
	],
	"threat_actors": [
		{
			"id": "f51de4ba-d3f5-4df7-ab5a-034b32584e48",
			"created_at": "2024-06-20T02:02:10.208158Z",
			"updated_at": "2026-04-10T02:00:04.960754Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "ETDA:Unfading Sea Haze",
			"tools": [
				"DustyExfilTool",
				"EtherealGh0st",
				"FluffyGh0st",
				"InsidiousGh0st",
				"Ps2dllLoader",
				"SerialPktdoor",
				"SharpJSHandler",
				"SharpZulip",
				"SilentGh0st",
				"Stubbedoor",
				"TranslucentGh0st",
				"xkeylog"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cd48e0e6-b206-478d-bcb4-198be54bdf7a",
			"created_at": "2024-06-07T02:00:04.002734Z",
			"updated_at": "2026-04-10T02:00:03.644376Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "MISPGALAXY:Unfading Sea Haze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7646a2ebf2ee74d22fba69070af88c13b1753247.pdf",
		"text": "https://archive.orkl.eu/7646a2ebf2ee74d22fba69070af88c13b1753247.txt",
		"img": "https://archive.orkl.eu/7646a2ebf2ee74d22fba69070af88c13b1753247.jpg"
	}
}