Logstail
← Back to blog
Hackers prefer your legitimate tools over malware
SecuritySOARSOCTechnologyVulnerability

July 10, 2026

Attackers Love Legitimate Tools More Than Malware

Attackers actually prefer your legitimate software over Malware

Ask someone how hackers break into computers.

You’ll probably hear the same answers: Viruses, Ransomware, Trojans, or mysterious hacking software.

The reality is often much less dramatic—and in practice, far more difficult to spot. Modern attackers increasingly rely on the same software businesses use every day. Instead of deploying obvious malware, they steal passwords, abuse built-in Windows tools, send convincing phishing emails, and hide inside trusted applications that are already installed on your computer.

This approach, known as Living Off the Land (LOTL), has become a defining characteristic of modern intrusions. In fact, CISA and its international cybersecurity partners recently published dedicated guidance on identifying and mitigating LOTL techniques, noting that threat actors routinely abuse legitimate system tools to blend into normal activity and evade detection.

What are Living Off the Land attacks?

Living Off the Land (LOTL) attacks rely on the software and tools already installed on a system rather than custom malware. Windows includes dozens of legitimate administrative utilities designed for troubleshooting, automation, and system management. In the hands of an attacker, however, those same tools can be abused for reconnaissance, persistence, credential access, lateral movement, and even data exfiltration—all while blending into normal system activity. Because attackers leverage trusted software that is already present on the system, these techniques are known as Living Off the Land.

If not malware, what tools do hackers usually deploy?

In reality, the most abused tools by cyberattackers are all common tools that constantly run in any everyday desktop. Attackers don’t actually deploy anything, they instead abuse existing software. The most common LOTL tools are considered to be Netsh.exe, Powershell.exe, Reg.exe, Csc.exe and Rundll32.exe . All tools your computer typically trusts.

Of course, to exploit such tools, attackers first need a way in. More often than not, this LOTL attack doesn’t begin with PowerShell or a command prompt. It begins with a convincing phishing email or a carefully crafted social engineering campaign. For instance, they will deploy a fake Microsoft login page, a malicious invoice attachment, or a password reset notification to steal valid credentials. Instead of breaking through the front door, attackers prefer blending into everyday activity. Users should follow a secure code of conduct to minimize this attack vector.

Once inside, attackers rarely need to introduce suspicious software. Built-in Windows utilities (like the aforementioned Netsh, or Reg) already provide powerful capabilities for executing commands, modifying config, managing firewall rules, or running scripts. Since system admins and IT teams use these tools every day, security products cannot simply block or flag every execution. Instead, defenders must determine whether the tool is behaving normally—or carrying out commands that don’t fit the context.

Furthermore, attackers don’t limit themselves to Windows utilities. They also abuse trusted business software that organizations rely on every day. Remote access platforms like TeamViewer, AnyDesk, and Remote Desktop can provide an easy way to maintain access to compromised systems. Likewise, cloud services such as Microsoft 365, OneDrive, and SharePoint can help attackers distribute phishing emails, and acquire sensitive documents without standing out from legitimate business traffic.

Why are these attacks so difficult to detect?

The effectiveness of Living Off the Land attacks lies in their ability to blend into legitimate system activity. Rather than introducing a suspicious executable, attackers execute commands through software that is already trusted by the operating system and routinely used by administrators. From the perspective of a security solution, seeing PowerShell, Reg.exe, or Netsh.exe launch is not unusual—the challenge is determining whether those tools are performing legitimate administrative tasks or malicious ones.

This also exposes one of the limitations of traditional signature-based detection. Security teams have long relied on executable hashes and OSINT threat intelligence to quickly identify known malware. However, legitimate Windows binaries always produce legitimate hashes. Looking up the hash of PowerShell.exe or Netsh.exe in an OSINT platform simply confirms that the file is authentic—not whether an attacker is abusing it.

As a result, detecting LOTL attacks depends far more on context than on file reputation. Instead of asking “Is this executable malicious?”, defenders must ask “Is this legitimate tool behaving in a legitimate way?”. That shift from identifying bad files to identifying suspicious behavior is what makes Living Off the Land attacks one of the most persistent challenges for modern Security Operations Centers.

How to detect LOTL attacks

LOTL Attacks fall into the following main categories:

Process creation (Windows / Sysmon)

  • Unusual parent-child relationships (e.g., winword.exepowershell.exe).
  • Native Windows binaries (powershell.exe, cmd.exe, rundll32.exe, etc.) executed outside their normal context.
  • Encoded, obfuscated, or download-and-execute PowerShell commands.

Authentication & privilege events

  • Administrative tools launched after remote logins or unexpected privilege elevation.
  • Legitimate utilities followed by lateral movement or privileged activity.

Persistence & system changes

  • Native tools creating scheduled tasks, services, or Run keys.
  • Security settings or registry modified immediately after suspicious execution.

Network activity

  • PowerShell or other Windows utilities connecting to unusual or first-seen destinations.
  • Outbound connections inconsistent with the parent application’s normal behavior.

Behavioural context

  • Activity outside normal software installation or administrative workflows.
  • Multiple low-severity events forming a chain of suspicious behavior.

Protecting yourself from LOTL attacks using Logstail

Investigating attacks with Logstail

Using Logstail’s SOAR & SIEM platform which you can find on Logstail’s Security Suite you can setup up your own detection alerts & rules to capture LOTL attacks.

In Logstail’s SOAR module, you can seamlessly review LOTL alerts and perform context-rich investigations to find suspicious behavior, as well as automate Playbook responses. One alert is never enough to spot a LOTL attack. In the following live-example, we notice suspicious PowerShell spawns and executions.

Logstail SOAR interface allows us to instantly review this same alert in Logstail’s SIEM with the click of one button.

We can quickly notice some very important pointers.

The process executes a simple inventory command  Get-AppxPackage This is launched from an HP Support Assistant installation directory, runs under the SYSTEM account as part of a legitimate service, and is not followed by suspicious network activity or persistence mechanisms. As long as this isn’t followed by behavior, we are already almost certain that this is not a LOTL attack.

Logstail’s Automated Response to an LOTL Attack

These alerts can trigger automatic response Playbooks that can quarantine, isolate and remediate the attack in real-time. Your playbooks can either utilize standardized imports or user-customized designs. You can make such Playbooks on Logstail’s Playbook Builder.

In this example, we want to look for critical Remote Powershell session instances. An alert from our current ruleset monitors is a critical severity “Malicious Powershell Commandlets – Scriptblock”. Considering that this alert has been well tuned to minimize false positives, it is not expected to trigger on legitimate service-related PowerShell activity, such as network discovery scripts (e.g. SSDPSRV discovering UPnP devices when connecting to printers or smart TVs) executed under svchost.exe. This is an appropriate trigger node condition for our Playbook.

Once that alert is collected by the SIEM and passed to SOAR, an automated email notification and an isolation of the endpoint will automatically take place. This way we ensure that nothing of utmost threat like data exfiltration will ever materialize, since the device will be isolated from the network by Logstail’s Playbook.

This will create a complete SOAR workflow which will automatically respond to threats and alert you in real time whenever the behavioral analysis matches the attack.

Conclusion

Logstail’s software detection solutions combat one of the most common misconception about cybersecurity: that every major breach begins with specialized malware. In reality, many of today’s attackers achieve their objectives by combining stolen credentials, social engineering, and the same trusted tools that organizations use every day. Malware still plays a significant role in modern cyberattacks, but it is increasingly only one part of a much larger intrusion, one that won’t stand out as dangerous.

For defenders, this shift reinforces an important lesson. Security is no longer just about blocking malicious files—it’s about understanding how legitimate tools should behave and recognizing when that behavior changes. Organizations should employee strong detection solutions, like Logstail’s SIEM/SOAR platform and establish a strong security hygiene: Least-privilege access, Phishing awareness, and Behavioral monitoring. After all, if cybercriminals continue to hide in plain sight, the ability to distinguish normal activity from malicious intent becomes one of the most valuable defenses a security team can have.

Contact Our Experts or Sign Up for Free