The Rise of Living-off-the-Land Attacks in Enterprise Networks

Sophisticated attackers have largely given up on smuggling exotic malware into corporate networks. Endpoint detection tools catch most of it, signature databases update faster than attackers can rotate their toolkits, and the operational cost of staying ahead has grown steadily. The smart move now is to use what is already there.
Why It Works
PowerShell, WMI, PsExec, certutil, regsvr32, mshta, scheduled tasks, and the various Sysinternals tools all have legitimate purposes, which makes their misuse harder to detect. The endpoint agent that flags an unknown binary running from a temp directory may happily ignore powershell.exe doing exactly the same work.
Common Techniques
Encoded PowerShell commands run in memory without ever touching disk in a meaningful way. WMI event subscriptions provide persistence that survives reboots and most cleanup attempts. Certutil downloads files from arbitrary URLs while leaving fewer traces than curl or wget. Scheduled tasks created with specific privileges become long-lived backdoors.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“The living-off-the-land techniques I use during engagements rarely require anything custom. Built-in Windows tooling, used in slightly unusual ways, completes most attack chains without triggering signature-based detection.”
Detection Through Behaviour
Effective detection focuses on the behaviour rather than the tools. PowerShell with encoded commands, command-line arguments containing base64 strings, parent-child chains that put administrative tools under unusual parents, and any tool reaching out to LDAP from an unusual workstation all stand out from legitimate activity.
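The behavioural signals listed above, as an added example in Python that is not part of the original article: it scores constructed process-creation records for encoded PowerShell (decoding the payload for the analyst), raw base64 in command lines, and administrative tools running under unusual parents. The tool list, parent list and sample records are assumptions to be tuned against your own estate's baseline.

```python
import base64
import re
from dataclasses import dataclass

# Assumed baselines (not from the article): the tools it names, and parents under which they rarely run legitimately.
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe", "regsvr32.exe", "mshta.exe"}
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe"}
ENC_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}   # accepted spellings of -EncodedCommand
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")     # a long run of base64 characters


@dataclass
class ProcessEvent:  # fields shared by Sysmon Event ID 1 and Security Event ID 4688 records
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line: str):
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) if present and well formed."""
    tokens = command_line.split()
    enc = [val for flag, val in zip(tokens, tokens[1:]) if flag.lower() in ENC_FLAGS]
    try:
        return base64.b64decode(enc[0], validate=True).decode("utf-16le") if enc else None
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcessEvent):
    """Behavioural findings for one event; an empty list means nothing stood out."""
    findings = []
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        findings.append(f"encoded PowerShell, decodes to: {decoded!r}")
    elif any(B64_RUN.match(tok) for tok in ev.command_line.split()):
        findings.append("long base64 string in command line")
    if image in ADMIN_TOOLS and parent in UNUSUAL_PARENTS:
        findings.append(f"admin tool {image} spawned by unusual parent {parent}")
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    ProcessEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS, f"powershell.exe -enc {ENCODED}"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\certutil.exe", "certutil.exe <args omitted>"),
]


def run_samples():  # score every sample; only the scheduled backup job (first record) should come back clean
    return [score_event(ev) for ev in SAMPLE_EVENTS]
```

In production the same scoring would run over events pulled from Sysmon or the Security log rather than the inline samples, and the decoded script text is what an analyst reviews rather than a trigger on its own.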
Application Control as Prevention
Microsoft’s AppLocker and Windows Defender Application Control both provide ways to restrict which executables can run and how. Properly configured, they block many living-off-the-land techniques by limiting access to the underlying tools, or by preventing specific dangerous patterns.
PowerShell Logging Has Improved
Modern PowerShell versions support comprehensive logging of script blocks, transcripts of every session, and detailed records of module loading. Most environments do not enable this logging by default, which leaves a major detection gap.
What to Do This Quarter
Audit PowerShell logging configuration across your estate. Enable comprehensive logging where it is currently off. Review your endpoint detection rules for behavioural patterns rather than file signatures. Consider deploying application control policies, even in audit mode initially.