UPDATED 04:00 EST / JUNE 03 2025

SECURITY

Bitdefender report finds 84% of major attacks now involve legitimate tools

A new report out today from Bitdefender Labs, the research arm of cybersecurity company S.C. Bitdefender SRL, has found that 84% of major security incidents now involve the use of legitimate system tools, a tactic known as “Living off the Land” (LOTL).

The report, based on a study of 700,000 security incidents, reveals that nearly all major security incidents involve the use of trusted binaries, tools and utilities already present in enterprise environments. Further validation from Bitdefender’s Managed Detection and Response service confirmed the trend, with 85% of high-severity incidents featuring LOTL techniques.

The tool found to be most frequently used by attackers was netsh.exe, a standard Windows utility for managing network configurations, which appeared in one-third of major attacks. Behind it came familiar tools such as powershell.exe, reg.exe, cscript.exe and rundll32.exe, all utilities administrators rely on but that attackers have learned to turn to their own ends.

While some of the tools being exploited are well known, the report also finds that attackers are turning to lesser-known tools, such as sc.exe, msbuild.exe and ngen.exe, that are primarily used by developers. Use of such tools was found to escape detection more often because they fall outside the scope of typical security monitoring.

Bitdefender Labs argues that this dual-use nature, essential functionality combined with exploitation potential, creates a serious challenge for defenders, who are tasked with maintaining operational stability while ensuring robust security.

Making the situation even more complex, regional analysis found significant differences in tool usage practices. PowerShell.exe, for example, was found in 97.3% of organizations in Europe, the Middle East and Africa, but was much less prevalent in the Asia-Pacific region, where it appeared in only 53.3% of cases. Conversely, reg.exe use was found to be higher in APAC than in any other region, highlighting differing behaviors that can affect how security controls are implemented.

Added to the mix is the need to distinguish legitimate activity from LOTL behavior. Tools like PowerShell and wmic.exe were commonly invoked not just by administrators but also by third-party applications executing embedded code, complicating the task of discerning what is legitimate use and what is not.
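The detection problem described above, baselining which parent processes normally launch each tool so that routine administrator and third-party application use is not flagged, is illustrated by the following added example. It is not code from Bitdefender or from the report; the watch list is the set of binaries the article names, while the baseline of expected parent processes, the host names and the process-creation events are all constructed for the example (a real baseline would be learned from an organization's own telemetry, which is also where the per-organization prevalence figures the report discusses come from).

```python
"""Baseline-driven triage of process-creation events for living-off-the-land binaries.

Added example (not Bitdefender's code). The events, hosts and baseline below are constructed.
"""
from dataclasses import dataclass

# Binaries the report names as frequently abused, plus wmic.exe, which the article also mentions.
LOTL_BINARIES = {
    "netsh.exe", "powershell.exe", "reg.exe", "cscript.exe", "rundll32.exe",
    "sc.exe", "msbuild.exe", "ngen.exe", "wmic.exe",
}

# Hypothetical per-organization baseline: parent images that normally launch each tool.
# In production this is learned from weeks of telemetry; these values are constructed.
BASELINE_PARENTS = {
    "powershell.exe": {"explorer.exe", "cmd.exe", "svchost.exe"},
    "msbuild.exe": {"devenv.exe", "dotnet.exe"},
    "ngen.exe": {"mscorsvw.exe"},
    "reg.exe": {"cmd.exe", "setup.exe"},
    "netsh.exe": {"cmd.exe", "services.exe"},
    "rundll32.exe": {"svchost.exe", "explorer.exe"},
    "cscript.exe": {"cmd.exe", "explorer.exe"},
    "sc.exe": {"cmd.exe", "services.exe"},
    # A third-party installer that embeds WMI calls, the kind of legitimate use the article notes.
    "wmic.exe": {"cmd.exe", "installer-helper.exe"},
}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: ProcessEvent):
    """Return an alert string for a watched tool launched outside its baseline, else None."""
    image = basename(event.image)
    if image not in LOTL_BINARIES:
        return None  # not a watched tool
    parent = basename(event.parent_image)
    if parent in BASELINE_PARENTS.get(image, set()):
        return None  # matches the baseline: routine admin or application use
    return f"{event.host}: {image} launched by unexpected parent {parent} as {event.user}"


def prevalence(events):
    """Fraction of hosts on which each watched tool ran at least once."""
    hosts = {e.host for e in events}
    seen = {}
    for e in events:
        img = basename(e.image)
        if img in LOTL_BINARIES:
            seen.setdefault(img, set()).add(e.host)
    return {tool: len(h) / len(hosts) for tool, h in seen.items()}


# Constructed sample telemetry: five hosts, seven process-creation events.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent("ws-02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\bob"),
    ProcessEvent("build-01", r"C:\Program Files\Microsoft Visual Studio\MSBuild\msbuild.exe",
                 r"C:\Program Files\Microsoft Visual Studio\devenv.exe", r"CORP\dev-svc"),
    ProcessEvent("ws-03", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
                 r"C:\Users\carol\AppData\Local\Temp\update.exe", r"CORP\carol"),
    ProcessEvent("ws-01", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    ProcessEvent("ws-04", r"C:\Windows\System32\wbem\wmic.exe",
                 r"C:\Program Files\Vendor\installer-helper.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("ws-03", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", r"CORP\carol"),
]


def run_triage(events=SAMPLE_EVENTS):
    """Alerts for every event in the sample that falls outside the baseline."""
    return [alert for alert in (triage(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_triage():
        print(alert)
    for tool, share in sorted(prevalence(SAMPLE_EVENTS).items()):
        print(f"{tool}: seen on {share:.0%} of hosts")
```

Of the seven constructed events only two are flagged: PowerShell spawned by a word processor and MSBuild spawned from a temporary directory. The developer's MSBuild launch, the administrator's reg.exe and the vendor installer's wmic.exe all match the baseline and stay silent, which is the point of baselining rather than blocking these tools outright. The prevalence figures show why a baseline has to be per organization: a tool present on 40% of hosts in one estate may be on nearly all of them in another, as the report's regional numbers for PowerShell illustrate.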

“Attackers are demonstrably successful in evading traditional defenses by expertly manipulating the very system utilities we trust and rely on daily and threat actors operate with a confident assertion of undetectability,” the researchers write. “This stark reality demands a fundamental shift towards security solutions like Bitdefender’s PHASR, which moves beyond blunt blocking to discern and neutralize malicious intent within these tools.”

Image: SiliconANGLE/Reve
