FortaRisks

Living off the land (LOLBins)

Living off the land refers to a technique where the attacker uses the legitimate tools already present on the system (PowerShell, WMI, admin utilities) rather than bringing their own malware. By blending into normal activity, they evade defenses based on detecting malicious files.

Updated on July 2, 2026

What is living off the land?

Living off the land is an approach in which the attacker relies on the target environment's already-installed, legitimate tools rather than dropping their own malicious programs. They use the same utilities as system administrators: command shells, remote management tools, built-in scripts.

The appeal for the attacker is twofold: they leave few artifacts on disk, and their activity looks like that of a legitimate administrator, which makes it hard to distinguish from normal administrative activity.

Why it matters for your organization

This technique defeats defenses centered on recognizing malware. There is no suspicious file to spot, no known signature to block: the attacker borrows tools you cannot simply remove, because they are needed for administration.

The consequence is a shift in defensive paradigm: detection must move from "which file" to "which behavior". That is exactly the shift the MITRE ATT&CK framework structures, by cataloguing adversary behavior as tactics and techniques rather than as file signatures.

How to reduce the risk

  • Behavioral detection: spot abnormal use of legitimate tools.
  • Least privilege: limit who can run PowerShell, WMI or admin tools.
  • Advanced logging: enable detailed logs (scripts, command lines).
  • Application control: govern the execution of sensitive interpreters and utilities.

Where organizations most often fall short

The main pitfall is relying on traditional antivirus, blind to these attacks since no malware is dropped. The other mistake is not logging admin-tool activity enough: without those traces, post-incident investigation becomes very hard, and real-time detection impossible.

Frequently asked questions

What are LOLBins?

LOLBins stands for Living Off the Land Binaries: legitimate operating-system executables and scripts abused by attackers. PowerShell, WMI, PsExec or certutil are common examples. Because they are normal, signed tools, their mere presence is not suspicious, which complicates detection.

How do you detect a living-off-the-land attack?

Not by looking for malicious files, which do not exist here, but by analyzing behavior: an admin tool used at an unusual time, by an account that never uses it, or in an abnormal sequence. Behavioral detection and MITRE ATT&CK mapping are essential here.
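The three behavioral signals named above (unusual time, an account that never uses the tool, an abnormal parent/child sequence) as a small baseline-and-flag detector run over constructed process-creation events. This is an added illustration, not code from FortaRisks; the event fields, the business-hours window and the use of wmic.exe to stand in for "WMI" are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs): process-creation events reduced to
# the fields a Sysmon Event ID 1 or Windows 4688 record would give us.
BASELINE_EVENTS = [  # a period of known-normal admin activity: who runs what
    {"ts": "2026-06-24T09:05:00", "user": "ops-admin", "image": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2026-06-25T14:30:00", "user": "ops-admin", "image": "wmic.exe", "parent": "cmd.exe"},
    {"ts": "2026-06-26T10:15:00", "user": "svc-backup", "image": "powershell.exe", "parent": "services.exe"},
]
NEW_EVENTS = [  # the window under review
    {"ts": "2026-07-01T10:00:00", "user": "ops-admin", "image": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2026-07-01T02:41:00", "user": "j.doe", "image": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2026-07-01T11:20:00", "user": "j.doe", "image": "certutil.exe", "parent": "cmd.exe"},
    {"ts": "2026-07-01T11:00:00", "user": "j.doe", "image": "notepad.exe", "parent": "explorer.exe"},
]

LOLBINS = {"powershell.exe", "wmic.exe", "psexec.exe", "certutil.exe"}  # tools named on the page
BUSINESS_HOURS = range(8, 19)  # assumed local working hours, 08:00 to 18:59
# An interpreter spawned by a document-handling app is an abnormal parent/child sequence.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

def learn_baseline(events):
    """Map each LOLBin to the set of accounts that normally run it."""
    users_by_tool = defaultdict(set)
    for e in events:
        image = e["image"].lower()
        if image in LOLBINS:
            users_by_tool[image].add(e["user"].lower())
    return users_by_tool

def flag_events(events, baseline):
    """Return (ts, user, image, reasons) for each LOLBin use that breaks the baseline."""
    findings = []
    for e in events:
        image = e["image"].lower()
        if image not in LOLBINS:
            continue  # only the legitimate admin tools are in scope here
        reasons = []
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["user"].lower() not in baseline.get(image, set()):
            reasons.append("account-never-used-tool")
        if e["parent"].lower() in DOCUMENT_APPS:
            reasons.append("spawned-by-document-app")
        if reasons:
            findings.append((e["ts"], e["user"], image, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_events(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(finding)
```

The routine admin use of PowerShell passes silently, while the same binary launched at 02:41 by an account with no history of it, from a Word process, collects all three reasons; the detector sees the binary as normal and the behavior as not.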
