Living Off the Land
An attack technique where adversaries use legitimate, pre-installed system tools rather than custom malware to carry out malicious activities, making detection harder.
Also known as: LotL, fileless attack, living-off-the-land attack
Last reviewed: 1 June 2026
Living off the land (LotL) attacks exploit the tools that are already present on a target system — scripting engines such as PowerShell, Windows Management Instrumentation (WMI), built-in command-line utilities, and standard administrative frameworks. Because these tools are trusted and commonly used for legitimate purposes, their misuse blends into normal system activity and evades signature-based security tools that look for known malicious files.
An attacker using LotL techniques might use PowerShell to download further instructions, leverage WMI to schedule persistent tasks, use built-in network utilities to map internal systems, or exploit scripting engines to exfiltrate data — all without ever dropping a custom malware binary to disk. This dramatically lowers the attacker's footprint and increases the difficulty of forensic attribution.
Defenders counter LotL by monitoring process behaviour and scripting activity with endpoint detection and response (EDR) tools, applying application whitelisting, and using anomaly-based detection that flags unusual use of legitimate utilities rather than relying on known-bad file signatures.
Examples
- An attacker who compromises a corporate laptop runs encoded PowerShell commands to harvest credentials and move laterally — no custom malware file is ever written to disk.
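
The behaviour-based detection described above, as an added example that is not part of the original glossary entry: a Python triage pass over process-creation events that decodes PowerShell `-EncodedCommand` arguments and flags unusual parent processes. The event field names, the parent-process list and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Constructed sample process-creation events (not taken from a real host).
_ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {_ENC}"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumption: parents that rarely launch a shell on this fleet; tune per environment.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# A switch (-x or /x) followed by a value made only of base64 characters.
FLAG_VALUE = re.compile(r"(?<!\S)[-/](\w+)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    for m in FLAG_VALUE.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts abbreviations such as -e, -enc and -ec.
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:
                return "<undecodable>"
    return None

def triage(event):
    """Return the reasons a script-host launch deserves analyst review."""
    if event["image"].lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append(f"encoded command: {decoded}")
    if event["parent"].lower() in UNUSUAL_PARENTS:
        reasons.append(f"unusual parent: {event['parent']}")
    if re.search(r"(?<!\S)[-/]w\w*\s+hidden", event["cmdline"], re.I):
        reasons.append("hidden window")
    return reasons

def scan(events):
    """Return (cmdline, reasons) for every event with at least one reason."""
    return [(e["cmdline"], r) for e in events if (r := triage(e))]
```

Encoded commands also appear in legitimate administration, so the decoded script and the parent process are surfaced together for an analyst rather than treated as a verdict.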