What is Living Off The Land (LotL)?

Living Off The Land (LotL) is an attack technique in which legitimate, built-in tools or software on a system are abused for malicious purposes. By doing so, attackers can hide within normal system behaviour and evade detection.

In OT environments, LotL is especially dangerous because systems often have weak logging and monitoring, and tools such as PowerShell or PsExec are available by default.

🧠 Characteristics of LotL attacks

| Characteristic | Explanation |
|---|---|
| Uses legitimate software | No malware required, only standard tools |
| Difficult to detect | Activity resembles normal use |
| Often used by APTs | For persistence, lateral movement and data theft |
| Abuses trusted processes | Such as scripts, system services or admin tools |

⚙️ Commonly used LotL tools

| Tool | Description |
|---|---|
| PowerShell | Automation tool, often used for downloads and command execution |
| WMI | For lateral movement and process management |
| PsExec | Microsoft tool for remote command execution |
| certutil | Abused for file transfer or decoding |
| RDP | Remote desktop access without additional software |
| schtasks / at | Time-scheduled persistent payloads |
| BITSAdmin | Data exfiltration via Background Intelligent Transfer Service |

🔐 Examples in an OT context

| Scenario | Explanation |
|---|---|
| Downloading PLC configurations via script | PowerShell used to copy project files to an external server |
| Staff account abused for login | RDP with legitimate credentials, no malware involved |
| Setting up a backdoor with schtasks | Attack software is reactivated daily |
| Historian exfiltration via WMI | Historical data is sent outside the network through trusted services |

🛡️ Security measures against LotL

| Measure | Explanation |
|---|---|
| Application whitelisting | Block tools such as PowerShell or WMI unless explicitly required |
| Logging & SIEM | Detect anomalous use of system tools |
| Least privilege | Restrict who is allowed to use these tools |
| EDR | Recognise behavioural patterns rather than only known malware |
| Security awareness | Operators recognise suspicious scripts or processes |
| Network segmentation | Limit where these tools can establish connections |

✅ Best practices

  • Disable PowerShell where it is not required, or restrict it via Group Policy
  • Monitor use of cmd.exe, powershell.exe, wscript.exe, mshta.exe, etc.
  • Use code signing and patch management to limit abuse
  • Establish a behavioural baseline for each system so that deviations can be spotted quickly
  • Use anomaly detection for lateral movement or unusual scripting activity

📌 In summary

Living Off The Land attacks are difficult to detect because they install nothing “suspicious”. Especially in OT, strong restrictions, logging and awareness are needed to prevent abuse of built-in tools.