Living off the Land: When the Malware Is Your Own Admin Tools

PowerShell isn't malware. Neither is wmic. When an intruder works with your own administrative tools, the only tell is behavior the host has never shown before.

Nothing here looks wrong

Picture a domain controller at two in the morning. PowerShell is running. So is wmic, and a little later, ntdsutil. Every one of these is a signed Microsoft binary that ships with Windows. Every command runs under a valid administrator account. No malware touched the disk. No exploit was thrown. To a tool that inspects files and matches signatures, nothing here is worth a second look.

That is exactly the point. The activity is an intruder copying the directory database that holds your password hashes, and they are doing it with the same tools your administrators use every day.

The technique has a name. Defenders call it living off the land: rather than bring malware, the attacker uses the legitimate software already present on the host. It is not a fringe tactic. By one widely cited industry threat report, roughly 79 percent of the intrusions detected in 2024 involved no malware at all. The operators logged in and worked by hand with the tools that were already there.

Why the usual defenses look away

Signature-based tools, and most endpoint protection, are built around one question: is this file or this behavior known to be bad? Living-off-the-land activity answers that question with a clean no, every time. PowerShell is not malware. wmic is not malware. An administrator logging in to a server is not an incident. Each individual action is something the environment sees thousands of times a day from legitimate users.

The federal government has put a spotlight on this. In February 2024, CISA and partner agencies published an advisory on Volt Typhoon, a state-sponsored group that compromised United States critical infrastructure across the communications, energy, transportation, and water sectors. The group relied on living-off-the-land techniques almost entirely, and in some victim networks it held access for at least five years. The advisory is candid about why this is so hard to catch: the activity blends into normal administration, and signature-based and endpoint tools are poorly suited to spotting it. The mitigation guidance points defenders toward a different approach, establishing what normal looks like for a host so the abnormal can stand out.

That is the problem in one line. You cannot catch living-off-the-land activity by asking whether the tool is malicious, because it is not. You can only catch it by asking whether the tool is being used the way it normally is.

Normal tool, abnormal behavior

Step back from the binary and look at the behavior around it.

A domain controller has habits. It talks to a known set of machines. The same handful of administrators sign in, from the same places, during the same hours. ntdsutil, the tool an attacker might use to extract the directory database, almost never runs interactively, and when it does, it is during a planned maintenance window by a known person. A real domain controller has a shape, and that shape is consistent enough to measure.

Now the intruder's session stops being invisible. ntdsutil firing at two in the morning is not normal for this host. A burst of new outbound connections to an address the machine has never contacted is not normal. An administrative account signing in from a subnet it has never used is not normal. None of these trip a signature. All of them are departures from how this specific machine behaves.

What Qato does with that

This is the gap Qato is built to cover. Lightweight agents on each host report behavioral statistics: process creation, network connections, listening ports, authentication events, and more. A server learns a rolling baseline for each metric on each host, with separate profiles for business hours, off-hours, and weekends, so a quiet Saturday is judged against other quiet Saturdays. The baseline is private to your environment and lives on your own hardware. There is nothing for an outsider to study.

When a host steps outside its own normal, Qato scores the deviation and shows its work. The score breaks into the specific metrics that moved, each in standard deviations from that host's baseline, so an analyst sees that process creation and outbound connections and an off-hours login all departed together, and by how much. A legitimate tool used in an illegitimate way leaves a behavioral fingerprint, and the fingerprint is what Qato reads.

When the same hand moves from one host to the next, each hop raises its own anomaly. Qato links anomalies that connect through network sessions into an episode, reconstructing the path across hosts rather than leaving an analyst to assemble a dozen separate alerts by hand. Lateral movement with built-in tools is still movement, and movement leaves a trail across baselines.

Qato does not replace your endpoint protection, your intrusion detection, or your SIEM, and it does not ask you to blocklist the administrative tools your team depends on. Those tools have to keep working. Qato covers the case those defenses were never designed for: the legitimate program, run by a legitimate account, doing something this host does not normally do.

The honest version of the problem

You cannot ban PowerShell. You cannot treat every administrator login as an attack. The tools an intruder abuses are the same tools that keep the network running, which is precisely why living off the land works, and why it has kept a foreign actor inside critical infrastructure for years at a stretch.

What you can do is know the difference between normal use and abnormal use, for every host, on a Tuesday afternoon and a quiet weekend alike, well enough to notice the moment a familiar tool starts behaving like a stranger.

Beyond signatures. Beyond rules. Detect the unknown.

Previous
Previous

The Black Box Problem: Why 'Trust the AI' Isn't Good Enough in a SOC

Next
Next

Why Attackers Can Download Your Signatures but Not Your Baselines