The Bottom Line: Attackers use legal system tools instead of malware to remain invisible — CISOs must align their detection logic to behavioral anomalies and access controls.
Attackers increasingly use native IT tools such as SSH or PowerShell for cyberattacks to hide among legitimate system activities. For CISOs, this becomes a challenge, as traditional security controls often fail to detect such attacks.
Living off the land attacks rely on already installed system tools rather than specialized malware. SSH, PowerShell, WinRM, or similar administrative tools give attackers legitimate access to systems without raising suspicion. The activities appear in the network and logs as normal maintenance or administrative tasks.
This strategy offers attackers significant advantages: they avoid endpoint detection, bypass signature-based antimalware, and leave minimal forensic traces. At the same time, they neutralize a central detection indicator — unexpected processes or suspicious software — on the attacked system.
For CISOs, this means that perimeter and signature-based defense alone is insufficient. Visibility of all system activities — particularly PowerShell executions, SSH connections, and WinRM usage — becomes a prerequisite for detection. Behavior-based anomaly detection helps identify unusual patterns of such tools. At the same time, rapid containment is critical: those who detect suspicious administrative tool usage must be able to terminate sessions immediately and isolate affected accounts.
Source: www.computerweekly.com · Published 7 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.