Detecting Living-off-the-Land Attacks in OT Networks

Key Takeaways

The most dangerous attacker inside your OT network right now may not have brought a single piece of malware with them. They’re using your own tools. Your own administrative credentials. Your own scheduled tasks and remote management utilities to execute malicious commands, move laterally, and quietly pre-position for a future disruption.

This is living-off-the-land (LOTL), the dominant attack technique in critical infrastructure targeting today. And it’s the reason traditional security measures keep failing the organizations that need protection most.

What Does “Living Off the Land” Mean in Cybersecurity, and Why Does It Matter?

Living off the land (LOTL) refers to a cyberattack strategy where threat actors use legitimate, pre-installed tools already present on a target system rather than deploying external malware. Common examples include PowerShell, Windows Management Instrumentation (WMI), scheduled tasks, and native remote management utilities.

The concept is borrowed directly from military doctrine: survive and operate using only what the environment provides. In cybersecurity, that environment is your own operating system, your own administrative toolset, and in OT contexts, your own industrial control software.

LOTL is relevant in modern cyber attacks for one core reason: it defeats the foundational logic of traditional security. Most security tools look for something foreign, an unknown file, a known-bad hash, a suspicious executable. LOTL attacks introduce nothing foreign. Every tool used is already trusted. Every action taken mirrors legitimate administrative activity. The attack is, by design, indistinguishable from normal operations using conventional detection methods.

This is why LOTL has become the technique of choice for the most capable threat actors in the world, from nation-state groups like Volt Typhoon targeting U.S. critical infrastructure, to ransomware operators seeking to move laterally without triggering alerts. It doesn’t require sophisticated malware. It requires knowledge of the target environment and patience.

21.5% of industrial organizations experienced a cyber incident in the past year

40% of those incidents caused operational disruption to physical processes

46% of OT assessments found adequate network monitoring deployed

5 yrs: Volt Typhoon maintained undetected access to U.S. critical infrastructure using only LOTL tools

What Is a Living-off-the-Land (LOTL) Attack?

In cybersecurity, living off the land describes attacks where adversaries rely entirely on legitimate tools already present in the target environment rather than introducing external malicious executables. Instead of deploying custom malware, they weaponize built-in system tools like PowerShell, Windows Management Instrumentation (WMI), remote management utilities, and standard engineering software.

The name comes from a military foraging concept: live off what the terrain provides. In cyber terms, the “terrain” is your operating system, your admin toolset, and your industrial control software. LOTL techniques let threat actors execute malicious code, escalate privileges, maintain persistence, and move laterally, all while looking exactly like normal system operations.

For IT environments, LOTL is a well-documented threat. In OT environments such as power grids, water treatment plants, oil pipelines, and manufacturing floors, it becomes an entirely different category of risk. Disruption here isn’t a data breach. It’s a grid outage, a plant shutdown, or a safety incident.

Why does LOTL work against traditional security controls?

Antivirus software and signature-based tools look for known malicious code. LOTL attacks introduce no new code. When PowerShell executes an encoded command, it’s doing exactly what PowerShell is supposed to do. There’s no signature to detect because there’s no malware to find.

Why OT Networks Are Uniquely Vulnerable to LOTL Techniques

OT environments were never designed with adversarial actors in mind. They were built for reliability, not security. They run on proprietary protocols and legacy hardware in facilities that were historically isolated from external networks.

IT/OT convergence changed that. The same network carrying SCADA commands to a substation may also connect to a corporate IT environment running Windows, Active Directory, and remote access tools. That’s operationally necessary. It also opens a direct path for attackers who know how to use legitimate administrative tools to blend into normal operations.

Several structural factors make detection especially difficult in OT settings:

Challenge | Why it matters in OT | Risk Level
Legacy assets | Many PLCs and field devices run outdated firmware and unsupported operating systems with no capacity for endpoint detection agents | Critical
Limited logging | OT assets often lack the logging capability of IT systems, leaving no forensic trail for incident investigation | Critical
IT/OT trust relationships | Once inside the IT network, attackers inherit trusted relationships that carry them into the OT layer without needing further exploits | Critical
Scan-intolerant devices | Active discovery tools used safely in IT environments can disrupt industrial processes if applied to OT networks | High
Low threat intel adoption | Only 21% of organizations deployed intelligence integration capabilities in 2025, per the SANS ICS survey | High
Visibility gaps at lower Purdue levels | Only 12.6% of organizations reported full ICS Cyber Kill Chain visibility; the gaps are largest near PLCs and process equipment | Critical

How Real Threat Groups Are Using LOTL to Target Critical Infrastructure Right Now

LOTL attacks have moved from an advanced nation-state technique to the dominant methodology across both criminal and state-sponsored actors. The clearest example came in February 2024, when CISA, the NSA, and the FBI, alongside Five Eyes partners, issued a joint advisory confirming that PRC state-sponsored group Volt Typhoon had compromised U.S. energy, water, communications, and transportation infrastructure using exclusively LOTL techniques, maintaining access for up to five years undetected.

Their toolkit: native utilities like wmic, ntdsutil, netsh, and PowerShell. Valid administrator credentials for lateral movement via RDP. No custom malware. The goal was not immediate disruption. It was pre-positioning for future destructive effects in the event of geopolitical conflict.

The Dragos 2026 OT/ICS Cybersecurity Year in Review (released February 17, 2026) confirms this trajectory continues to escalate. Dragos now tracks 26 active threat groups worldwide, with three newly discovered groups emerging in 2025 alone.

Threat Group | LOTL / OT TTPs | Targeted Sectors | Stage
VOLTZITE (overlaps Volt Typhoon) | Compromised Sierra Wireless cellular gateways to access U.S. midstream pipeline operations; pivoted to engineering workstations; used LOTL to extract config files and investigate process shutdown conditions | U.S. energy, pipelines, telecoms | Stage 2
KAMACITE | Systematically mapped control loops across U.S. infrastructure throughout 2025; scanning HMIs, variable frequency drives, metering modules, and cellular gateways to understand process-level operations | U.S. electric, water, manufacturing | Stage 2
SYLVANITE | Operates as an initial access broker; exploited Ivanti vulnerabilities and extracted Active Directory credentials at U.S. electric and water utilities; hands footholds directly to VOLTZITE | U.S. electric, water utilities | Stage 1
AZURITE | Targets OT engineering workstations to exfiltrate network diagrams, alarm data, and process information, building capability for future destructive operations | Manufacturing, defense, oil & gas, electric | Stage 2
ELECTRUM | Targeted distributed energy systems in Poland with deliberate attempts to affect operational assets; expanded operations into Europe in 2025 | European energy sector | Stage 2

How a LOTL Attack Moves Through an OT Environment

1. Initial Access: IT Network Entry

Attacker gains a foothold via phishing, exploiting an internet-facing VPN or remote access tool, or through a compromised third-party vendor. No custom malware is used. Only standard exploitation of a known vulnerability.

Ivanti / VPN exploit → valid credential

2. Credential Harvesting: Using Native Tools

Using built-in system tools, the attacker extracts password hashes and Active Directory credentials. No external malicious executables are introduced. Only native system utilities that are already trusted by every security layer.

vssadmin → NTDS.dit → credential hashes

3. Lateral Movement: Blending Into Admin Traffic

Using stolen credentials and legitimate remote management protocols, the attacker moves laterally through IT systems toward the IT/OT boundary. Traffic looks identical to legitimate administrative tasks performed by your own engineers.

RDP · WMI remote execution · PsExec

4. OT Pivot: Crossing Into the Control Network

Exploiting trusted IT/OT relationships, the attacker pivots into SCADA systems, engineering workstations, and HMIs. Access is authorized by inherited credentials. No exploit of OT-specific vulnerabilities is needed.

Sierra Wireless gateways · OT engineering software

5. Reconnaissance: Mapping Control Loops

The attacker uses standard engineering software and legitimate administrative tools to read configuration files, alarm data, and process setpoints. The goal: understand how the physical process works and where to induce a shutdown or safety incident.

HMI access · config file extraction · alarm data review

6. Persistence: No Malware, No Trace

Persistence is maintained through scheduled tasks, WMI subscriptions, or modified startup scripts. All use legitimate system mechanisms. Logs are cleared using built-in log-management tools. The attacker can remain for months or years.

schtasks · wevtutil cl · WMI subscriptions

The Six LOTL Techniques Most Commonly Used Against OT Environments

Understanding what these attacks look like at a technical level is prerequisite to detecting them. Each technique below is a legitimate capability of your operating systems, which is exactly why traditional antivirus software and legacy security tools miss them entirely.

Technique | Tool / Mechanism | What the Attacker Does | Why It Evades Detection
Encoded command execution | PowerShell -EncodedCommand | Executes malicious scripts and remote commands with payloads encoded in Base64, preventing string-based detection rules from triggering | PowerShell executing encoded commands is a valid, common administrative function. No signature exists for the encoding itself.
Remote execution via WMI | wmic process call create | Executes commands remotely on other systems inside the OT network without deploying traditional malware or touching the disk on the target | WMI activity is indistinguishable from normal system operations to legacy security tools and antivirus software
Persistence via scheduled tasks | schtasks /create | Creates tasks that re-invoke malicious PowerShell commands after reboots, ensuring persistence without any new files being written | Scheduled tasks are used extensively for legitimate administrative tasks, blending in with dozens of existing tasks
Credential harvesting | vssadmin / ntdsutil | Accesses the Active Directory database (NTDS.dit) via Volume Shadow Copy to extract password hashes without triggering AV. This method was used by Volt Typhoon | Both tools are legitimate administrative tools with valid business purposes; their misuse is behaviorally identical to authorized use
Fileless malware execution | PowerShell / WMI / .NET CLR | Executes malicious payloads entirely in memory without writing files to disk, thereby evading file-based detection and forensic recovery | No file is created, so file-scanning antivirus solutions have nothing to detect; traditional security controls are structurally blind to fileless malware
Log tampering to cover tracks | wevtutil cl / Clear-EventLog | Deletes Windows event logs to erase evidence of lateral movement, command execution, and logon events. This technique was used systematically by VOLTZITE and Volt Typhoon | Log clearing uses the same native tools used by administrators; the act of clearing is itself a native system operation

Why Traditional Security Tools Cannot Detect LOTL in OT Environments

The detection gap is structural, not just technical. Traditional antivirus solutions and legacy security tools were built on a fundamental assumption: malicious activity introduces something new. An unknown binary. A known-bad hash. A suspicious domain in DNS. Remove that assumption, and the entire detection model collapses.

LOTL attacks are specifically designed to violate that assumption. When PowerShell executes a command, it is doing exactly what PowerShell is supposed to do. The command can be encoded, obfuscated, or layered in legitimate-looking parameters and still leave no artifact that a signature-based tool can match.

How Living-off-the-Land Techniques Specifically Evade Detection

LOTL techniques evade detection through three overlapping mechanisms.

First, they produce no new files. Fileless execution in memory means file-scanning antivirus solutions have nothing to analyze.

Second, every tool involved is already whitelisted. PowerShell, WMI, and scheduled tasks are trusted by every security layer in the environment by default.

Third, the behavioral footprint is nearly identical to legitimate administrative activity. An encoded PowerShell command run by an attacker looks the same to a traditional security tool as one run by your own IT team.

Signature-based detection fails on all three counts because it was designed to find foreign objects, not identify malicious intent behind trusted actions.

Traditional Security Measures: What They See | Behavioral Detection: What It Sees
PowerShell running — normal ✓ | PowerShell never ran on this host before → alert
WMI activity — normal ✓ | WMI executing remote process at 2 AM → anomaly
Scheduled task created — normal ✓ | Scheduled task invoking encoded command → alert
Admin credential used — normal ✓ | Admin credential used outside business hours → flag
RDP session opened — normal ✓ | RDP from IT into OT segment → suspicious
No malware detected → no alert | Log clearing after lateral movement → high-confidence IOC

In OT environments, the gap is amplified by the fact that only 46% of assessments found adequate OT network monitoring deployed, per the Dragos 2026 report. Organizations lacking comprehensive visibility saw an average dwell time of 42 days for OT ransomware, compared to just 5 days for organizations with mature monitoring. That 37-day gap is the direct operational cost of blind spots in OT environments.

How to Detect Living-off-the-Land Attacks in OT Networks: 5 Proven Strategies

Detection requires a fundamentally different philosophy from traditional malware hunting. You are not looking for known-bad signatures. You are looking for anomalous patterns in otherwise legitimate behavior. The following strategies are supported by the current evidence base from SANS, CISA, and Dragos incident response cases.

1. Establish Behavioral Baselines for Every Host in the Environment

If PowerShell has never run on a specific engineering workstation before, a single encoded PowerShell command becomes a high-confidence indicator, even though nothing about that command is technically malicious. Behavioral baselines turn normal context into a detection mechanism. Without them, there is nothing to compare anomalous activity against.

2. Deploy Passive Network Monitoring Tuned to OT Protocols

In environments where endpoint agents cannot be installed on legacy PLCs and HMIs, network-based detection becomes the primary visibility layer. Passively monitoring industrial protocols such as Modbus/TCP, DNP3, IEC 61850, and EtherNet/IP can surface unexpected command sequences, unauthorized device interactions, and lateral movement patterns that have no signature but are inconsistent with normal system operations.
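As an added illustration of this strategy (example code written for this page, not Fidelis's product or code from the original article), the Python sketch below parses Modbus/TCP request frames observed passively on the wire and raises findings for writes from hosts outside a write allow-list, device-identification reads from anything other than the engineering workstation, and traffic from hosts absent from the baseline. The IP addresses, allow-list and sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (reads are 1-4).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_DEVICE_ID = 43  # Encapsulated Interface Transport; MEI type 14 = Read Device Identification

# Constructed baseline for a hypothetical plant segment (an assumption, not from the page):
# every host that normally speaks Modbus, and which (source, PLC) pairs are allowed to write.
ENGINEERING_WS = "10.20.1.10"
KNOWN_HOSTS = {"10.20.1.10", "10.20.1.20", "10.20.5.1"}
WRITE_ALLOWLIST = {("10.20.1.10", "10.20.5.1"),   # engineering workstation -> PLC-1
                   ("10.20.1.20", "10.20.5.1")}   # HMI -> PLC-1

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (tid, proto, length, unit) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def assess(src: str, dst: str, frame: bytes) -> list:
    """Findings for one request seen passively on the wire (src -> dst)."""
    findings = []
    if src not in KNOWN_HOSTS:
        findings.append(f"Modbus/TCP from host {src} never seen in baseline")
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        findings.append(f"malformed Modbus/TCP from {src}: {exc}")
        return findings
    if req.function in WRITE_FUNCTIONS and (src, dst) not in WRITE_ALLOWLIST:
        addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else -1
        findings.append(f"{WRITE_FUNCTIONS[req.function]} at address {addr} on unit "
                        f"{req.unit_id} from {src}, not in write allow-list")
    if req.function == READ_DEVICE_ID and req.data[:1] == b"\x0e" and src != ENGINEERING_WS:
        findings.append(f"device identification read from {src}: possible asset mapping")
    return findings

def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU (used here only to construct sample frames)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    # Constructed sample traffic: a normal HMI write, then the same write from an unknown host.
    write = build_request(1, 1, 6, b"\x00\x10\x00\xff")
    print(assess("10.20.1.20", "10.20.5.1", write))   # []
    print(assess("10.20.1.99", "10.20.5.1", write))   # unknown host + write outside allow-list
```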

3. Apply Deep Packet Inspection to Industrial Protocol Traffic

Standard firewalls pass industrial protocol traffic without inspecting its content. Deep packet inspection that understands ICS-specific protocols can identify malicious payloads embedded inside otherwise legitimate communications. Without it, attackers can embed malicious code within standard protocol frames in a way that perimeter tools never see.

4. Integrate ICS-Specific Threat Intelligence

Generic threat feeds don’t surface Volt Typhoon’s specific LOTL tradecraft. Understanding how VOLTZITE, KAMACITE, and similar groups operate in OT environments requires intelligence that maps to ICS adversary TTPs, not just IP blocklists and domain reputation scores. The SANS 2025 ICS survey confirmed that organizations using ICS-specific threat intelligence were significantly more likely to adjust defensive priorities and accelerate segmentation projects. Yet only 21% of organizations had deployed such capabilities by the end of 2025.

5. Enforce and Audit Network Segmentation at the IT/OT Boundary

Segmentation doesn’t prevent LOTL attacks, but it limits their blast radius. If an attacker using legitimate administrative tools in the IT environment cannot directly reach OT network segments, the lateral movement path to PLCs, HMIs, and SCADA systems is blocked. The important word is “enforce.” Having a firewall policy is not the same as having effective segmentation. Regular audits confirming that the boundary is actually enforced are a prerequisite for this control to work.

Common Living-off-the-Land Attack Methods and How to Defend Against Each One

The most effective way to build defenses is to pair each attack method directly with the control that counters it. Here’s how the most frequently observed LOTL techniques map to specific defensive actions organizations should prioritize:

LOTL Attack Method | How Attackers Use It | Defensive Control
PowerShell encoded commands | Execute malicious scripts in memory using Base64 encoding to bypass string-based detection rules | Enable PowerShell script block logging and constrained language mode; alert on encoded command usage from non-administrative hosts
WMI remote execution | Run commands on remote systems inside the network without writing files to disk, making the action invisible to file-based security tools | Monitor WMI activity at the network layer; baseline which systems legitimately use WMI and alert on any deviations from that baseline
Scheduled tasks for persistence | Re-invoke malicious commands after system reboots without deploying any new executables to maintain long-term access | Audit scheduled task creation events (Windows Event ID 4698); alert on tasks that invoke PowerShell or contain encoded command strings
Credential harvesting via vssadmin / ntdsutil | Extract Active Directory password hashes from NTDS.dit using Volume Shadow Copies. This is the exact method used by Volt Typhoon | Monitor vssadmin and ntdsutil usage closely; restrict access to VSS on domain controllers; alert on NTDS.dit access outside scheduled backup windows
Fileless malware execution | Execute malicious payloads entirely in RAM, leaving no file on disk for antivirus software or forensic tools to find | Deploy memory-based behavioral detection; monitor for process injection and unusual parent-child process relationships in real time
Log clearing with wevtutil | Erase Windows event logs to destroy evidence of lateral movement, command execution, and logon events after the fact | Forward logs in real time to a centralized SIEM so local deletion cannot erase the record; configure immediate alerts on log-clearing events
RDP lateral movement with valid credentials | Move between systems using stolen but technically legitimate credentials that bypass access controls without triggering alerts | Enforce MFA on all RDP connections; baseline normal RDP usage patterns and alert on off-hours or cross-segment connections
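Putting strategy 1 (behavioral baselines) and the defensive controls in the table above into working form, here is an added Python sketch (not code from the original page or from Fidelis) that scores Windows events against a per-host baseline: it decodes -EncodedCommand payloads (Base64 of UTF-16LE text), flags processes never seen on a host, WMI remote process creation outside staffed hours, RDP from the IT segment into OT, scheduled tasks that invoke PowerShell (Event ID 4698), and security-log clearing (Event ID 1102). Host names, segments, staffed hours and the sample events are constructed assumptions, and the event field names are a simplified schema rather than raw Windows event XML.

```python
import base64
import re

# Constructed baseline (an assumption, not from the original page): the processes each
# host normally runs, the RDP segment pairs seen in a learning window, and staffed hours.
BASELINE_PROCESSES = {
    "ENG-WS-01": {"rslogix.exe", "explorer.exe", "studio5000.exe"},
    "IT-ADMIN-01": {"powershell.exe", "wmic.exe", "explorer.exe"},
}
BASELINE_RDP = {("IT", "IT")}          # RDP between IT hosts is normal; IT -> OT is not
STAFFED_HOURS = range(6, 19)           # 06:00-18:59

# Matches -e / -ec / -enc / -EncodedCommand followed by a Base64 blob; "-exec" does not match.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE text), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"

def assess_event(ev: dict) -> list:
    """Score one Windows event against the baseline; returns the findings it triggers."""
    findings = []
    host, hour = ev["host"], ev["hour"]
    off_hours = hour not in STAFFED_HOURS
    if ev["id"] == 4688:                                     # process creation
        proc, cmd = ev["process"].lower(), ev["cmdline"]
        if proc not in BASELINE_PROCESSES.get(host, set()):
            findings.append(f"{proc} never seen on {host} before")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(f"encoded PowerShell on {host}: {decoded.strip()!r}")
        if proc == "wmic.exe" and "process call create" in cmd.lower() and off_hours:
            findings.append(f"WMI remote process creation from {host} at {hour:02d}:00")
    elif ev["id"] == 4624 and ev.get("logon_type") == 10:    # RDP (RemoteInteractive) logon
        pair = (ev["src_segment"], ev["dst_segment"])
        if pair not in BASELINE_RDP:
            findings.append(f"RDP {pair[0]} -> {pair[1]} is outside the baseline")
        if off_hours:
            findings.append(f"RDP by {ev['user']} at {hour:02d}:00, outside staffed hours")
    elif ev["id"] == 4698:                                   # scheduled task created
        if "powershell" in ev["cmdline"].lower() or ENCODED_FLAG.search(ev["cmdline"]):
            findings.append(f"scheduled task on {host} invokes PowerShell or an encoded command")
    elif ev["id"] == 1102:                                   # security log cleared
        findings.append(f"security log cleared on {host} by {ev['user']}: high-confidence indicator")
    return findings

# Constructed sample telemetry: one suspicious sequence on an engineering workstation
# plus one ordinary daytime WMI call from the IT admin host, which should stay silent.
SAMPLE_ENCODED = base64.b64encode("Get-Content C:\\Projects\\line1.cfg".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4624, "host": "ENG-WS-01", "hour": 2, "user": "svc_backup", "logon_type": 10,
     "src_segment": "IT", "dst_segment": "OT"},
    {"id": 4688, "host": "ENG-WS-01", "hour": 2, "user": "svc_backup", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"id": 4688, "host": "IT-ADMIN-01", "hour": 10, "user": "admin", "process": "wmic.exe",
     "cmdline": 'wmic /node:FILE01 process call create "cmd /c dir"'},
    {"id": 1102, "host": "ENG-WS-01", "hour": 3, "user": "svc_backup"},
]

def run(events: list) -> dict:
    """Map event index -> findings, keeping only events that triggered something."""
    return {i: f for i, e in enumerate(events) if (f := assess_event(e))}
```

Running `run(SAMPLE_EVENTS)` reports events 0, 1 and 3 and stays silent on the daytime WMI call from the IT admin host, which is the point: the same tool is normal on one host at one hour and an indicator on another.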

OT LOTL Detection Readiness Checklist

How Fidelis Security Detects LOTL Threats in OT Environments

Detecting attacks designed to evade signatures requires network-native depth beyond endpoint agents, firewalls, or IT-centric SIEM. Fidelis Network® and Fidelis Elevate® XDR deliver passive visibility for OT, surfacing LOTL in trusted processes without disrupting operations.

Fidelis Network® uses patented Deep Session Inspection® (DSI) across all ports/protocols including IT and OT traffic, to reassemble full bidirectional sessions and decode content like encoded PowerShell, surpassing DPI limits. This reveals hidden LOTL patterns:

LOTL Indicator | How Fidelis Surfaces It
Encoded PowerShell executing commands | DSI decodes Base64 payloads in real-time sessions, behavioral matching
WMI-based remote execution | Network-layer protocol analysis flags remote commands bypassing EDR
IT→OT lateral movement | Anomaly detection vs. baselines + OT asset integration
Credential abuse patterns | Telemetry + threat intel correlation on valid auth events
Industrial protocol anomalies | DSI decoding detects anomalies in Modbus/TCP, DNP3, IEC 61850 traffic

Fidelis Elevate® correlates DSI with endpoint data, ICS threat intel, and OT discovery (e.g., Forescout integration) for Purdue-complete coverage, turning misuse of administrative tools into alerts.

Key Takeaways: What Security Teams Should Do in 2026

The Dragos 2026 report makes the trajectory clear: adversaries have moved from pre-positioning to actively mapping control loops across U.S. critical infrastructure. The groups doing this work, VOLTZITE, KAMACITE, SYLVANITE, AZURITE, are using legitimate system tools and trusted access paths because those paths work. They evade detection systems. They allow threat actors to persist for months without triggering a single alert.

The path forward requires three foundational capabilities working together:

Visibility into the OT network itself. Not just the IT/OT boundary, but into the industrial protocols, engineering workstations, and HMIs where LOTL techniques play out at the process level. Only 46% of OT assessments found adequate monitoring deployed. That is the starting gap.

Behavioral baselines and anomaly detection calibrated to what is normal in your specific environment. Legitimate tool usage in illegitimate contexts generates the alert it should. Without a baseline, there is no detection. There is only silence.

ICS-specific threat intelligence that maps to adversary TTPs. Generic feeds don’t surface how VOLTZITE hands off access to KAMACITE, or how SYLVANITE extracts Active Directory credentials and passes footholds to deeper OT operators. Understanding these ecosystems is how defenders get ahead of them.

LOTL techniques work because defenders watch for malware while attackers use administrative tools. Organizations with comprehensive OT visibility contained incidents in an average of five days. Those without took 42 days. That 37-day window is where operational disruptions, safety incidents, and physical consequences occur. Closing it is the defining security challenge of 2026.

The post Detecting Living-off-the-Land Attacks in OT Networks appeared first on Fidelis Security.