{"id":7355,"date":"2026-03-05T18:07:21","date_gmt":"2026-03-05T18:07:21","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7355"},"modified":"2026-03-05T18:07:21","modified_gmt":"2026-03-05T18:07:21","slug":"detecting-living-off-the-land-attacks-in-ot-networks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7355","title":{"rendered":"Detecting Living-off-the-Land Attacks in OT Networks"},"content":{"rendered":"<div class=\"elementor elementor-38804\">\n<div class=\"elementor-element elementor-element-4119375c e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-7346ccb2 ha-has-bg-overlay elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Key Takeaways<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-6b6672f2 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">LOTL attacks use trusted tools like PowerShell, WMI, and RDP, making malicious activity appear identical to normal administrative behavior inside OT networks.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">OT environments are especially vulnerable due to legacy systems, limited logging, and inherited IT\/OT trust relationships.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span 
class=\"elementor-icon-list-text\">Signature-based tools fail because LOTL introduces no malware, only misuse of legitimate capabilities.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Detection requires behavioral baselines, passive OT monitoring, deep session inspection, and ICS-specific threat intelligence.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Without comprehensive OT visibility, dwell time expands dramatically, increasing operational and safety risk.<\/span><\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-005a088 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-24172ba elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The most dangerous attacker inside your OT network right now may not have brought a single piece of malware with them. They\u2019re using your own tools. Your own administrative credentials. Your own scheduled tasks and remote management utilities to execute malicious commands, move laterally, and quietly pre-position for a future disruption.<\/p>\n<p>This is living-off-the-land (LOTL), the dominant attack technique in critical infrastructure targeting today. 
And it\u2019s the reason traditional security measures keep failing the organizations that need protection most.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-b59a66e elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What Does &#8220;Living Off the Land&#8221; Mean in Cybersecurity, and Why Does It Matter?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-61cc3de elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Living off the land (LOTL) refers to a cyberattack strategy where threat actors use legitimate, pre-installed tools already present on a target system rather than deploying external <a href=\"https:\/\/fidelissecurity.com\/cybersecurity-101\/learn\/what-is-malware\/\">malware<\/a>. Common examples include PowerShell, Windows Management Instrumentation (WMI), scheduled tasks, and native remote management utilities.<\/p>\n<p><em><strong>The concept is borrowed directly from military doctrine:<\/strong><\/em> survive and operate using only what the environment provides. In cybersecurity, that environment is your own operating system, your own administrative toolset, and in OT contexts, your own industrial control software.<\/p>\n<p><em><strong>LOTL is relevant in modern cyber attacks for one core reason:<\/strong><\/em> it defeats the foundational logic of traditional security. Most security tools look for something foreign, an unknown file, a known-bad hash, a suspicious executable. LOTL attacks introduce nothing foreign. Every tool used is already trusted. Every action taken mirrors legitimate administrative activity. 
The attack is, by design, indistinguishable from normal operations using conventional detection methods.<\/p>\n<p>This is why LOTL has become the technique of choice for the most capable threat actors in the world, from nation-state groups like Volt Typhoon targeting U.S. critical infrastructure, to ransomware operators seeking to move laterally without triggering alerts. It doesn\u2019t require sophisticated malware. It requires knowledge of the target environment and patience.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-0b95e0e e-grid e-con-full wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-child\">\n<div class=\"elementor-element elementor-element-3679356 e-con-full e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-child\">\n<div class=\"elementor-element elementor-element-09f73fb elementor-view-default elementor-position-top elementor-mobile-position-top elementor-widget elementor-widget-icon-box\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-icon-box-wrapper\">\n<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span class=\"elementor-icon\"><br \/>\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n<div class=\"elementor-icon-box-content\">\n<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span><br \/>\n\t\t\t\t\t\t\t21.5%\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t<\/h3>\n<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\tof industrial organizations experienced a cyber incident in the past year\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-02a61fa e-con-full e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-child\">\n<div class=\"elementor-element elementor-element-15c3adc elementor-view-default elementor-position-top elementor-mobile-position-top elementor-widget elementor-widget-icon-box\">\n<div class=\"elementor-widget-container\">\n<div 
class=\"elementor-icon-box-wrapper\">\n<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span class=\"elementor-icon\"><br \/>\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n<div class=\"elementor-icon-box-content\">\n<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span><br \/>\n\t\t\t\t\t\t\t40%\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t<\/h3>\n<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\tof those incidents caused operational disruption to physical processes\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-115cabb e-con-full e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-child\">\n<div class=\"elementor-element elementor-element-bf89d23 elementor-view-default elementor-position-top elementor-mobile-position-top elementor-widget elementor-widget-icon-box\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-icon-box-wrapper\">\n<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span class=\"elementor-icon\"><br \/>\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n<div class=\"elementor-icon-box-content\">\n<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span><br \/>\n\t\t\t\t\t\t\t46%\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t<\/h3>\n<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\tof OT assessments found adequate network monitoring deployed\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-d9266ba e-con-full e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-child\">\n<div class=\"elementor-element elementor-element-22cd59f elementor-view-default elementor-position-top elementor-mobile-position-top elementor-widget elementor-widget-icon-box\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-icon-box-wrapper\">\n<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span class=\"elementor-icon\"><br 
\/>\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n<div class=\"elementor-icon-box-content\">\n<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span><br \/>\n\t\t\t\t\t\t\t5 yrs\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t<\/h3>\n<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\tVolt Typhoon maintained undetected access to U.S. critical infrastructure using only LOTL tools\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-bb68e31 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-1992f54 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What Is a Living-off-the-Land (LOTL) Attack?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-184a02f elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>In cybersecurity, living off the land describes attacks where adversaries rely entirely on legitimate tools already present in the target environment rather than introducing external 
malicious executables. Instead of deploying custom malware, they weaponize built-in system tools like PowerShell, Windows Management Instrumentation (WMI), remote management utilities, and standard engineering software.<\/p>\n<p>The name comes from a military foraging concept: live off what the terrain provides. In cyber terms, the \u201cterrain\u201d is your operating system, your admin toolset, and your industrial control software. LOTL techniques let threat actors execute malicious code, escalate privileges, maintain persistence, and move laterally, all while looking exactly like normal system operations.<\/p>\n<p>For IT environments, LOTL is a well-documented threat. In OT environments such as power grids, water treatment, oil pipelines, and manufacturing floors, it becomes an entirely different category of risk. Disruption here isn\u2019t a <a href=\"https:\/\/fidelissecurity.com\/glossary\/data-breach\/\">data breach<\/a>. It\u2019s a grid outage, a plant shutdown, or a safety incident.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-78b3c4b5 eael-infobox-icon-bg-shape-none eael-infobox-icon-hover-bg-shape-none elementor-widget elementor-widget-eael-info-box\">\n<div class=\"elementor-widget-container\">\n<div class=\"eael-infobox icon-on-left\">\n<div class=\"infobox-icon eael-icon-only\">\n<div class=\"infobox-icon-wrap\">\n                                    <\/div>\n<\/div>\n<div class=\"infobox-content eael-icon-only\">\n<div class=\"infobox-title-section\">\n<h3 class=\"title\">Why does LOTL work against traditional security controls?<\/h3>\n<\/div>\n<div>\n<p>Antivirus software and signature-based tools look for known malicious code. LOTL attacks introduce no new code. When PowerShell executes an encoded command, it\u2019s doing exactly what PowerShell is supposed to do. 
There\u2019s no signature to detect because there\u2019s no malware to find.<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-48c9d3b0 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-1f0da40 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Why OT Networks Are Uniquely Vulnerable to LOTL Techniques<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-c88fdbf elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>OT environments were never designed with adversarial actors in mind. They were built for reliability, not security. They run on proprietary protocols and legacy hardware in facilities that were historically isolated from external networks.<\/p>\n<p>IT\/OT convergence changed that. The same network carrying <a href=\"https:\/\/fidelissecurity.com\/glossary\/scada-and-scada-systems\/\">SCADA<\/a> commands to a substation may also connect to a corporate IT environment running Windows, Active Directory, and remote access tools. That\u2019s operationally necessary. 
It also opens a direct path for attackers who know how to use legitimate administrative tools to blend into normal operations.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1608606 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<p class=\"elementor-heading-title elementor-size-default\">Several structural factors make detection especially difficult in OT settings:<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-701d976b elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<table>\n<thead>\n<tr>\n<th>Challenge<\/th>\n<th>Why it matters in OT<\/th>\n<th>Risk Level<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Legacy assets<\/td>\n<td>Many PLCs and field devices run outdated firmware and unsupported operating systems with no capacity for <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/endpoint-security\/what-is-endpoint-detection-and-response\/\">endpoint detection<\/a> agents<\/td>\n<td>Critical<\/td>\n<\/tr>\n<tr>\n<td>Limited logging<\/td>\n<td>OT assets often lack the logging capability of IT systems, leaving no forensic trail for incident investigation<\/td>\n<td>Critical<\/td>\n<\/tr>\n<tr>\n<td>IT\/OT trust relationships<\/td>\n<td>Once inside the IT network, attackers inherit trusted relationships that carry them into the OT layer without needing further exploits<\/td>\n<td>Critical<\/td>\n<\/tr>\n<tr>\n<td>Scan-intolerant devices<\/td>\n<td>Active discovery tools used safely in IT environments can disrupt industrial processes if applied to OT networks<\/td>\n<td>High<\/td>\n<\/tr>\n<tr>\n<td>Low threat intel adoption<\/td>\n<td>Only 21% of organizations deployed intelligence integration capabilities in 2025, per the SANS ICS survey<\/td>\n<td>High<\/td>\n<\/tr>\n<tr>\n<td>Visibility gaps at lower Purdue levels<\/td>\n<td>Only 12.6% of organizations reported full ICS Cyber Kill Chain visibility; the gaps are largest near PLCs and process equipment<\/td>\n<td>Critical<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-3f6f1998 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element 
elementor-element-2b6ff9e elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How Real Threat Groups Are Using LOTL to Target Critical Infrastructure Right Now<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-21479db elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>LOTL attacks have moved from an advanced nation-state technique to the dominant methodology across both criminal and state-sponsored actors. The clearest example came in February 2024, when CISA, the NSA, and the FBI, alongside Five Eyes partners, issued a joint advisory confirming that PRC state-sponsored group Volt Typhoon had compromised U.S. energy, water, communications, and transportation infrastructure using exclusively LOTL techniques, maintaining access for up to five years undetected.<\/p>\n<p><strong>Their toolkit:<\/strong> native utilities like wmic, ntdsutil, netsh, and PowerShell. Valid administrator credentials for lateral movement via RDP. No custom malware. The goal was not immediate disruption. It was pre-positioning for future destructive effects in the event of geopolitical conflict.<\/p>\n<p>The Dragos 2026 OT\/ICS Cybersecurity Year in Review (released February 17, 2026) confirms this trajectory continues to escalate. Dragos now tracks 26 active threat groups worldwide, with three newly discovered groups emerging in 2025 alone.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e6c78ba elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<table>\n<thead>\n<tr>\n<th>Threat Group<\/th>\n<th>LOTL \/ OT TTPs<\/th>\n<th>Targeted Sectors<\/th>\n<th>Stage<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VOLTZITE (overlaps Volt Typhoon)<\/td>\n<td>Compromised Sierra Wireless cellular gateways to access U.S. midstream pipeline operations; pivoted to engineering workstations; used LOTL to extract config files and investigate process shutdown conditions<\/td>\n<td>U.S. energy, pipelines, telecoms<\/td>\n<td>Stage 2<\/td>\n<\/tr>\n<tr>\n<td>KAMACITE<\/td>\n<td>Systematically mapped control loops across U.S. infrastructure throughout 2025; scanning HMIs, variable frequency drives, metering modules, and cellular gateways to understand process-level operations<\/td>\n<td>U.S. electric, water, manufacturing<\/td>\n<td>Stage 2<\/td>\n<\/tr>\n<tr>\n<td>SYLVANITE<\/td>\n<td>Operates as an initial access broker; exploited Ivanti vulnerabilities and extracted Active Directory credentials at U.S. electric and water utilities; hands footholds directly to VOLTZITE<\/td>\n<td>U.S. electric, water utilities<\/td>\n<td>Stage 1<\/td>\n<\/tr>\n<tr>\n<td>AZURITE<\/td>\n<td>Targets OT engineering workstations to exfiltrate network diagrams, alarm data, and process information, building capability for future destructive operations<\/td>\n<td>Manufacturing, defense, oil &amp; gas, electric<\/td>\n<td>Stage 2<\/td>\n<\/tr>\n<tr>\n<td>ELECTRUM<\/td>\n<td>Targeted distributed energy systems in Poland with deliberate attempts to affect operational assets; expanded operations into Europe in 2025<\/td>\n<td>European energy sector<\/td>\n<td>Stage 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-b117c52 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How a LOTL Attack Moves Through an OT Environment<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-f59be80 ha-has-bg-overlay elementor-widget elementor-widget-eael-feature-list\">\n<div class=\"elementor-widget-container\">\n<div class=\"-icon-position-left -tablet-icon-position-left -mobile-icon-position-left\">\n<p>                                            <span class=\"connector\"><\/span><br \/>\n                        <span class=\"connector connector-tablet\"><\/span><br \/>\n                        <span class=\"connector connector-mobile\"><\/span><\/p>\n<div class=\"eael-feature-list-icon-box\">\n<div 
class=\"eael-feature-list-icon-inner\">\n<p>\t\t\t\t\t\t\t\t<span class=\"eael-feature-list-icon fl-icon-0\"><\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"eael-feature-list-content-box\">\n<h4 class=\"eael-feature-list-title\">Initial Access: IT Network Entry<\/h4>\n<p class=\"eael-feature-list-content\">Attacker gains a foothold via phishing, exploiting an internet-facing VPN or remote access tool, or through a compromised third-party vendor. No custom malware is used. Only standard exploitation of a known vulnerability.<\/p>\n<p><span><br \/>\nIvanti \/ VPN exploit \u2192 valid credential<br \/>\n<\/span><\/p>\n<\/div>\n<p>                                            <span class=\"connector\"><\/span><br \/>\n                        <span class=\"connector connector-tablet\"><\/span><br \/>\n                        <span class=\"connector connector-mobile\"><\/span><\/p>\n<div class=\"eael-feature-list-icon-box\">\n<div class=\"eael-feature-list-icon-inner\">\n<p>\t\t\t\t\t\t\t\t<span class=\"eael-feature-list-icon fl-icon-1\"><\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"eael-feature-list-content-box\">\n<h4 class=\"eael-feature-list-title\">Credential Harvesting: Using Native Tools<\/h4>\n<p class=\"eael-feature-list-content\">Using built-in system tools, the attacker extracts password hashes and Active Directory credentials. No external malicious executables are introduced. 
Only native system utilities that are already trusted by every security layer.<\/p>\n<p><span><br \/>\nvssadmin \u2192 NTDS.dit \u2192 credential hashes<br \/>\n<\/span><\/p>\n<\/div>\n<p>                                            <span class=\"connector\"><\/span><br \/>\n                        <span class=\"connector connector-tablet\"><\/span><br \/>\n                        <span class=\"connector connector-mobile\"><\/span><\/p>\n<div class=\"eael-feature-list-icon-box\">\n<div class=\"eael-feature-list-icon-inner\">\n<p>\t\t\t\t\t\t\t\t<span class=\"eael-feature-list-icon fl-icon-2\"><\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"eael-feature-list-content-box\">\n<h4 class=\"eael-feature-list-title\">Lateral Movement: Blending Into Admin Traffic<\/h4>\n<p class=\"eael-feature-list-content\">Using stolen credentials and legitimate remote management protocols, the attacker moves laterally through IT systems toward the IT\/OT boundary. Traffic looks identical to legitimate administrative tasks performed by your own engineers.<\/p>\n<p><span><br \/>\nRDP \u00b7 WMI remote execution \u00b7 PsExec<br \/>\n<\/span><\/p>\n<\/div>\n<p>                                            <span class=\"connector\"><\/span><br \/>\n                        <span class=\"connector connector-tablet\"><\/span><br \/>\n                        <span class=\"connector connector-mobile\"><\/span><\/p>\n<div class=\"eael-feature-list-icon-box\">\n<div class=\"eael-feature-list-icon-inner\">\n<p>\t\t\t\t\t\t\t\t<span class=\"eael-feature-list-icon fl-icon-3\"><\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"eael-feature-list-content-box\">\n<h4 class=\"eael-feature-list-title\">OT Pivot: Crossing Into the Control Network<\/h4>\n<p class=\"eael-feature-list-content\">Exploiting trusted IT\/OT relationships, the attacker pivots into SCADA systems, engineering workstations, and HMIs. 
Access is authorized by inherited credentials. No exploit of OT-specific vulnerabilities is needed.<\/p>\n<p><span><br \/>\nSierra Wireless gateways \u00b7 OT engineering software<br \/>\n<\/span><\/p>\n<\/div>\n<p>                                            <span class=\"connector\"><\/span><br \/>\n                        <span class=\"connector connector-tablet\"><\/span><br \/>\n                        <span class=\"connector connector-mobile\"><\/span><\/p>\n<div class=\"eael-feature-list-icon-box\">\n<div class=\"eael-feature-list-icon-inner\">\n<p>\t\t\t\t\t\t\t\t<span class=\"eael-feature-list-icon fl-icon-4\"><\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"eael-feature-list-content-box\">\n<h4 class=\"eael-feature-list-title\">Reconnaissance: Mapping Control Loops<\/h4>\n<p class=\"eael-feature-list-content\">The attacker uses standard engineering software and legitimate administrative tools to read configuration files, alarm data, and process setpoints. The goal: understand how the physical process works and where to induce a shutdown or safety incident.<\/p>\n<p><span><br \/>\nHMI access \u00b7 config file extraction \u00b7 alarm data review<br \/>\n<\/span><\/p>\n<\/div>\n<p>                                            <span class=\"connector\"><\/span><br \/>\n                        <span class=\"connector connector-tablet\"><\/span><br \/>\n                        <span class=\"connector connector-mobile\"><\/span><\/p>\n<div class=\"eael-feature-list-icon-box\">\n<div class=\"eael-feature-list-icon-inner\">\n<p>\t\t\t\t\t\t\t\t<span class=\"eael-feature-list-icon fl-icon-5\"><\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"eael-feature-list-content-box\">\n<h4 class=\"eael-feature-list-title\">Persistence: No Malware, No Trace<\/h4>\n<p class=\"eael-feature-list-content\">Persistence is maintained through scheduled tasks, WMI subscriptions, or modified startup scripts. 
All use legitimate system mechanisms. Logs are cleared using built-in log-management tools. The attacker can remain for months or years.<\/p>\n<p><span><br \/>\nschtasks \u00b7 wevtutil cl \u00b7 WMI subscriptions<br \/>\n<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-3d1eb54 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">The Six LOTL Techniques Most Commonly Used Against OT Environments<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-4d69817 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Understanding what these attacks look like at a technical level is a prerequisite to detecting them. Each technique below is a legitimate capability of your operating systems, which is exactly why traditional antivirus software and legacy security tools miss them entirely.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-f518dd7 elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<table>\n<thead>\n<tr>\n<th>Technique<\/th>\n<th>Tool \/ Mechanism<\/th>\n<th>What the Attacker Does<\/th>\n<th>Why It Evades Detection<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Encoded command execution<\/td>\n<td>PowerShell -EncodedCommand<\/td>\n<td>Executes malicious scripts and remote commands with payloads encoded in Base64, preventing string-based detection rules from triggering<\/td>\n<td>PowerShell executing encoded commands is a valid, common administrative function. No signature exists for the encoding itself.<\/td>\n<\/tr>\n<tr>\n<td>Remote execution via WMI<\/td>\n<td>wmic process call create<\/td>\n<td>Executes commands remotely on other systems inside the OT network without deploying traditional malware or touching the disk on the target<\/td>\n<td>WMI activity is indistinguishable from normal system operations to legacy security tools and antivirus software<\/td>\n<\/tr>\n<tr>\n<td>Persistence via scheduled tasks<\/td>\n<td>schtasks \/create<\/td>\n<td>Creates tasks that re-invoke malicious PowerShell commands after reboots, ensuring persistence without any new files being written<\/td>\n<td>Scheduled tasks are used extensively for legitimate administrative tasks, blending in with dozens of existing tasks<\/td>\n<\/tr>\n<tr>\n<td>Credential harvesting<\/td>\n<td>vssadmin \/ ntdsutil<\/td>\n<td>Accesses the Active Directory database (NTDS.dit) via Volume Shadow Copy to extract password hashes without triggering AV. This method was used by Volt Typhoon<\/td>\n<td>Both tools are legitimate administrative tools with valid business purposes; their misuse is behaviorally identical to authorized use<\/td>\n<\/tr>\n<tr>\n<td>Fileless malware execution<\/td>\n<td>PowerShell \/ WMI \/ .NET CLR<\/td>\n<td>Executes malicious payloads entirely in memory without writing files to disk, thereby evading file-based detection and forensic recovery<\/td>\n<td>No file is created, so file-scanning antivirus solutions have nothing to detect; traditional security controls are structurally blind to fileless malware<\/td>\n<\/tr>\n<tr>\n<td>Log tampering to cover tracks<\/td>\n<td>wevtutil cl \/ Clear-EventLog<\/td>\n<td>Deletes Windows event logs to erase evidence of lateral movement, command execution, and logon events. This technique was used systematically by VOLTZITE and Volt Typhoon<\/td>\n<td>Log clearing uses the same native tools used by administrators; the act of clearing is itself a native system operation<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-7fc24e8 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Why Traditional Security Tools Cannot Detect LOTL in OT Environments<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-defbc74 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The detection gap is structural, not just technical. Traditional <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/endpoint-security\/antivirus-software\/\">antivirus solutions<\/a> and legacy security tools were built on a fundamental assumption: malicious activity introduces something new. An unknown binary. A known-bad hash. A suspicious domain in DNS. Remove that assumption, and the entire detection model collapses.<\/p>\n<p>LOTL attacks are specifically designed to violate that assumption. When PowerShell executes a command, it is doing exactly what PowerShell is supposed to do. 
The command can be encoded, obfuscated, or layered in legitimate-looking parameters and still leave no artifact that a signature-based tool can match.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-caaa839 eael-infobox-icon-bg-shape-none eael-infobox-icon-hover-bg-shape-none elementor-widget elementor-widget-eael-info-box\">\n<div class=\"elementor-widget-container\">\n<div class=\"eael-infobox icon-on-left\">\n<div class=\"infobox-icon eael-icon-only\">\n<div class=\"infobox-icon-wrap\">\n                                    <\/div>\n<\/div>\n<div class=\"infobox-content eael-icon-only\">\n<div class=\"infobox-title-section\">\n<h3 class=\"title\">How Living-off-the-Land Techniques Specifically Evade Detection<\/h3>\n<\/div>\n<div>\n<p>LOTL techniques evade detection through three overlapping mechanisms.<\/p>\n<p>First, they produce no new files. Fileless execution in memory means file-scanning antivirus solutions have nothing to analyze.<\/p>\n<p>Second, every tool involved is already whitelisted. PowerShell, WMI, and scheduled tasks are trusted by every security layer in the environment by default.<\/p>\n<p>Third, the behavioral footprint is nearly identical to legitimate administrative activity. An encoded PowerShell command run by an attacker looks the same to a traditional security tool as one run by your own IT team. 
<a href=\"https:\/\/fidelissecurity.com\/threatgeek\/network-security\/signature-based-detection\/\">Signature-based detection<\/a> fails on all three counts because it was designed to find foreign objects, not identify malicious intent behind trusted actions.<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-bfc726c elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<table>\n<thead>\n<tr><th>Traditional Security Measures: What They See<\/th><th>Behavioral Detection: What It Sees<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td>PowerShell running \u2014 normal \u2713<\/td><td>PowerShell never ran on this host before \u2192 alert<\/td><\/tr>\n<tr><td>WMI activity \u2014 normal \u2713<\/td><td>WMI executing remote process at 2 AM \u2192 anomaly<\/td><\/tr>\n<tr><td>Scheduled task created \u2014 normal \u2713<\/td><td>Scheduled task invoking encoded command \u2192 alert<\/td><\/tr>\n<tr><td>Admin credential used \u2014 normal \u2713<\/td><td>Admin credential used outside business hours \u2192 flag<\/td><\/tr>\n<tr><td>RDP session opened \u2014 normal \u2713<\/td><td>RDP from IT into OT segment \u2192 suspicious<\/td><\/tr>\n<tr><td>No malware detected \u2192 no alert<\/td><td>Log clearing after lateral movement \u2192 high-confidence IOC<\/td><\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-6bb4de1 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>In OT environments, the gap is amplified by the fact that only 46% of assessments found adequate OT network monitoring deployed, per the Dragos 2026 report. Organizations lacking comprehensive visibility saw an average dwell time of 42 days for OT ransomware, compared to just 5 days for organizations with mature monitoring. 
That 37-day gap is the direct operational cost of blind spots in OT environments.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-6e6771e elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How to Detect Living-off-the-Land Attacks in OT Networks: 5 Proven Strategies<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-f13fdca elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Detection requires a fundamentally different philosophy from traditional malware hunting. You are not looking for known-bad signatures. You are looking for anomalous patterns in otherwise legitimate behavior. The following strategies are supported by the current evidence base from SANS, CISA, and Dragos incident response cases.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-d743499 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">1. Establish Behavioral Baselines for Every Host in the Environment<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e4aa48f elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>If PowerShell has never run on a specific engineering workstation before, a single encoded PowerShell command becomes a high-confidence indicator, even though nothing about that command is technically malicious. Behavioral baselines turn normal context into a detection mechanism. Without them, there is nothing to compare anomalous activity against.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-c185a68 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">2. 
Deploy Passive Network Monitoring Tuned to OT Protocols<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-d84bf5f elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>In environments where endpoint agents cannot be installed on legacy PLCs and HMIs, <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/network-security\/what-is-ndr-network-detection-and-response\/\">network-based detection<\/a> becomes the primary visibility layer. Passively monitoring industrial protocols such as Modbus\/TCP, DNP3, IEC 61850, and EtherNet\/IP can surface unexpected command sequences, unauthorized device interactions, and lateral movement patterns that have no signature but are inconsistent with normal system operations.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-cc64825 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">3. Apply Deep Packet Inspection to Industrial Protocol Traffic<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a336ed4 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Standard firewalls pass industrial protocol traffic without inspecting its content. <a href=\"https:\/\/fidelissecurity.com\/cybersecurity-101\/network-security\/deep-packet-inspection-dpi\/\">Deep packet inspection<\/a> that understands ICS-specific protocols can identify malicious payloads embedded inside otherwise legitimate communications. Without that content-level inspection, attackers can embed malicious code within standard protocol frames in a way that perimeter tools never see.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-590d7be elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">4. 
Integrate ICS-Specific Threat Intelligence<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a261a07 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Generic threat feeds don\u2019t surface Volt Typhoon\u2019s specific LOTL tradecraft. Understanding how VOLTZITE, KAMACITE, and similar groups operate in OT environments requires intelligence that maps to ICS adversary TTPs, not just IP blocklists and domain reputation scores. The SANS 2025 ICS survey confirmed that organizations using ICS-specific threat intelligence were significantly more likely to adjust defensive priorities and accelerate segmentation projects. Yet only 21% of organizations had deployed such capabilities by the end of 2025.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a2ff7e7 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">5. Enforce and Audit Network Segmentation at the IT\/OT Boundary<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-b07aa25 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Segmentation doesn\u2019t prevent LOTL attacks, but it limits their blast radius. If an attacker using legitimate administrative tools in the IT environment cannot directly reach OT network segments, the <a href=\"https:\/\/fidelissecurity.com\/cybersecurity-101\/learn\/lateral-movement\/\">lateral movement<\/a> path to PLCs, HMIs, and SCADA systems is blocked. The important word is \u201cenforce.\u201d Having a firewall policy is not the same as having effective segmentation. 
Regular audits confirming that the boundary is actually enforced are a prerequisite for this control to work.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-3e7b1e9 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Common Living-off-the-Land Attack Methods and How to Defend Against Each One<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-4e28598 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The most effective way to build defenses is to pair each attack method directly with the control that counters it. Here\u2019s how the most frequently observed LOTL techniques map to specific defensive actions organizations should prioritize:<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-d235502 elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<table>\n<thead>\n<tr><th>LOTL Attack Method<\/th><th>How Attackers Use It<\/th><th>Defensive Control<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td>PowerShell encoded commands<\/td><td>Execute malicious scripts in memory using Base64 encoding to bypass string-based detection rules<\/td><td>Enable PowerShell script block logging and constrained language mode; alert on encoded command usage from non-administrative hosts<\/td><\/tr>\n<tr><td>WMI remote execution<\/td><td>Run commands on remote systems inside the network without writing files to disk, making the action invisible to file-based security tools<\/td><td>Monitor WMI activity at the network layer; baseline which systems legitimately use WMI and alert on any deviations from that baseline<\/td><\/tr>\n<tr><td>Scheduled tasks for persistence<\/td><td>Re-invoke malicious commands after system reboots without deploying any new executables to maintain long-term access<\/td><td>Audit scheduled task creation events (Windows Event ID 4698); alert on tasks that invoke PowerShell or contain encoded command strings<\/td><\/tr>\n<tr><td>Credential harvesting via vssadmin \/ ntdsutil<\/td><td>Extract Active Directory password hashes from NTDS.dit using Volume Shadow Copies. This is the exact method used by Volt Typhoon<\/td><td>Monitor vssadmin and ntdsutil usage closely; restrict access to VSS on domain controllers; alert on NTDS.dit access outside scheduled backup windows<\/td><\/tr>\n<tr><td>Fileless malware execution<\/td><td>Execute malicious payloads entirely in RAM, leaving no file on disk for antivirus software or forensic tools to find<\/td><td>Deploy memory-based behavioral detection; monitor for process injection and unusual parent-child process relationships in real time<\/td><\/tr>\n<tr><td>Log clearing with wevtutil<\/td><td>Erase Windows event logs to destroy evidence of lateral movement, command execution, and logon events after the fact<\/td><td>Forward logs in real time to a centralized SIEM so local deletion cannot erase the record; configure immediate alerts on log-clearing events<\/td><\/tr>\n<tr><td>RDP lateral movement with valid credentials<\/td><td>Move between systems using stolen but technically legitimate credentials that bypass access controls without triggering alerts<\/td><td>Enforce MFA on all RDP connections; baseline normal RDP usage patterns and alert on off-hours or cross-segment connections<\/td><\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-66ad7bf elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">OT LOTL Detection Readiness Checklist<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-07f6dcf elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Behavioral baselines exist for all engineering workstations and IT\/OT boundary systems so that first-time PowerShell execution or unexpected WMI activity generates an alert, not 
silence<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Passive OT network monitoring covers all Purdue levels, including Levels 0\u20132 where SANS 2025 data shows visibility collapses and consequences are most severe<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\"><a href=\"https:\/\/fidelissecurity.com\/threatgeek\/network-security\/deep-session-inspection\/\">Deep session inspection<\/a> is deployed on IT\/OT boundary traffic by inspecting the content and context of communications, not just their headers and ports<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">ICS-specific <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/threat-intelligence\/what-is-cyber-threat-intelligence\/\">threat intelligence<\/a> is operationalized with TTPs from groups like VOLTZITE and KAMACITE mapped to detection rules in your environment<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Segmentation at the IT\/OT boundary is actively enforced and audited, not just documented in a firewall policy that hasn&#8217;t been tested<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Logs from IT\/OT boundary systems are centralized and retained. 
CISA&#8217;s Volt Typhoon advisory specifically flags application event logs as a critical hunting resource<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Incident response procedures include OT-specific recovery playbooks and involve field engineers, not just security analysts, in tabletop exercises<\/span><\/p><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a2f9b17 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How Fidelis Security Detects LOTL Threats in OT Environments<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-306ae32 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Detecting attacks designed to evade signatures requires network-native depth beyond endpoint agents, firewalls, or IT-centric SIEM. <a href=\"https:\/\/fidelissecurity.com\/solutions\/network-detection-and-response-ndr\/\">Fidelis Network<\/a>\u00ae and Fidelis Elevate\u00ae XDR deliver passive visibility for OT, surfacing LOTL in trusted processes without disrupting operations.<\/p>\n<p>Fidelis Network\u00ae uses patented <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/network-security\/deep-session-inspection\/\">Deep Session Inspection<\/a>\u00ae (DSI) across all ports\/protocols including IT and OT traffic, to reassemble full bidirectional sessions and decode content like encoded PowerShell, surpassing DPI limits. 
This reveals hidden LOTL patterns:<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-2c0ec01 elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<table>\n<thead>\n<tr><th>LOTL Indicator<\/th><th>How Fidelis Surfaces It<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td>Encoded PowerShell executing commands<\/td><td>DSI decodes Base64 payloads in real-time sessions, behavioral matching<\/td><\/tr>\n<tr><td>WMI-based remote execution<\/td><td>Network-layer protocol analysis flags remote commands bypassing EDR<\/td><\/tr>\n<tr><td>IT\u2192OT lateral movement<\/td><td>Anomaly detection vs. baselines + OT asset integration<\/td><\/tr>\n<tr><td>Credential abuse patterns<\/td><td>Telemetry + threat intel correlation on valid auth events<\/td><\/tr>\n<tr><td>Industrial protocol anomalies<\/td><td>DSI decoding detects anomalies in Modbus\/TCP, DNP3, IEC 61850 traffic<\/td><\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-08036c9 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p><a href=\"https:\/\/fidelissecurity.com\/fidelis-elevate-extended-detection-and-response-xdr-platform\/\">Fidelis Elevate<\/a>\u00ae correlates DSI with endpoint data, ICS threat intel, and OT discovery (e.g., Forescout integration) for Purdue-complete coverage, turning admin tools into alerts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-470814e7 e-con-full post-cta-section e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-child\">\n<div class=\"elementor-element elementor-element-20c59369 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-heading-title elementor-size-default\">See How Fidelis Detects LOTL in Your OT Environment<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-40db0491 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tGet a customized walkthrough of how Fidelis Network\u00ae surfaces living-off-the-land attack 
patterns across IT\/OT boundaries\u00a0without disrupting operational processes.\t\t\t\t\t\t\t\t<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-5eeffefa elementor-widget elementor-widget-button\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/fidelissecurity.com\/get-a-demo\/\"><br \/>\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\"><br \/>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Request a Demo<\/span><br \/>\n\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e0c14de e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-5819a84 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Key Takeaways: What Security Teams Should Do in 2026<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-55c3755 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The Dragos 2026 report makes the trajectory clear: adversaries have moved from pre-positioning to actively mapping control loops across U.S. critical infrastructure. The groups doing this work, VOLTZITE, KAMACITE, SYLVANITE, AZURITE, are using legitimate system tools and trusted access paths because those paths work. They evade detection systems. 
They allow threat actors to persist for months without triggering a single alert.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-afabab0 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<p class=\"elementor-heading-title elementor-size-default\">The path forward requires three foundational capabilities working together:<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e4c76e6 elementor-blockquote--skin-border elementor-blockquote--button-color-official elementor-widget elementor-widget-blockquote\">\n<div class=\"elementor-widget-container\">\n<p class=\"elementor-blockquote__content\">\n\t\t\t\tVisibility into the OT network itself. Not just the IT\/OT boundary, but into the industrial protocols, engineering workstations, and HMIs where LOTL techniques play out at the process level. Only 46% of OT assessments found adequate monitoring deployed. That is the starting gap.\t\t\t<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-3d122c2 elementor-blockquote--skin-border elementor-blockquote--button-color-official elementor-widget elementor-widget-blockquote\">\n<div class=\"elementor-widget-container\">\n<p class=\"elementor-blockquote__content\">\n\t\t\t\tBehavioral baselines and anomaly detection calibrated to what is normal in your specific environment. Legitimate tool usage in illegitimate contexts generates the alert it should. Without a baseline, there is no detection. There is only silence.\t\t\t<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-cdbaf07 elementor-blockquote--skin-border elementor-blockquote--button-color-official elementor-widget elementor-widget-blockquote\">\n<div class=\"elementor-widget-container\">\n<p class=\"elementor-blockquote__content\">\n\t\t\t\tICS-specific threat intelligence that maps to adversary TTPs. 
Generic feeds don&#8217;t surface how VOLTZITE hands off access to KAMACITE, or how SYLVANITE extracts Active Directory credentials and passes footholds to deeper OT operators. Understanding these ecosystems is how defenders get ahead of them.\t\t\t<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-32154ce elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>LOTL techniques work because defenders watch for malware while attackers use administrative tools. Organizations with comprehensive OT visibility contained incidents in an average of five days. Those without took 42 days. That 37-day window is where operational disruptions, safety incidents, and physical consequences occur. Closing it is the defining security challenge of 2026.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The post <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/threat-detection-response\/living-off-the-land-attacks\/\">Detecting Living-off-the-Land Attacks in OT Networks<\/a> appeared first on <a href=\"https:\/\/fidelissecurity.com\/\">Fidelis Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Key Takeaways LOTL attacks use trusted tools like PowerShell, WMI, and RDP, making malicious activity appear identical to normal administrative behavior inside OT networks. OT environments are especially vulnerable due to legacy systems, limited logging, and inherited IT\/OT trust relationships. Signature-based tools fail because LOTL introduces no malware, only misuse of legitimate capabilities. 
Detection requires [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7356,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-7355","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7355"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7355"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7355\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7356"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}