The intruder who never installs anything: Living-off-the-land attacks

Published Jun 23, 2026 by Xiph

Picture the moment after a security scare. The IT team runs a full antivirus sweep, checks the endpoint console, and reports back: no malware found. Everyone exhales. The trouble is that the most patient attackers operating today never give your antivirus anything to find. They do not deploy malware at all. They log in with stolen credentials, then quietly use the same administration tools your own IT staff rely on every day. The technique is called living off the land, and it is the reason “we scanned and found nothing” can be one of the most misleading sentences in cyber security.


What is a living-off-the-land attack?

A living-off-the-land (LOTL) attack is an intrusion carried out almost entirely with the legitimate software already installed on your systems. Instead of smuggling in malicious programs, the attacker gains access — usually with valid credentials stolen through phishing or social engineering, bought from a criminal marketplace, or harvested from a compromised internet-facing device — and then lives off what the environment provides: PowerShell, Windows Management Instrumentation (WMI), remote desktop, scheduled tasks, and the everyday command-line utilities that keep a network running. Researchers call these tools LOLBins — living-off-the-land binaries.

The crucial point is that none of these tools is malicious. They are signed, trusted components of the operating system, used thousands of times a day for perfectly legitimate work. The attack is not in the file; it is in who is running it, and why. These intruders do not break in. They log in.

Why your antivirus sees nothing

Traditional antivirus — and a good deal of modern endpoint protection — is built around one question: is this file bad? It hunts for known malware signatures, suspicious executables and code behaving the way malicious code behaves. That model still stops an enormous amount of commodity cybercrime, and you should absolutely keep it.

It is also precisely the model that living off the land is designed to defeat. When an attacker authenticates with a valid (stolen) account and uses PowerShell — a Microsoft tool, signed by Microsoft, present on every Windows machine — to map your network, there is no bad file to detect. The activity is indistinguishable from a system administrator doing their job, unless someone is watching behaviour: who logged in, from where, at what hour, and what they did next. A clean scan answers the question “is there malicious software on this machine?” It says nothing about the more important one: “is there a malicious person inside this network?”

Volt Typhoon: living off the land at nation-state scale

The marquee example of this tradecraft is Volt Typhoon, a Chinese state-sponsored group publicly exposed in May 2023, when Microsoft and cyber security agencies across the Five Eyes — the ASD’s Australian Cyber Security Centre among them — warned it had burrowed into critical infrastructure across the United States: communications, energy, transport and water utilities, with a notable cluster on the strategically important island of Guam.

What made the advisory remarkable was not the targeting but the method. Volt Typhoon deployed essentially no malware. The group typically entered through internet-facing devices such as routers, firewalls and VPN appliances, used stolen administrator credentials, and then worked hands-on-keyboard with built-in Windows tools. It copied the Active Directory credential database using ntdsutil — a utility Windows ships for legitimate directory maintenance — set up internal traffic relays with netsh, routed its connections through compromised home and small-office routers so they appeared to come from local addresses, and cleared event logs on the way out.

The follow-up was worse. In February 2024, a second joint advisory — again co-sealed by the ASD’s ACSC, alongside companion guidance on identifying and mitigating LOTL techniques — confirmed that Volt Typhoon had maintained undetected access inside some victim networks for at least five years. The assessment was blunt: this was not espionage but pre-positioning — establishing footholds in civilian infrastructure to enable disruptive or destructive attacks in the event of a major crisis or conflict. And the victims were not all giants. One small Massachusetts utility, Littleton Electric Light and Water, learned from an FBI phone call that the group had been inside its network for the better part of a year.

Why this matters in Australia

The ASD did not co-sign those advisories as a courtesy. Australian critical infrastructure — power, water, ports, telcos, hospitals — runs on the same Windows domains, the same edge appliances and the same remote-access tools as the American victims, and the ACSC explicitly urged Australian operators to hunt for the same tradecraft on their own networks.

The concern has not faded. The ASD’s Annual Cyber Threat Report 2024–25 noted that living-off-the-land tradecraft has persisted, and that catching the most sophisticated threats now requires defenders to understand the behavioural patterns of their own networks — not just scan for bad files. Critical infrastructure accounted for 13% of the incidents the ACSC responded to during the year, and the agency’s headline advice has hardened into two sobering words: assume compromise. Best-practice event logging tops its list of recommended actions, for a simple reason — you cannot hunt an intruder through logs you never kept.

There is a supply-chain sting here too. The 2024 advisory noted that some victims were smaller organisations with limited security capability that provide services to larger, critical ones. If your business supplies, supports or connects to critical infrastructure, you are in scope. Nor has the technique stayed exclusive: ransomware crews and ordinary cybercriminals have copied the homework, leaning on legitimate remote-management software and built-in utilities for the same reason the nation-states do. It works.

What LOTL activity actually looks like

Because there is no malware to find, the tells are behavioural — small wrongnesses inside otherwise normal activity:

  • A valid account logging in at 2am, from an unfamiliar location, or from a device it has never touched before

  • PowerShell or command-line activity from staff or machines that have no business running it

  • A copy of the Active Directory database being taken outside any scheduled maintenance window

  • New scheduled tasks, port proxies or remote-access tools that nobody remembers creating

  • Event logs that have been cleared — the absence of evidence treated as evidence
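The tells in that list can be turned into detection logic that runs over process-creation, scheduled-task and log-clear events. The following is an added example, not code from the original post or from any vendor: it takes constructed records in the shape a SIEM would extract from Windows Security events (4688 process creation, 4698 scheduled task created, 1102 audit log cleared) and flags the behaviours above. The account names, host names, maintenance window and allow-lists are assumptions standing in for an organisation's own inventory and change records.

```python
"""Rule-based detection of living-off-the-land tells in Windows event records.

Added example, not code from the original post. The records below are
constructed to look like fields a SIEM extracts from Windows Security events:
4688 process creation, 4698 scheduled task created, 1102 audit log cleared.
Hosts, accounts, paths and timestamps are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed environment knowledge. A real deployment pulls these from an asset
# inventory and change-management system rather than hard-coding them.
ADMIN_ACCOUNTS = {"CORP\\admin.kl", "CORP\\admin.rp"}            # allowed to run PowerShell
ADMIN_HOSTS = {"WS-IT03", "DC01"}                                 # machines expected to run it
KNOWN_TASKS = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}   # tasks change control knows about
MAINTENANCE_DAY, MAINTENANCE_HOURS = 6, range(1, 5)               # Sunday 01:00-04:59: AD backups run here


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def in_maintenance_window(ts: str) -> bool:
    """True when the ISO timestamp falls inside the scheduled maintenance window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() == MAINTENANCE_DAY and t.hour in MAINTENANCE_HOURS


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Apply the LOTL tells to a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        host, user = ev["host"], ev["user"]
        if ev["id"] == 4688:
            exe = basename(ev["image"])
            cmd = ev.get("cmdline", "").lower()
            # AD database copied with ntdsutil's IFM mode outside the backup window
            if exe == "ntdsutil.exe" and "ifm" in cmd and not in_maintenance_window(ev["time"]):
                findings.append(Finding("ntds_copy_outside_window", host, user, cmd))
            # netsh port proxy: an internal traffic relay nobody should be creating ad hoc
            elif exe == "netsh.exe" and "portproxy" in cmd:
                findings.append(Finding("netsh_portproxy", host, user, cmd))
            # PowerShell from an account or a machine with no business running it
            elif exe in ("powershell.exe", "pwsh.exe") and (
                user not in ADMIN_ACCOUNTS or host not in ADMIN_HOSTS
            ):
                findings.append(Finding("powershell_unexpected_context", host, user, cmd))
        elif ev["id"] == 4698 and ev["task_name"] not in KNOWN_TASKS:
            findings.append(Finding("scheduled_task_unknown", host, user, ev["task_name"]))
        elif ev["id"] == 1102:
            # A cleared audit log: the absence of evidence treated as evidence
            findings.append(Finding("audit_log_cleared", host, user, "Security log cleared"))
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events: a Saturday-night intrusion mixed with ordinary admin work.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\ad" q q',
     "time": "2024-03-02T02:14:09"},                               # Saturday 02:14: outside window
    {"id": 4688, "host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full D:\\Backups\\ad" q q',
     "time": "2024-03-03T02:00:00"},                               # Sunday 02:00: scheduled backup
    {"id": 4688, "host": "WS-RECEPTION", "user": "CORP\\jdoe", "image": PS,
     "cmdline": "powershell.exe Get-ADComputer -Filter *", "time": "2024-03-02T02:16:40"},
    {"id": 4688, "host": "WS-IT03", "user": "CORP\\admin.kl", "image": PS,
     "cmdline": "powershell.exe Get-Service", "time": "2024-03-01T10:12:00"},
    {"id": 4688, "host": "FS02", "user": "CORP\\admin.kl", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.7 connectport=8443",
     "time": "2024-03-02T02:31:55"},
    {"id": 4698, "host": "FS02", "user": "CORP\\admin.kl",
     "task_name": "\\Microsoft\\Windows\\Update\\SvcUpdate", "time": "2024-03-02T02:33:10"},
    {"id": 4698, "host": "WS-IT03", "user": "CORP\\admin.kl",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "time": "2024-03-01T10:15:00"},
    {"id": 1102, "host": "DC01", "user": "CORP\\svc_backup", "time": "2024-03-02T02:40:02"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.host:14} {f.user:18} {f.detail}")
```

Three of the eight constructed events are ordinary administration (a Sunday backup, an IT workstation running PowerShell, a defrag task) and produce nothing; the other five each trip a rule. The maintenance window and the allow-lists are what separate them, which is the practical point: these rules are only as good as the organisation's knowledge of its own normal.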


Watching behaviour, not just files

You cannot block a tool your own administrators need, and you cannot signature-match an attack that has no malware. The defensive goal shifts from spotting bad files to noticing bad behaviour — and that is achievable for an ordinary Australian business.

  • Log everything that matters, and keep it. Centralised event logging is the foundation of LOTL detection, which is why the ASD puts it first. Volt Typhoon sat inside networks for five years; a 30-day retention policy hands an intruder like that a very quiet life.

  • Baseline what normal looks like. You cannot spot unusual behaviour without knowing what usual is. Cyber security analytics and user behaviour monitoring flag the anomalies — the odd login hour, the first-time use of an admin tool — that signature scanning never will.

  • Treat identity as the perimeter. Stolen credentials are the front door, so guard them: phishing-resistant multi-factor authentication, least privilege, and close scrutiny of administrator and service accounts.

  • Make the land harder to live off. Application control, restricting PowerShell to those who genuinely need it, and disabling unused utilities — core Essential Eight territory — shrink the toolkit an intruder inherits. Our system hardening guide covers the fundamentals.

  • Watch the edge. Volt Typhoon’s way in was internet-facing devices. Routers, firewalls and VPN appliances deserve the same patching urgency as servers — and as our recent piece on zero-days explains, the window between disclosure and exploitation keeps shrinking.

  • Hunt, don’t just wait for alerts. Assume compromise and go looking. Proactive threat hunting through your own logs, with strong network security visibility underneath it, is the discipline that finds the five-year intruders.
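The first tell in the earlier list (a valid account at an odd hour or from an unfamiliar device) and the "baseline what normal looks like" step above are two halves of one mechanism. The following added example, not code from the original post or from any product, learns a per-account baseline of logon hours and source hosts from a window of historical logon records (in the shape of Windows event 4624 fields) and then scores new logons against it. The accounts, hosts and timestamps are constructed; the one-hour tolerance and the five-event minimum are assumptions a real deployment would tune.

```python
"""Per-account logon baselining to surface 'valid account, wrong context' logons.

Added example, not code from the original post. All accounts, hosts and
timestamps below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Baseline:
    hours: set = field(default_factory=set)    # hours of day the account has logged on at
    sources: set = field(default_factory=set)  # workstations / addresses it has logged on from
    count: int = 0


def build_baseline(history, min_events=5):
    """Learn what is normal for each account from historical logon records.

    Accounts with fewer than min_events records are not baselined: an account
    we know nothing about is a gap in coverage, not an anomaly.
    """
    baselines = defaultdict(Baseline)
    for ev in history:
        b = baselines[ev["user"]]
        b.hours.add(datetime.fromisoformat(ev["time"]).hour)
        b.sources.add(ev["source"])
        b.count += 1
    return {u: b for u, b in baselines.items() if b.count >= min_events}


def near_usual_hour(hour, usual_hours):
    """One hour either side of a seen hour counts as usual (with midnight wraparound)."""
    return any((hour - h) % 24 in (0, 1, 23) for h in usual_hours)


def score_logon(ev, baselines):
    """Return the reasons a logon is unusual for its account; an empty list means normal."""
    b = baselines.get(ev["user"])
    if b is None:
        return ["no_baseline_for_account"]  # first sighting: worth a look, not an alarm
    reasons = []
    if ev["source"] not in b.sources:
        reasons.append("first_seen_source")
    if not near_usual_hour(datetime.fromisoformat(ev["time"]).hour, b.hours):
        reasons.append("unusual_hour")
    return reasons


def triage(new_events, baselines):
    """Keep only the logons that have at least one reason to look twice."""
    return [(ev["user"], ev["source"], ev["time"], r)
            for ev in new_events if (r := score_logon(ev, baselines))]


def constructed_history():
    """Constructed sample: ten days of ordinary logons for two accounts."""
    events = []
    for day in range(1, 11):  # 2024-03-01 .. 2024-03-10
        for hour in (8, 13):
            events.append({"user": "CORP\\jdoe", "source": "WS-RECEPTION",
                           "time": f"2024-03-{day:02d}T{hour:02d}:05:00"})
        events.append({"user": "CORP\\admin.kl", "source": "WS-IT03",
                       "time": f"2024-03-{day:02d}T09:30:00"})
        events.append({"user": "CORP\\admin.kl", "source": "JUMP01",
                       "time": f"2024-03-{day:02d}T16:00:00"})
    return events


# Constructed new logons to score against the learned baseline.
NEW_LOGONS = [
    {"user": "CORP\\jdoe", "source": "WS-RECEPTION", "time": "2024-03-12T08:10:00"},   # normal
    {"user": "CORP\\jdoe", "source": "WS-RECEPTION", "time": "2024-03-12T09:00:00"},   # within tolerance
    {"user": "CORP\\admin.kl", "source": "VPN-POOL-17", "time": "2024-03-12T02:13:00"},  # 2am, new source
    {"user": "CORP\\svc_newacct", "source": "DC01", "time": "2024-03-12T11:00:00"},     # never seen
]

if __name__ == "__main__":
    baselines = build_baseline(constructed_history())
    for user, source, time, reasons in triage(NEW_LOGONS, baselines):
        print(f"{time}  {user:20} from {source:14} {', '.join(reasons)}")
```

Two design choices matter more than the code. First, the baseline is built from retained history, so the retention point above is not abstract: with ten days of logs the baseline exists, with none it does not. Second, an account with no baseline is reported separately from an account behaving out of character, because conflating "new" with "suspicious" is how analysts end up ignoring the queue.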

A final word

“No malware found” answers yesterday’s question. The attackers most worth worrying about — and the ASD’s advisories could not be clearer on this — have moved to a model where the only thing separating them from your own administrators is behaviour. The honest test of your security posture is no longer whether a scan comes back clean. It is whether anyone would notice a legitimate account doing illegitimate things on a Tuesday night.

For many businesses the candid answer is no — not for lack of care, but because nobody is watching around the clock, and these attacks are built to be missed by anyone who isn’t. That is a solvable problem. If you would like help building the visibility to catch the intruder who never installs anything, learn more about our managed SOC services, or get in touch at enquiries@xiphcyber.com.
