In the ever-evolving landscape of cybersecurity, attackers are increasingly adopting a “less is more” approach. Instead of deploying sophisticated, custom-built malware, they are turning to the very tools that keep your systems running. A recent analysis has shed light on this alarming trend, and the findings are a wake-up call for organizations across North America.
A startling report based on the analysis of 700,000 security incidents has revealed that 84% of high-severity cyberattacks now involve the use of legitimate, built-in system tools. This “Living off the Land” (LOTL) tactic allows cybercriminals to fly under the radar of conventional security solutions, making their malicious activities nearly indistinguishable from benign administrative tasks.
The Unsuspecting Culprits
The report highlights a few key Windows utilities that have become favorites among cybercriminals:
- Netsh.exe: This command-line utility for network configuration has been identified as the most abused tool, present in a staggering one-third of major attacks. Its ability to manipulate network settings, including firewall rules, makes it a powerful instrument for attackers to create backdoors and exfiltrate data.
- PowerShell: A versatile and powerful scripting language, PowerShell has long been a double-edged sword. While indispensable for system administrators, it was found running on 73% of endpoints, a clear indicator of its widespread abuse by attackers for automating malicious scripts and commands.
- WMIC.exe: Despite being officially deprecated by Microsoft, the Windows Management Instrumentation Command-line tool is making a resurgence in the cybercriminal’s toolkit. Its ability to gather system information makes it a valuable reconnaissance tool for attackers, and its legitimate appearance often allows it to go unnoticed.
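As an added example that is not part of the original post, the following Python script shows the kind of command-line heuristics a defender can run over process-creation telemetry to flag the three utilities above. The event records are constructed samples, and the rule names, field names and Office-parent list are assumptions for illustration, not a vendor's schema.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=Updater dir=in action=allow protocol=TCP localport=8443"},
    {"host": "ws01", "parent": "winword.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"},
    {"host": "srv02", "parent": "cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:srv03 os get caption,version"},
    {"host": "ws07", "parent": "explorer.exe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
]

# Rule tuples: (assumed rule name, image pattern, command-line pattern). Both patterns must match.
RULES = [
    # netsh adding, changing or removing firewall rules (advfirewall and legacy syntax)
    ("netsh_firewall_rule_change", r"\\netsh\.exe$",
     r"\bfirewall\s+(add|set|delete)\s+(rule|portopening|allowedprogram)\b"),
    # PowerShell launched with an encoded command or a hidden window
    ("powershell_encoded_or_hidden", r"\\(powershell|pwsh)\.exe$",
     r"(^|\s)-(e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b"),
    # WMIC is deprecated, so any execution is worth a look; remote queries even more so
    ("wmic_deprecated_tool", r"\\wmic\.exe$", r"."),
    ("wmic_remote_node", r"\\wmic\.exe$", r"/node:"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def classify(event):
    """Return the rule names a record matches; an empty list means nothing flagged."""
    hits = [name for name, img_re, cmd_re in RULES
            if re.search(img_re, event["image"], re.I)
            and re.search(cmd_re, event["cmdline"], re.I)]
    # A flagged tool spawned by an Office application raises the priority of the hit.
    if hits and event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")
    return hits


def scan(events):
    """Return (host, rule names) for every record that triggered at least one rule."""
    flagged = []
    for e in events:
        hits = classify(e)
        if hits:
            flagged.append((e["host"], hits))
    return flagged


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

In a real deployment these fields would come from Sysmon or Security log 4688 events, and the netsh and WMIC rules would be tuned against a baseline of hosts where administrators legitimately use them.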
The Impact on North American Organizations
For businesses in North America, this trend is particularly concerning. The region is a prime target for cyberattacks due to its economic significance and high level of digitalization. The use of LOTL tactics poses a unique set of challenges:
- Bypassing Traditional Defenses: Many organizations rely on security solutions that are designed to detect known malware signatures. LOTL attacks, by their very nature, do not involve malicious files, rendering these traditional defenses ineffective.
- Increased Dwell Time: Because they are using legitimate tools, attackers can remain undetected within a network for longer periods. This extended “dwell time” gives them ample opportunity to move laterally, escalate privileges, and achieve their objectives, whether it’s data theft, espionage, or ransomware deployment.
- Difficulty in Attribution: The use of common system tools makes it challenging for security teams to distinguish between legitimate and malicious activity. This complicates incident response and forensic analysis, making it harder to determine the source and extent of a breach.
How Mjolnir Security Can Help
The rise of LOTL attacks necessitates a paradigm shift in how we approach cybersecurity. At Mjolnir Security, we understand that simply blocking tools is not the answer. A more nuanced, behavior-based approach is required. Here’s how we can help your organization stay ahead of these evolving threats:
- Advanced Threat Detection: Our security solutions go beyond traditional signature-based detection. We employ advanced behavioral analysis and machine learning algorithms to identify and flag suspicious activities, even when they are carried out using legitimate tools.
- Proactive Threat Hunting: Our team of seasoned security experts proactively hunts for threats within your network. By understanding the latest attacker techniques, we can identify and neutralize LOTL attacks before they can cause significant damage.
- Endpoint Detection and Response (EDR): We provide robust EDR solutions that offer deep visibility into endpoint activity. This allows for the real-time detection of malicious behavior and a rapid, effective response to any security incidents.
- Security Posture Assessment: We conduct comprehensive assessments of your security posture to identify and remediate any weaknesses that could be exploited by LOTL attacks. This includes hardening your systems and ensuring that your security controls are properly configured.
In an era where the lines between friend and foe are increasingly blurred, a proactive and intelligent approach to security is paramount. Don’t let your own tools be turned against you. Contact Mjolnir Security today to learn how we can help you build a more resilient defense against the ever-present threat of cyberattacks.