Close Menu
    Cybersecurity

    Detecting Living-off-the-Land Attacks in OT Networks

    InfoForTechBy No Comments18 Mins Read
    Detecting Living-off-the-Land Attacks in OT Networks


    Key Takeaways



    • LOTL attacks use trusted tools like PowerShell, WMI, and RDP, making malicious activity appear identical to normal administrative behavior inside OT networks.


    • OT environments are especially vulnerable due to legacy systems, limited logging, and inherited IT/OT trust relationships.


    • Signature-based tools fail because LOTL introduces no malware, only misuse of legitimate capabilities.


    • Detection requires behavioral baselines, passive OT monitoring, deep session inspection, and ICS-specific threat intelligence.


    • Without comprehensive OT visibility, dwell time expands dramatically, increasing operational and safety risk.

    The most dangerous attacker inside your OT network right now may not have brought a single piece of malware with them. They’re using your own tools. Your own administrative credentials. Your own scheduled tasks and remote management utilities to execute malicious commands, move laterally, and quietly pre-position for a future disruption.

    This is living-off-the-land (LOTL), the dominant attack technique in critical infrastructure targeting today. And it’s the reason traditional security measures keep failing the organizations that need protection most.

    What Does “Living Off the Land” Mean in Cybersecurity, and Why Does It Matter?

    Living off the land (LOTL) refers to a cyberattack strategy where threat actors use legitimate, pre-installed tools already present on a target system rather than deploying external malware. Common examples include PowerShell, Windows Management Instrumentation (WMI), scheduled tasks, and native remote management utilities.

    The concept is borrowed directly from military doctrine: survive and operate using only what the environment provides. In cybersecurity, that environment is your own operating system, your own administrative toolset, and in OT contexts, your own industrial control software.

    LOTL is relevant in modern cyber attacks for one core reason: it defeats the foundational logic of traditional security. Most security tools look for something foreign, an unknown file, a known-bad hash, a suspicious executable. LOTL attacks introduce nothing foreign. Every tool used is already trusted. Every action taken mirrors legitimate administrative activity. The attack is, by design, indistinguishable from normal operations using conventional detection methods.

    This is why LOTL has become the technique of choice for the most capable threat actors in the world, from nation-state groups like Volt Typhoon targeting U.S. critical infrastructure, to ransomware operators seeking to move laterally without triggering alerts. It doesn’t require sophisticated malware. It requires knowledge of the target environment and patience.


    21.5%

    of industrial organizations experienced a cyber incident in the past year



    40%

    of those incidents caused operational disruption to physical processes



    46%

    of OT assessments found adequate network monitoring deployed



    5 yrs

    Volt Typhoon maintained undetected access to U.S. critical infrastructure using only LOTL tools

    Real-Time Insight, Real-Time Prevention with Fidelis Network



    • Block attacks before damage occurs


    • Prevent lateral movement inside your network


    • Reduce false positives & alert fatigue



    Download the Whitepaper to Explore More!

    Prevention Capabilities of Fidelis Network

    What Is a Living-off-the-Land (LOTL) Attack?

    In cybersecurity, living off the land describes attacks where adversaries rely entirely on legitimate tools already present in the target environment rather than introducing external malicious executables. Instead of deploying custom malware, they weaponize built-in system tools like PowerShell, Windows Management Instrumentation (WMI), remote management utilities, and standard engineering software.

    The name comes from a military foraging concept: live off what the terrain provides. In cyber terms, the “terrain” is your operating system, your admin toolset, and your industrial control software. LOTL techniques let threat actors execute malicious code, escalate privileges, maintain persistence, and move laterally, all while looking exactly like normal system operations.

    For IT environments, LOTL is a well-documented threat. In OT environments such as power grids, water treatment, oil pipelines, manufacturing floors, it becomes an entirely different category of risk. Disruption here isn’t a data breach. It’s a grid outage, a plant shutdown, or a safety incident.

    Why LOTL work against traditional security controls?

    Antivirus software and signature-based tools look for known malicious code. LOTL attacks introduce no new code. When PowerShell executes an encoded command, it’s doing exactly what PowerShell is supposed to do. There’s no signature to detect because there’s no malware to find.

    Why OT Networks Are Uniquely Vulnerable to LOTL Techniques

    OT environments were never designed with adversarial actors in mind. They were built for reliability, not security. They runn on proprietary protocols and legacy hardware in facilities that were historically isolated from external networks.

    IT/OT convergence changed that. The same network carrying SCADA commands to a substation may also connect to a corporate IT environment running Windows, Active Directory, and remote access tools. That’s operationally necessary. It also opens a direct path for attackers who know how to use legitimate administrative tools to blend into normal operations.

    Several structural factors make detection especially difficult in OT settings:

    Challenge Why it matters in OT Risk Level
    Legacy assets Many PLCs and field devices run outdated firmware and unsupported operating systems with no capacity for endpoint detection agents Critical
    Limited logging OT assets often lack the logging capability of IT systems, leaving no forensic trail for incident investigation Critical
    IT/OT trust relationships Once inside the IT network, attackers inherit trusted relationships that carry them into the OT layer without needing further exploits Critical
    Scan-intolerant devices Active discovery tools used safely in IT environments can disrupt industrial processes if applied to OT networks High
    Low threat intel adoption Only 21% of organizations deployed intelligence integration capabilities in 2025, per the SANS ICS survey High
    Visibility gaps at lower Purdue levels Only 12.6% of organizations reported full ICS Cyber Kill Chain visibility; the gaps are largest near PLCs and process equipment Critical

    How Real Threat Groups Are Using LOTL to Target Critical Infrastructure Right Now

    LOTL attacks have moved from an advanced nation-state technique to the dominant methodology across both criminal and state-sponsored actors. The clearest example came in February 2024, when CISA, the NSA, and the FBI, alongside Five Eyes partners, issued a joint advisory confirming that PRC state-sponsored group Volt Typhoon had compromised U.S. energy, water, communications, and transportation infrastructure using exclusively LOTL techniques, maintaining access for up to five years undetected.

    Their toolkit: native utilities like wmic, ntdsutil, netsh, and PowerShell. Valid administrator credentials for lateral movement via RDP. No custom malware. The goal was not immediate disruption. It was pre-positioning for future destructive effects in the event of geopolitical conflict.

    The Dragos 2026 OT/ICS Cybersecurity Year in Review (released February 17, 2026) confirms this trajectory continues to escalate. Dragos now tracks 26 active threat groups worldwide, with three newly discovered groups emerging in 2025 alone.

    Threat Group LOTL / OT TTPs Targeted Sectors Stage
    VOLTZITE (overlaps Volt Typhoon) Compromised Sierra Wireless cellular gateways to access U.S. midstream pipeline operations; pivoted to engineering workstations; used LOTL to extract config files and investigate process shutdown conditions U.S. energy, pipelines, telecoms Stage 2
    KAMACITE Systematically mapped control loops across U.S. infrastructure throughout 2025; scanning HMIs, variable frequency drives, metering modules, and cellular gateways to understand process-level operations U.S. electric, water, manufacturing Stage 2
    SYLVANITE Operates as an initial access broker; exploited Ivanti vulnerabilities and extracted Active Directory credentials at U.S. electric and water utilities; hands footholds directly to VOLTZITE U.S. electric, water utilities Stage 1
    AZURITE Targets OT engineering workstations to exfiltrate network diagrams, alarm data, and process information, building capability for future destructive operations Manufacturing, defense, oil & gas, electric Stage 2
    ELECTRUM Targeted distributed energy systems in Poland with deliberate attempts to affect operational assets; expanded operations into Europe in 2025 European energy sector Stage 2

    How a LOTL Attack Moves Through an OT Environment



    • Initial Access: IT Network Entry

      Attacker gains a foothold via phishing, exploiting an internet-facing VPN or remote access tool, or through a compromised third-party vendor. No custom malware is used. Only standard exploitation of a known vulnerability.


      Ivanti / VPN exploit → valid credential



    • Credential Harvesting: Using Native Tools

      Using built-in system tools, the attacker extracts password hashes and Active Directory credentials. No external malicious executables are introduced. Only native system utilities that are already trusted by every security layer.

      vssadmin → NTDS.dit → credential hashes



    • Lateral Movement: Blending Into Admin Traffic

      Using stolen credentials and legitimate remote management protocols, the attacker moves laterally through IT systems toward the IT/OT boundary. Traffic looks identical to legitimate administrative tasks performed by your own engineers.

      RDP · WMI remote execution · PsExec



    • OT Pivot: Crossing Into the Control Network

      Exploiting trusted IT/OT relationships, the attacker pivots into SCADA systems, engineering workstations, and HMIs. Access is authorized by inherited credentials. No exploit of OT-specific vulnerabilities is needed.

      Sierra Wireless gateways · OT engineering software



    • Reconnaissance: Mapping Control Loops

      The attacker uses standard engineering software and legitimate administrative tools to read configuration files, alarm data, and process setpoints. The goal: understand how the physical process works and where to induce a shutdown or safety incident.


      HMI access · config file extraction · alarm data review



    • Persistence: No Malware, No Trace

      Persistence is maintained through scheduled tasks, WMI subscriptions, or modified startup scripts. All use legitimate system mechanisms. Logs are cleared using built-in log-management tools. The attacker can remain for months or years.

      schtasks · wevtutil cl · WMI subscriptions

    The Six LOTL Techniques Most Commonly Used Against OT Environments

    Understanding what these attacks look like at a technical level is prerequisite to detecting them. Each technique below is a legitimate capability of your operating systems, which is exactly why traditional antivirus software and legacy security tools miss them entirely.

    Technique Tool / Mechanism What the Attacker Does Why It Evades Detection
    Encoded command execution PowerShell -EncodedCommand Executes malicious scripts and remote commands with payloads encoded in Base64, preventing string-based detection rules from triggering PowerShell executing encoded commands is a valid, common administrative function. No signature exists for the encoding itself.
    Remote execution via WMI wmic process call create Executes commands remotely on other systems inside the OT network without deploying traditional malware or touching the disk on the target WMI activity is indistinguishable from normal system operations to legacy security tools and antivirus software
    Persistence via scheduled tasks schtasks /create Creates tasks that re-invoke malicious PowerShell commands after reboots, ensuring persistence without any new files being written Scheduled tasks are used extensively for legitimate administrative tasks, blending in with dozens of existing tasks
    Credential harvesting vssadmin / ntdsutil Accesses the Active Directory database (NTDS.dit) via Volume Shadow Copy to extract password hashes without triggering AV. This method was used by Volt Typhoon Both tools are legitimate administrative tools with valid business purposes; their misuse is behaviorally identical to authorized use
    Fileless malware execution PowerShell / WMI / .NET CLR Executes malicious payloads entirely in memory without writing files to disk, thereby evading file-based detection and forensic recovery No file is created, so file-scanning antivirus solutions have nothing to detect; traditional security controls are structurally blind to fileless malware
    Log tampering to cover tracks wevtutil cl / Clear-EventLog Deletes Windows event logs to erase evidence of lateral movement, command execution, and logon events. This technique was used systematically by VOLTZITE and Volt Typhoon Log clearing uses the same native tools used by administrators; the act of clearing is itself a native system operation

    Why Traditional Security Tools Cannot Detect LOTL in OT Environments

    The detection gap is structural, not just technical. Traditional antivirus solutions and legacy security tools were built on a fundamental assumption: malicious activity introduces something new. An unknown binary. A known-bad hash. A suspicious domain in DNS. Remove that assumption, and the entire detection model collapses.

    LOTL attacks are specifically designed to violate that assumption. When PowerShell executes a command, it is doing exactly what PowerShell is supposed to do. The command can be encoded, obfuscated, or layered in legitimate-looking parameters and still leave no artifact that a signature-based tool can match.

    How Living-off-the-Land Techniques Specifically Evade Detection

    LOTL techniques evade detection through three overlapping mechanisms.

    1. First, they produce no new files. Fileless execution in memory means file-scanning antivirus solutions have nothing to analyze.
    2. Second, every tool involved is already whitelisted. PowerShell, WMI, and scheduled tasks are trusted by every security layer in the environment by default.
    3. Third, the behavioral footprint is nearly identical to legitimate administrative activity. An encoded PowerShell command run by an attacker looks the same to a traditional security tool as one run by your own IT team. Signature-based detection fails on all three counts because it was designed to find foreign objects, not identify malicious intent behind trusted actions.

    Traditional Security Measures: What They See Behavioral Detection: What It Sees
    PowerShell running — normal ✓ PowerShell never ran on this host before → alert
    WMI activity — normal ✓ WMI executing remote process at 2 AM → anomaly
    Scheduled task created — normal ✓ Scheduled task invoking encoded command → alert
    Admin credential used — normal ✓ Admin credential used outside business hours → flag
    RDP session opened — normal ✓ RDP from IT into OT segment → suspicious
    No malware detected → no alert Log clearing after lateral movement → high-confidence IOC

    In OT environments, the gap is amplified by the fact that only 46% of assessments found adequate OT network monitoring deployed, per the Dragos 2026 report. Organizations lacking comprehensive visibility saw an average dwell time of 42 days for OT ransomware, compared to just 5 days for organizations with mature monitoring. That 37-day gap is the direct operational cost of blind spots in OT environments.

    How to Detect Living-off-the-Land Attacks in OT Networks: 5 Proven Strategies

    Detection requires a fundamentally different philosophy from traditional malware hunting. You are not looking for known-bad signatures. You are looking for anomalous patterns in otherwise legitimate behavior. The following strategies are supported by the current evidence base from SANS, CISA, and Dragos incident response cases.

    1. Establish Behavioral Baselines for Every Host in the Environment

    If PowerShell has never run on a specific engineering workstation before, a single encoded PowerShell command becomes a high-confidence indicator, even though nothing about that command is technically malicious. Behavioral baselines turn normal context into a detection mechanism. Without them, there is nothing to compare anomalous activity against.

    2. Deploy Passive Network Monitoring Tuned to OT Protocols

    In environments where endpoint agents cannot be installed on legacy PLCs and HMIs, network-based detection becomes the primary visibility layer. Passively monitoring industrial protocols such as Modbus/TCP, DNP3, IEC 61850, EtherNet/IP can surface unexpected command sequences, unauthorized device interactions, and lateral movement patterns that have no signature, but are inconsistent with normal system operations.

    3. Apply Deep Packet Inspection to Industrial Protocol Traffic

    Standard firewalls pass industrial protocol traffic without inspecting its content. Deep packet inspection that understands ICS-specific protocols can identify malicious payloads embedded inside otherwise legitimate communications. This technique allows attackers to embed malicious code within standard protocol frames in a way that perimeter tools never see.

    4. Integrate ICS-Specific Threat Intelligence

    Generic threat feeds don’t surface Volt Typhoon’s specific LOTL tradecraft. Understanding how VOLTZITE, KAMACITE, and similar groups operate in OT environments requires intelligence that maps to ICS adversary TTPs, not just IP blocklists and domain reputation scores. The SANS 2025 ICS survey confirmed that organizations using ICS-specific threat intelligence were significantly more likely to adjust defensive priorities and accelerate segmentation projects. Yet only 21% of organizations had deployed such capabilities by the end of 2025.

    5. Enforce and Audit Network Segmentation at the IT/OT Boundary

    Segmentation doesn’t prevent LOTL attacks, but it limits their blast radius. If an attacker using legitimate administrative tools in the IT environment cannot directly reach OT network segments, the lateral movement path to PLCs, HMIs, and SCADA systems is blocked. The important word is “enforce.” Having a firewall policy is not the same as having effective segmentation. Regular audits confirming that the boundary is actually enforced are a prerequisite for this control to work.

    Common Living-off-the-Land Attack Methods and How to Defend Against Each One

    The most effective way to build defenses is to pair each attack method directly with the control that counters it. Here’s how the most frequently observed LOTL techniques map to specific defensive actions organizations should prioritize:

    LOTL Attack Method How Attackers Use It Defensive Control
    PowerShell encoded commands Execute malicious scripts in memory using Base64 encoding to bypass string-based detection rules Enable PowerShell script block logging and constrained language mode; alert on encoded command usage from non-administrative hosts
    WMI remote execution Run commands on remote systems inside the network without writing files to disk, making the action invisible to file-based security tools Monitor WMI activity at the network layer; baseline which systems legitimately use WMI and alert on any deviations from that baseline
    Scheduled tasks for persistence Re-invoke malicious commands after system reboots without deploying any new executables to maintain long-term access Audit scheduled task creation events (Windows Event ID 4698); alert on tasks that invoke PowerShell or contain encoded command strings
    Credential harvesting via vssadmin / ntdsutil Extract Active Directory password hashes from NTDS.dit using Volume Shadow Copies. This is the exact method used by Volt Typhoon Monitor vssadmin and ntdsutil usage closely; restrict access to VSS on domain controllers; alert on NTDS.dit access outside scheduled backup windows
    Fileless malware execution Execute malicious payloads entirely in RAM, leaving no file on disk for antivirus software or forensic tools to find Deploy memory-based behavioral detection; monitor for process injection and unusual parent-child process relationships in real time
    Log clearing with wevtutil Erase Windows event logs to destroy evidence of lateral movement, command execution, and logon events after the fact Forward logs in real time to a centralized SIEM so local deletion cannot erase the record; configure immediate alerts on log-clearing events
    RDP lateral movement with valid credentials Move between systems using stolen but technically legitimate credentials that bypass access controls without triggering alerts Enforce MFA on all RDP connections; baseline normal RDP usage patterns and alert on off-hours or cross-segment connections

    OT LOTL Detection Readiness Checklist



    • Behavioral baselines exist for all engineering workstations and IT/OT boundary systems so that first-time PowerShell execution or unexpected WMI activity generates an alert, not silence


    • Passive OT network monitoring covers all Purdue levels, including Levels 0–2 where SANS 2025 data shows visibility collapses and consequences are most severe


    • Deep session inspection is deployed on IT/OT boundary traffic by inspecting the content and context of communications, not just their headers and ports


    • ICS-specific threat intelligence is operationalized with TTPs from groups like VOLTZITE and KAMACITE mapped to detection rules in your environment


    • Segmentation at the IT/OT boundary is actively enforced and audited, not just documented in a firewall policy that hasn’t been tested


    • Logs from IT/OT boundary systems are centralized and retained. CISA’s Volt Typhoon advisory specifically flags application event logs as a critical hunting resource


    • Incident response procedures include OT-specific recovery playbooks and involve field engineers, not just security analysts, in tabletop exercises

    How Fidelis Security Detects LOTL Threats in OT Environments

    Detecting attacks designed to evade signatures requires network-native depth beyond endpoint agents, firewalls, or IT-centric SIEM. Fidelis Network® and Fidelis Elevate® XDR deliver passive visibility for OT, surfacing LOTL in trusted processes without disrupting operations.

    Fidelis Network® uses patented Deep Session Inspection® (DSI) across all ports/protocols including IT and OT traffic, to reassemble full bidirectional sessions and decode content like encoded PowerShell, surpassing DPI limits. This reveals hidden LOTL patterns:

    LOTL Indicator How Fidelis Surfaces It
    Encoded PowerShell executing commands DSI decodes Base64 payloads in real-time sessions, behavioral matching
    WMI-based remote execution Network-layer protocol analysis flags remote commands bypassing EDR
    IT→OT lateral movement Anomaly detection vs. baselines + OT asset integration
    Credential abuse patterns Telemetry + threat intel correlation on valid auth events
    Industrial protocol anomalies DSI decoding detects anomalies in Modbus/TCP, DNP3, IEC 61850 traffic

    Fidelis Elevate® correlates DSI with endpoint data, ICS threat intel, and OT discovery (e.g., Forescout integration) for Purdue-complete coverage, turning admin tools into alerts.

    See How Fidelis Detects LOTL in Your OT Environment

    Get a customized walkthrough of how Fidelis Network® surfaces living-off-the-land attack patterns across IT/OT boundaries without disrupting operational processes.



    Request a Demo

    Key Takeaways: What Security Teams Should Do in 2026

    The Dragos 2026 report makes the trajectory clear: adversaries have moved from pre-positioning to actively mapping control loops across U.S. critical infrastructure. The groups doing this work, VOLTZITE, KAMACITE, SYLVANITE, AZURITE, are using legitimate system tools and trusted access paths because those paths work. They evade detection systems. They allow threat actors to persist for months without triggering a single alert.

    The path forward requires three foundational capabilities working together:

    The path forward requires three foundational capabilities working together:

    Visibility into the OT network itself. Not just the IT/OT boundary, but into the industrial protocols, engineering workstations, and HMIs where LOTL techniques play out at the process level. Only 46% of OT assessments found adequate monitoring deployed. That is the starting gap.

    Behavioral baselines and anomaly detection calibrated to what is normal in your specific environment. Legitimate tool usage in illegitimate contexts generates the alert it should. Without a baseline, there is no detection. There is only silence.

    ICS-specific threat intelligence that maps to adversary TTPs. Generic feeds don’t surface how VOLTZITE hands off access to KAMACITE, or how SYLVANITE extracts Active Directory credentials and passes footholds to deeper OT operators. Understanding these ecosystems is how defenders get ahead of them.

    LOTL techniques work because defenders watch for malware while attackers use administrative tools. Organizations with comprehensive OT visibility contained incidents in an average of five days. Those without took 42 days. That 37-day window is where operational disruptions, safety incidents, and physical consequences occur. Closing it is the defining security challenge of 2026.

    The post Detecting Living-off-the-Land Attacks in OT Networks appeared first on Fidelis Security.

    Share.

    Related Posts

    Leave A Reply