Living Off the Land: How Attackers Use PowerShell, WMI, and Mshta Against You - Secure Link Solutions

System Security
admin, 9 April 2025

In the cat-and-mouse game of cybersecurity, attackers have grown smarter, stealthier, and more strategic. Rather than relying solely on custom malware, many now use a technique known as Living off the Land (LoTL)—abusing legitimate tools already built into operating systems. These native utilities, trusted and widely used by system administrators, can be manipulated to carry out malicious actions without immediately raising alarms.

Let’s take a closer look at three commonly exploited LoTL tools on Windows systems—PowerShell, Windows Management Instrumentation (WMI), and Mshta—and how organisations can better detect and mitigate their misuse.

PowerShell: A Legitimate Tool Turned Lethal

PowerShell is a powerful scripting environment baked into all modern versions of Windows. System administrators rely on it daily to automate tasks, manage configurations, and perform remote operations. Unfortunately, attackers do, too.

PowerShell is particularly attractive because it lets adversaries run sophisticated commands without writing or downloading traditional malware. They can use it to execute encoded or obfuscated commands, download and run payloads from remote hosts, spawn additional processes, and even reconfigure system settings. Because PowerShell ships with Windows and is used legitimately every day, malicious commands blend in seamlessly with normal activity.

From a detection standpoint, it is crucial to monitor PowerShell activity closely. Start by looking for the powershell.exe process and pay special attention to instances where it spawns child processes such as cmd.exe or rundll32.exe. Enabling PowerShell script block logging (which produces Event ID 4104) and process creation auditing with command-line logging (Event ID 4688) provides valuable visibility into suspicious behaviour.


WMI: The Silent System Admin

Windows Management Instrumentation (WMI) is another native Windows feature designed to let administrators manage systems locally or remotely. Its ability to configure settings, execute processes, and automate repetitive tasks makes it indispensable in IT—but also highly exploitable.

Cybercriminals use WMI to run malicious code without writing files to disk, making their activity harder to detect. It’s also a favourite tool for lateral movement across a network, allowing an attacker to execute code on remote machines by simply targeting their IP address or hostname.

Because WMI is frequently used for legitimate purposes, detecting misuse requires context. Unusual processes spawned by wmiprvse.exe (the WMI Provider Host, which becomes the parent of anything launched through WMI) or remote WMI commands that do not match normal administrative patterns are key red flags. Logging process creation events (Event ID 4688) or using Sysmon Event ID 1 can help surface this activity.

Mshta: Trusted Utility, Hidden Danger

Mshta.exe is a lesser-known Windows utility used to run Microsoft HTML Applications (HTA). While it serves a legitimate role in executing HTML-based scripts, attackers exploit its capabilities to proxy malicious code through a trusted, signed binary.

Mshta can execute inline VBScript or JScript directly from memory or embedded in HTML files. Adversaries often use it to load remote scripts or to execute payloads hidden in otherwise benign-looking files. It’s also capable of launching PowerShell commands, often making it a stepping stone in multi-stage attacks.

Detection efforts should focus on identifying mshta.exe spawning suspicious child processes such as powershell.exe. Logging command-line arguments and watching for the loading of scripting-related DLLs such as jscript9.dll can provide evidence of script execution. Because Mshta is rarely needed in most enterprise environments, any execution of it deserves scrutiny; it remains a powerful and often overlooked attack vector.


Mitigating and Detecting LoTL Abuse

Since these tools are legitimate, outright blocking them isn’t always an option. Instead, focus on enhancing visibility and restricting access where appropriate.

First, enable enhanced logging across your environment: PowerShell transcription, command-line logging, and audit logs for process creation. Tools such as Sysmon and EDR solutions can help correlate suspicious behaviours and reveal patterns that might otherwise go unnoticed.

Next, implement controls such as AppLocker or Windows Defender Application Control (WDAC) to restrict script execution or limit which users can run utilities like PowerShell or Mshta. Even partial restrictions can reduce the attack surface significantly.

Finally, establish a regular threat-hunting routine. Look for behavioural indicators, such as PowerShell with encoded commands, WMI used for unusual remote executions, or Mshta appearing in environments where it’s not typically needed.

Test It Yourself

Want to see what this looks like in action? Here are a few safe tests using Red Teaming commands to simulate attacker behaviour:

PowerShell Test:

Run this obfuscated command in PowerShell:

powershell.exe -e JgAgACgAZwBjAG0AIAAnAGkAZQB4ACcAKQAgACgAIgBXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBIAGUAbABsAG8ALAAgAGYAcgBvAG0AIABTAGUAYwB1AHIAZQAgAEwAaQBuAGsAIABTAG8AbAB1AHQAaQBvAG4AcwAhACcAIgApAA==

This will print a harmless message; the Base64 string is simply the UTF-16LE encoding of a Write-Host command. Attackers use the same technique to hide malicious commands: encoding the script makes it harder to detect and understand at a glance, and the decoded payload could just as easily download malware, steal data, or create a backdoor for ongoing access. Such obfuscation helps evade security measures and makes it challenging to identify the true intent of the script. Always be cautious with encoded commands, especially if they come from untrusted sources.

Mshta Test:

Run the following in Command Prompt:

mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!%20from%20Secure%20Link%20Solutions!;Start-Sleep%20-Seconds%205"""))</script>'"

This command uses the mshta.exe process to run a PowerShell command. mshta.exe is a legitimate Windows process used to execute HTA files, but attackers can exploit it in exactly this way to run malicious code.

WMI Test:

Simulate a remote execution using:

wmic /node:"127.0.0.1" process call create "calc.exe"

While this specific command is harmless and simply opens the Calculator, attackers can use similar WMIC commands to execute malicious programs or scripts remotely. (WMIC is deprecated and may be absent on current Windows builds, but the underlying WMI process-creation method remains available through other tooling.) This can be particularly dangerous because WMIC can run commands with administrative privileges, allowing attackers to:

  • Move laterally across a network to compromise other machines.
  • Install malware or ransomware.
  • Execute arbitrary commands to control the system.
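As an added example (not part of the original post), the following Python script applies the detection guidance from the PowerShell, WMI and Mshta sections to a handful of constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 data: it flags script hosts spawning children, decodes the UTF-16LE Base64 payload that -EncodedCommand carries (reusing the exact string from the PowerShell test above), and flags remote WMIC process creation. The record field names and sample events are assumptions.

```python
import base64
import re

# Constructed process-creation records (field names are an assumption), shaped
# like Sysmon Event ID 1 / Security 4688 data; record 0 reuses the post's test.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -e JgAgACgAZwBjAG0AIAAnAGkAZQB4ACcAKQAgACgAIgBXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBIAGUAbABsAG8ALAAgAGYAcgBvAG0AIABTAGUAYwB1AHIAZQAgAEwAaQBuAGsAIABTAG8AbAB1AHQAaQBvAG4AcwAhACcAIgApAA=="},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -Command Write-Host Hello"},
    {"parent": "wmiprvse.exe", "image": "calc.exe", "cmdline": "calc.exe"},
    {"parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:"127.0.0.1" process call create "calc.exe"'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]
# Script hosts that should rarely spawn children (wmiprvse.exe is the WMI Provider Host).
SCRIPT_HOSTS = {"mshta.exe", "wmiprvse.exe"}
SUSPECT_PS_CHILDREN = {"cmd.exe", "rundll32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the
# common spellings and capture the Base64 argument that follows.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        # The argument is Base64 over the UTF-16LE bytes of the script.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Apply the parent/child and command-line checks; return one alert per hit."""
    alerts = []
    for ev in events:
        parent, image, cmdline = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        if parent in SCRIPT_HOSTS:
            alerts.append(f"{parent} spawned {image}: {cmdline}")
        if parent == "powershell.exe" and image in SUSPECT_PS_CHILDREN:
            alerts.append(f"powershell.exe spawned {image}: {cmdline}")
        if image == "powershell.exe":
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                alerts.append(f"encoded PowerShell decodes to: {decoded}")
        if image == "wmic.exe" and "/node:" in cmdline.lower():
            alerts.append(f"remote WMIC process creation: {cmdline}")
    return alerts
```

Running `triage(SAMPLE_EVENTS)` yields four alerts, and the decoded payload shows the test string is just a Write-Host wrapped in an `iex` lookup, which is exactly the kind of plaintext an analyst wants surfaced alongside the raw 4688 or Sysmon record.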

Living off the land techniques like those using PowerShell, WMI, and Mshta are appealing to attackers because they help avoid detection, reduce the need for custom malware, and blend in with routine operations. But with the right logging, visibility, and controls in place, you can turn the tide—spotting abuse before it leads to compromise.

At Secure Link Solutions, we specialise in helping organisations defend against evolving and hard-to-detect cyber threats. With a proactive and layered approach to security, we provide tailored solutions that strengthen your overall cyber resilience. From advanced threat detection and response to system hardening and secure network design, we work closely with your team to ensure your business stays protected in an ever-changing threat landscape.
