The Bottom Line: Bitdefender found in an analysis of 2,100,230 high-severity incidents that attackers prefer to abuse legitimate system tools rather than deploy new malware.
A Bitdefender analysis shows that trusted administrative tools such as PowerShell, WMIC, and Certutil are misused by attackers in 23 percent of security incidents. These “living off the land” tools thus pose a greater security challenge than specialized malware.
Bitdefender examined 2,100,230 high-severity security incidents and found that legitimate administrative tools were used as attack vectors in 23 percent of cases. The most frequently abused tools are PowerShell, WMIC, netsh, Certutil, and MSBuild, all standard components of Windows systems that IT teams use daily.
A standard Windows 10 system contains approximately 2,250 so-called Living-off-the-Land Binaries (LOLBins) distributed across 987 separate executable files. This volume creates a large attack surface, since attackers have numerous ways to achieve access or lateral movement in the network using legitimate system resources. The risk is amplified by the fact that such activities are difficult to distinguish from legitimate administrative activities.
To address this challenge, Bitdefender offers a free analysis tool called Internal Attack Surface Assessment. The assessment is designed to give organizations with 250 or more employees a concrete, prioritized overview: which users, endpoints, and tools can be safely removed from attacker access without disrupting business operations. This converts the abstract problem of “living off the land” into an operational inventory.
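As an added illustration of what such an inventory can look like (this is not Bitdefender's tool or method), the sketch below tallies which hosts and users actually launch the five tools named above and lists the hosts where each tool was never seen. The record layout (host, user, image path), the host names, and the sample events are constructed assumptions standing in for an export of process-creation logs.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# The five tools the article names as most frequently abused.
TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "certutil.exe", "msbuild.exe"}

# Constructed process-creation records (host, user, image path); the layout is
# an assumption modelled on a process-creation log export. Not real data.
SAMPLE_EVENTS = [
    ("WS-FIN-01", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS-FIN-01", "alice", r"C:\Windows\System32\notepad.exe"),
    ("SRV-BUILD-01", "svc_build", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    ("SRV-BUILD-01", "svc_build", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS-IT-07", "bob", r"C:\Windows\System32\netsh.exe"),
    ("WS-IT-07", "bob", r"C:\Windows\System32\wbem\WMIC.exe"),
    ("WS-IT-07", "BOB", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]
SAMPLE_HOSTS = ["WS-FIN-01", "SRV-BUILD-01", "WS-IT-07", "WS-HR-03"]

def build_inventory(events):
    """Map tool -> host -> set of users observed launching it."""
    usage = defaultdict(lambda: defaultdict(set))
    for host, user, image in events:
        name = PureWindowsPath(image).name.lower()  # case-insensitive file name
        if name in TOOLS:
            usage[name][host].add(user.lower())
    return usage

def restriction_candidates(events, all_hosts):
    """Per tool, hosts where it was never launched in the observed window."""
    # "Never seen" only means something if the window covers rare but
    # legitimate work (patch cycles, quarter-end jobs); review before blocking.
    usage = build_inventory(events)
    return {tool: sorted(set(all_hosts) - set(usage[tool])) for tool in sorted(TOOLS)}

if __name__ == "__main__":
    for tool, hosts in restriction_candidates(SAMPLE_EVENTS, SAMPLE_HOSTS).items():
        print(f"{tool}: no observed use on {', '.join(hosts) or 'no hosts'}")
```

The per-user sets from `build_inventory` answer the complementary question: on a host where a tool is used, which accounts account for that use and which could lose access to it.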
Source: ainews-dev.lumi-systems.io · Published 15 May 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.5.2.