Cybersecurity solutions provider Sophos has reported a significant increase in the misuse of trusted Windows tools, known as “living off the land” binaries (LOLBins), by attackers. The latest Active Adversary Report highlights a 51% rise in this activity since 2021, with an 83% increase over the past three years.
LOLBins are legitimate Windows applications that attackers leverage for malicious purposes, such as system discovery and maintaining access. Sophos analyzed nearly 200 incident response cases through its X-Ops teams in the first half of 2024 and found that 187 unique Microsoft LOLBins were involved. The remote desktop protocol (RDP) emerged as the most frequently abused tool, used in 89% of these cases.
“Living-off-the-land provides attackers with both stealth and a sense of legitimacy,” said John Shier, field CTO, Sophos. “These tools are integral to Windows systems, but administrators must understand how they are being used in their environments to detect misuse. Without proper monitoring, IT teams may overlook critical activity, increasing the risk of ransomware.”
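The detection approach Shier describes, a baseline of how trusted Windows tools and RDP are normally used in a given environment and alerting on deviations from it, can be sketched as follows. This is an added example, not code from Sophos or from the report; the event records, the baseline values and the burst threshold are all constructed for illustration.

```python
"""Baseline-driven triage of LOLBin and RDP usage (added example, constructed data)."""
from collections import Counter

# Constructed, simplified process-creation and logon events; not real telemetry.
EVENTS = [
    {"host": "ws01", "user": "alice", "event": "process", "image": "whoami.exe", "parent": "cmd.exe"},
    {"host": "ws01", "user": "alice", "event": "process", "image": "net.exe", "parent": "cmd.exe"},
    {"host": "ws01", "user": "alice", "event": "process", "image": "nltest.exe", "parent": "cmd.exe"},
    {"host": "srv-dc1", "user": "svc-backup", "event": "logon", "logon_type": 10, "src": "10.0.5.77"},
    {"host": "srv-dc1", "user": "admin-bob", "event": "logon", "logon_type": 10, "src": "10.0.1.10"},
    {"host": "ws02", "user": "carol", "event": "process", "image": "powershell.exe", "parent": "explorer.exe"},
]

# Environment baseline (assumed values): who is expected to run discovery-type
# signed Windows binaries, and which sources may open RDP (logon type 10) sessions.
BASELINE = {
    "admin_users": {"admin-bob"},
    "rdp_jump_hosts": {"10.0.1.10"},
    "discovery_lolbins": {"whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe"},
    "discovery_burst_threshold": 3,  # distinct executions per host/user before alerting
}


def triage(events, baseline):
    """Return (host, user, reason) tuples for activity that falls outside the baseline."""
    alerts = []
    bursts = Counter()
    for e in events:
        if e["event"] == "logon" and e.get("logon_type") == 10:
            # RDP session from an unexpected source or by a non-admin account.
            if e["src"] not in baseline["rdp_jump_hosts"] or e["user"] not in baseline["admin_users"]:
                alerts.append((e["host"], e["user"], "RDP logon outside baseline from " + e["src"]))
        elif e["event"] == "process" and e["image"] in baseline["discovery_lolbins"]:
            # Count discovery-tool executions by accounts that normally never run them.
            if e["user"] not in baseline["admin_users"]:
                bursts[(e["host"], e["user"])] += 1
    for (host, user), n in bursts.items():
        if n >= baseline["discovery_burst_threshold"]:
            alerts.append((host, user, f"{n} discovery LOLBin executions by non-admin user"))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS, BASELINE):
        print(alert)
```

The two alerts this produces (an RDP logon from a non-jump-host source by a service account, and a burst of discovery binaries under a standard user) are exactly the kind of activity the report says goes unnoticed without environment-specific monitoring; the baseline itself must come from each organisation's own usage data.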
Ransomware continues to be a pressing issue. Despite disruptions to its infrastructure earlier this year, the LockBit ransomware group accounted for 21% of infections during the reporting period, making it the most frequently encountered threat.
Compromised credentials
Sophos identified compromised credentials as the leading cause of attacks, responsible for 39% of incidents. While this is a drop from 56% in 2023, it remains the primary entry point for attackers.
The report also found differences in detection times. Median dwell time (how long attackers remain undetected) was eight days for Sophos’ incident response team but just one day for its managed detection and response (MDR) team.
Another concern involves older Active Directory (AD) servers. The report revealed that attackers frequently targeted outdated server versions, with 21% of compromised servers already beyond Microsoft’s mainstream support. These outdated systems are harder to secure and pose a significant risk.
The findings underscore the importance of proactive monitoring and regular system updates. Sophos advises organizations to strengthen their defenses by understanding how their tools are used and addressing vulnerabilities promptly.
“Staying vigilant is critical,” Shier added. “With the right approach, IT teams can mitigate threats and reduce the chances of severe incidents.”