Cybercriminals breaking into manufacturing have shifted from traditional malware to more sophisticated methods that abuse legitimate applications and tools — like wolves in sheep’s clothing. Known as Living-off-the-Land (LOTL), this strategy turns trusted system entities into masks for malicious activity that bypass defenses because they appear safe. These attacks blend into industrial networks, hiding as everyday workflows and compromising safety procedures in ways that can cause long-term damage to production and supply chain relationships.
What Is a Living-off-the-Land Attack?
LOTL is a type of cyberattack in which intruders use legitimate applications already present on the victim's systems to avoid detection, hence the name. Instead of deploying foreign, malicious binaries that most security infrastructure can flag more easily, they rely on pre-installed utilities and disguise their activity as part of normal workflows.
Why LOTL Is a Threat to Manufacturing
The high costs of conventional cyberattacks already burden the industry, and the risks are escalating as infiltration methods become more advanced. Manufacturing saw the sharpest rise in breach costs of any sector, with the average cost of a breach climbing to about USD 830,000 over the past year.
The stealth of LOTL techniques makes this financial strain even more severe. The binaries attackers abuse carry valid digital signatures from vendors like Microsoft, Apple and the major Linux distributions. They run with whatever privileges the calling user holds, which on an engineering workstation is often local administrator, and they are routinely allowlisted, so security applications treat them as safe.
Threat actors exploit this trust. They hijack the same operating system utilities, administrative scripts or batch files that plant engineers and IT staff rely on to control equipment and keep production running. That allows them to steal sensitive data or manipulate processes while appearing to operate within normal parameters.
For example, when a system administrator uses PowerShell to check equipment status and an adversary uses the same PowerShell to exfiltrate data, the two leave almost identical footprints; the difference lies only in the command line, the parent process and the account involved. For factory networks that thrive on consistent uptime and continuity, these overlaps create blind spots where standard security solutions overlook the activity because it mimics legitimate operations.
The stealth of LOTL campaigns mirrors broader cyber trends. Cyberattacks strike every 39 seconds, and adversaries lurk undetected for an average of 208 days before discovery. That long dwell time gives intruders time to exploit trusted frameworks like PowerShell or WMI and blend into production workflows in manufacturing, just as they do in defense and critical infrastructure.
How to Defend Against LOTL Attacks
The inherent legitimacy of these tools creates a detection paradox: because they are central to operations, security teams cannot block them without disrupting daily tasks. The real challenge is not identifying the tools themselves but recognizing malicious patterns hidden within routine activity, something traditional signature-based defenses struggle to achieve.
Here are defense tactics production companies should use instead.
1. Control Administrative Tools and Script Usage
Hackers frequently abuse PowerShell, WMI, schtasks.exe and rundll32.exe for execution and persistence, but engineers and administrators also use them widely. Blocking them outright is impractical because they are central to operations. Granular usage policies are the better option.
Set clear rules for when, by whom and from where these tools may be used. Log their use at a granular level: enable process-creation auditing with command lines and PowerShell script block logging so the command, not just the binary name, is recorded. Monitor for unusual parent-child process relationships, such as a web server process or an Office application launching PowerShell. MITRE ATT&CK guidance singles out process creation monitoring as key to spotting malicious activity, whether it is the launch of unauthorized binaries, the misuse of scripting tools or attempts to escalate privileges.
Tightening controls on existing frameworks helps prevent attackers from turning them into weapons while keeping plant engineers productive.
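The following PowerShell script is an added example, not code from the original article, and shows the parent-child check described above applied to process-creation events. The expected-parent baseline, the list of parents that should never spawn an admin tool, the suspicious command-line patterns and the three sample events are all constructed for illustration; the converter at the top maps real Sysmon Event ID 1 records into the same flat shape so the same check runs against live telemetry.

```powershell
# Added example, not from the original article. Flags LOTL binaries (powershell.exe,
# wmic.exe, schtasks.exe, rundll32.exe) launched by an unexpected parent or with
# tell-tale command-line switches. Baseline, never-parents and sample events are
# constructed assumptions; tune them to what your own plant workstations really do.

# Which parents are expected to launch each watched tool on an engineering workstation.
$ExpectedParents = @{
    'powershell.exe' = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'code.exe', 'windowsterminal.exe')
    'wmic.exe'       = @('cmd.exe', 'powershell.exe')
    'schtasks.exe'   = @('cmd.exe', 'powershell.exe', 'mmc.exe')
    'rundll32.exe'   = @('explorer.exe', 'svchost.exe', 'msiexec.exe')
}
# Parents that should never spawn a scripting or admin tool: web servers, Office, PDF readers.
$NeverParents = @('w3wp.exe', 'httpd.exe', 'winword.exe', 'excel.exe', 'outlook.exe', 'acrord32.exe')
# Command-line patterns typical of LOTL abuse (encoded commands, hidden windows, download cradles).
$SuspiciousArgs = '\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression'

# Map a live Sysmon Event ID 1 record (from Get-WinEvent) into the flat shape used below.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $x = [xml]$WinEvent.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            UtcTime = $d.UtcTime; Computer = $x.Event.System.Computer; User = $d.User
            Image = $d.Image; ParentImage = $d.ParentImage; CommandLine = $d.CommandLine
        }
    }
}

# Returns $null for benign events, otherwise an object describing why the event is suspicious.
function Test-ProcessEvent {
    param([Parameter(Mandatory)] [pscustomobject] $Event)

    $child  = (Split-Path -Leaf $Event.Image).ToLowerInvariant()
    $parent = (Split-Path -Leaf $Event.ParentImage).ToLowerInvariant()
    if (-not $ExpectedParents.ContainsKey($child)) { return $null }   # not a watched tool

    $reasons = @()
    if ($NeverParents -contains $parent) {
        $reasons += "parent '$parent' is a web/Office/PDF process"
    } elseif ($ExpectedParents[$child] -notcontains $parent) {
        $reasons += "parent '$parent' is outside the baseline for $child"
    }
    if ($Event.CommandLine -match $SuspiciousArgs) {        # -match is case-insensitive
        $reasons += 'suspicious command-line switches'
    }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time = $Event.UtcTime; Host = $Event.Computer; User = $Event.User
        Parent = $parent; Child = $child; Reasons = ($reasons -join '; '); Command = $Event.CommandLine
    }
}

# Constructed sample events (not real telemetry): one benign, two that should be flagged.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-05-01 08:02:11'; Computer = 'ENG-WS01'; User = 'PLANT\jdoe'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -File C:\Scripts\Get-LineStatus.ps1' }
    [pscustomobject]@{ UtcTime = '2024-05-01 08:05:43'; Computer = 'ENG-WS01'; User = 'PLANT\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -w hidden -nop -enc SQBFAFgAIAAo' }
    [pscustomobject]@{ UtcTime = '2024-05-01 08:09:02'; Computer = 'HIST-SRV02'; User = 'IIS APPPOOL\DefaultAppPool'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        Image = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks /create /tn Updater /tr C:\Users\Public\u.bat /sc minute /mo 5' }
)

$SampleEvents | ForEach-Object { Test-ProcessEvent $_ } | Format-Table -AutoSize

# On a host running Sysmon, replace the sample input with live records:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 1000 |
#     ConvertFrom-SysmonProcessCreate | ForEach-Object { Test-ProcessEvent $_ }
```

Of the three sample events, only the first passes: the second is PowerShell spawned by Word with a hidden window and an encoded command, the third is schtasks.exe creating a recurring task from an IIS worker process. The same logic can be fed from Windows Security event 4688 instead of Sysmon, provided the "include command line in process creation events" policy is enabled; PowerShell script block logging (event 4104) additionally records the decoded content of encoded commands, which is what an analyst needs to triage the second sample.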
2. Segment Networks and Restrict Lateral Movement
NotPetya took down Maersk and spread across enterprise and industrial networks in 2017 by using WMI and PsExec, lateral-movement tools that execute files and shell commands on remote systems and can copy files to them. Once inside, the wiper, disguised as ransomware, disrupted shipping and production globally, with total damages estimated at around $10 billion. Segmentation would have significantly limited its ability to move freely.
Manufacturing networks often connect production lines, safety systems and enterprise applications. Attackers take advantage of this flat structure. To contain movement:
- Separate IT and OT zones with strict access controls
- Use firewalls that monitor east-west traffic
- Require multi-factor authentication for remote administrative sessions.
Proper segmentation ensures that if a cybercriminal compromises one workstation, they do not automatically reach controllers or safety systems, reducing the blast radius of an incident.
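Zone boundaries belong on the network firewalls, but the same principle can be enforced on each engineering workstation so that a compromised peer in the same subnet still cannot reach it over SMB, RPC/WMI, WinRM or RDP. The script below is an added example, not from the original article: it retires the built-in "from anywhere" allow rules, re-opens the lateral-movement ports only to an assumed jump-host range, and audits which enabled allow rules still expose those ports to any address. The jump-host subnet and the rule names are assumptions; the display group names are the English ones Windows ships with.

```powershell
# Added example, not from the original article: host-level east-west restriction for an
# engineering workstation in the OT zone. Requires elevation; review before applying.
$JumpHostRange = '10.20.5.0/24'   # assumed: the only subnet allowed to administer these machines
$LateralPorts  = @{ SMB = '445'; RPC = '135'; WinRM = '5985'; WinRMS = '5986'; RDP = '3389' }

function Set-LateralMovementRules {
    param([string]$AllowedFrom = $JumpHostRange)

    # Default-deny inbound and log the drops so unexpected east-west attempts leave evidence.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -LogBlocked True

    # Retire the built-in allow rules that open these ports to any peer on the network.
    foreach ($group in 'File and Printer Sharing', 'Remote Desktop',
                       'Windows Remote Management', 'Windows Management Instrumentation (WMI)') {
        Disable-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
    }

    # Re-open each port only from the jump-host range and only on the domain profile.
    # Windows Firewall gives Block rules precedence over Allow rules, so the scoping must be
    # done on the Allow side rather than with a second "block everyone else" rule.
    foreach ($name in $LateralPorts.Keys) {
        $display = "OT-Lateral-$name"
        Remove-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue   # idempotent re-run
        New-NetFirewallRule -DisplayName $display -Direction Inbound -Protocol TCP `
            -LocalPort $LateralPorts[$name] -RemoteAddress $AllowedFrom `
            -Action Allow -Profile Domain | Out-Null
    }
}

# Audit: enabled inbound allow rules that still expose a lateral-movement port to any remote address.
function Get-OpenLateralPorts {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        $hit = @($portFilter.LocalPort) | Where-Object { $LateralPorts.Values -contains $_ }
        if (-not $hit) { continue }
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            [pscustomobject]@{ Rule = $rule.DisplayName; Port = ($hit -join ','); RemoteAddress = 'Any' }
        }
    }
}

# Set-LateralMovementRules   # apply (uncomment on a workstation you are allowed to reconfigure)
'Lateral-movement ports still open to any remote address:'
Get-OpenLateralPorts | Format-Table -AutoSize
```

Run the audit first; on a default build it will list the built-in File and Printer Sharing, Remote Desktop and WinRM rules if those groups have been enabled. Port ranges expressed as "5985-5986" are not matched by the simple port comparison above and need to be checked by hand. Pairing this with multi-factor authentication on the jump hosts themselves covers the third bullet: the only path to a remote administrative session runs through a host where a stolen password alone is not enough.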
3. Monitor for Persistence Through Registry and Scheduled Tasks
LOTL actors often use Registry Run Keys and scheduled tasks to survive reboots. These changes appear minor but allow threat actors to stay embedded for weeks or months. Groups like APT29 use WMI event subscriptions as a persistence method to keep access. Because these subscriptions operate within the Windows Management Instrumentation framework, they often leave few or no file artifacts, making them harder to detect with file-based monitoring tools.
For shop floor systems, persistence means intruders can re-enter even after a patch or reboot, undermining recovery efforts. Maintenance routines should include regular audits of registry entries and scheduled task lists. Furthermore, automating integrity checks helps spot unauthorized changes early and lowers the risk of attackers re-establishing control.
Focusing on these persistence points helps security teams reduce the likelihood of repeat outages in production environments and strengthen long-term resilience.
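The audit and integrity check described in this section can be automated with the PowerShell below, an added example that is not part of the original article. It snapshots the three persistence locations the section names (Run/RunOnce keys, scheduled task actions, and WMI event subscription filters, consumers and bindings), records a baseline the first time it runs, and on later runs reports anything added or removed. The baseline file location is an assumption; the baseline should be captured on a freshly built machine that is known to be clean.

```powershell
# Added example, not from the original article: snapshot the persistence locations the
# section names and diff them against a baseline recorded on a trusted, freshly built machine.
# Run elevated so HKLM and root\subscription are readable. The baseline path is assumed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # metadata, not values

function Get-PersistenceSnapshot {
    $items = [System.Collections.Generic.List[object]]::new()

    # 1. Registry Run / RunOnce values
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $items.Add([pscustomobject]@{ Type = 'RunKey'; Id = "$key\$($p.Name)"; Value = [string]$p.Value })
        }
    }

    # 2. Scheduled tasks: one entry per executable action (COM-handler actions have no Execute)
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }
            $items.Add([pscustomobject]@{ Type = 'Task'; Id = "$($t.TaskPath)$($t.TaskName)"
                                          Value = ("$($a.Execute) $($a.Arguments)").Trim() })
        }
    }

    # 3. WMI event subscriptions: filters, the consumers that run code, and the bindings joining them
    $ns = 'root\subscription'
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        $items.Add([pscustomobject]@{ Type = 'WmiFilter'; Id = $f.Name; Value = $f.Query })
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $items.Add([pscustomobject]@{ Type = 'WmiConsumer'; Id = $c.Name; Value = $c.CommandLineTemplate })
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        $items.Add([pscustomobject]@{ Type = 'WmiConsumer'; Id = $c.Name; Value = $c.ScriptText })
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $items.Add([pscustomobject]@{ Type = 'WmiBinding'; Id = [string]$b.Filter; Value = [string]$b.Consumer })
    }
    return $items
}

function Compare-PersistenceBaseline {
    param([string]$BaselinePath = 'C:\ProgramData\PlantSec\persistence-baseline.json')   # assumed path

    $current = Get-PersistenceSnapshot
    if (-not (Test-Path $BaselinePath)) {
        # First run on a trusted build: record the baseline and stop.
        New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        Write-Host "Baseline written with $($current.Count) entries to $BaselinePath"
        return
    }
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json

    # Key each entry on Type|Id|Value so a changed command line shows up as a new entry.
    $key  = { "$($_.Type)|$($_.Id)|$($_.Value)" }
    $base = @($baseline | ForEach-Object $key)
    $now  = @($current  | ForEach-Object $key)

    $added   = $now  | Where-Object { $base -notcontains $_ }
    $removed = $base | Where-Object { $now  -notcontains $_ }
    foreach ($a in $added)   { Write-Warning "NEW persistence entry: $a" }
    foreach ($r in $removed) { Write-Host    "Removed since baseline: $r" }
    if (-not $added -and -not $removed) { Write-Host 'No persistence changes since baseline.' }
}

Compare-PersistenceBaseline
```

Default entries that Windows itself creates (for example the built-in SCM event log filter and binding in root\subscription, or vendor update tasks) land in the baseline and are ignored thereafter, so the warnings that remain are changes made after the build. Get-ScheduledTask reports what the Task Scheduler service exposes; comparing the XML files under C:\Windows\System32\Tasks against the same baseline is a useful second source when the service's view is suspected of being tampered with.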
4. Strengthen Identity and Credential Security
Mimikatz and similar credential-dumping tools remain a primary method for adversaries to harvest Windows credentials (password hashes, Kerberos tickets and, in some configurations, cleartext passwords) from LSASS memory and achieve domain-level access. Once cybercriminals hold domain admin rights, they move laterally into IT and OT assets, including ERP, MES and PLC engineering stations, especially in networks lacking strict segmentation.
Recommended mitigations include:
- Implementing multi-factor authentication for privileged accounts
- Rotating and randomizing administrative passwords
- Disabling cached domain logons where possible and running LSASS as a protected process so that ordinary user-mode credential dumping fails
- Limiting the number of accounts with local administrator rights on engineering workstations
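The script below is an added example, not from the original article, and audits the settings behind those mitigations on a single engineering workstation: LSA protection for LSASS, WDigest cleartext caching, the number of cached domain logons, whether Credential Guard is running, and how many accounts sit in the local Administrators group. The registry locations are the documented Windows values; the threshold for the number of local administrators is an assumption.

```powershell
# Added example, not from the original article: audit the credential-protection settings
# an engineering workstation should have before Mimikatz-style tooling reaches it.
# Registry locations are the documented Windows values; the admin-count threshold is assumed.

function Get-RegistryValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CredentialHardening {
    param([int]$MaxLocalAdmins = 2)   # assumed: built-in Administrator plus one break-glass account

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # 1. LSA protection: LSASS runs as a protected process, so user-mode tools cannot open it for reading.
    $ppl = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    Add-Finding 'LSASS protected process (RunAsPPL)' ($ppl -ge 1) "RunAsPPL=$ppl"

    # 2. WDigest: when explicitly set to 1, cleartext passwords are kept in LSASS memory.
    $wd = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    Add-Finding 'WDigest cleartext caching disabled' ($wd -ne 1) "UseLogonCredential=$wd (absent = OS default, off since Windows 8.1 / Server 2012 R2)"

    # 3. Cached domain logons: every cached verifier is a hash an attacker can take offline.
    $cached  = Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $cachedN = if ($null -eq $cached) { 10 } else { [int]$cached }   # Windows default is 10
    Add-Finding 'Cached domain logons minimised' ($cachedN -le 1) "CachedLogonsCount=$cachedN"

    # 4. Credential Guard: SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    Add-Finding 'Credential Guard running' ([bool]($dg.SecurityServicesRunning -contains 1)) "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

    # 5. Local administrators on this workstation.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    Add-Finding "Local Administrators has at most $MaxLocalAdmins members" ($admins.Count -le $MaxLocalAdmins) (($admins | ForEach-Object Name) -join ', ')

    return $findings
}

Test-CredentialHardening | Format-Table Check, Ok, Detail -AutoSize
```

Rotating and randomizing local administrator passwords is what Windows LAPS does and is not checked here. LSA protection stops user-mode dumping only; a signed vulnerable kernel driver can still read LSASS memory, which is why the driver controls in the next sections matter for this mitigation as well.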
5. Detect Fileless Malware Activity in Memory
Fileless malware runs directly in memory through PowerShell or WMI without leaving files on disk. This makes discovery by traditional antivirus software, which relies mainly on signature-based file scanning, unreliable. Endpoint detection and response (EDR) tools are better suited to catch suspicious script execution, unusual command-line arguments and in-memory code injections.
However, careful deployment of EDR matters in manufacturing. Some machines, especially those driving controllers or real-time systems, cannot sustain heavy scanning loads. A selective deployment strategy works best. Focus first on operator workstations, engineering laptops and servers that bridge IT and OT. By targeting high-value nodes with advanced detection, you can balance security with operational continuity.
6. Patch Vulnerable Drivers and Monitor LOLDrivers
Attackers load legitimately signed but vulnerable drivers in a technique called Bring Your Own Vulnerable Driver (BYOVD). Drivers run in kernel mode, which gives them the highest privileges on the machine. Once loaded, a flawed driver can be used to disable or interfere with endpoint protection tools, read and write memory directly or override security enforcement.
Many industrial companies use third-party drivers for device control, OEM hardware or specialized industrial equipment. This reliance expands the attack surface when even one driver has known flaws. To mitigate these risks and harden the driver layer:
- Maintain a complete inventory of drivers
- Track vendor vulnerability announcements
- Block loading of known-vulnerable drivers where the OS or security infrastructure allows
- Use behavioral monitoring at the kernel level to catch abnormal driver actions
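The first three items can be covered on a single host with the PowerShell below, an added example that is not part of the original article. It inventories every installed kernel driver, hashes the file, records its Authenticode signer, and flags any driver whose SHA256 appears in a known-vulnerable list such as the one the LOLDrivers project publishes. The hash-list path is an assumption (one SHA256 per line, exported from whichever source you track), as is the interpretation of a missing blocklist registry value.

```powershell
# Added example, not from the original article: inventory installed kernel drivers, hash and
# signature-check them, and flag any whose SHA256 appears in a known-vulnerable list.
# The hash-list path is assumed; populate it with one SHA256 per line from your chosen source.

function Get-DriverInventory {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        # PathName may use \??\ or \SystemRoot\ prefixes; normalise to a plain file-system path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not $path) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State
            StartMode = $d.StartMode
            Path      = $path
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Signer    = $signer
            SigStatus = $sig.Status
        }
    }
}

function Find-KnownVulnerableDrivers {
    param(
        [string]$HashListPath = 'C:\ProgramData\PlantSec\vulnerable-driver-sha256.txt',   # assumed
        [switch]$LoadedOnly
    )
    $bad = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    if (Test-Path -LiteralPath $HashListPath) {
        Get-Content $HashListPath | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match '^[0-9a-f]{64}$' } | ForEach-Object { [void]$bad.Add($_) }
    } else {
        Write-Warning "Hash list $HashListPath not found; only signature status will be reported."
    }

    $inventory = Get-DriverInventory
    if ($LoadedOnly) { $inventory = $inventory | Where-Object State -eq 'Running' }

    foreach ($drv in $inventory) {
        if ($bad.Contains($drv.SHA256)) {
            Write-Warning "KNOWN-VULNERABLE driver $($drv.Name) ($($drv.State)) at $($drv.Path)"
        } elseif ($drv.SigStatus -ne 'Valid') {
            Write-Warning "Driver $($drv.Name) has signature status $($drv.SigStatus)"
        }
    }
    return $inventory
}

# State of Microsoft's vulnerable-driver blocklist. An absent value means the platform
# default applies (on recent Windows 11 builds that default is on); verify on your build.
function Get-VulnerableDriverBlocklistState {
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                          -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'PlatformDefault' }
    if ($v.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

$inventory = Find-KnownVulnerableDrivers
$inventory | Sort-Object Signer | Format-Table Name, State, StartMode, SigStatus, Signer -AutoSize
"Microsoft vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistState)"
```

Exporting the inventory (for example with Export-Csv) gives the list to check against vendor advisories. Note that a driver's hash can be absent from every published list and still be exploitable; the signer and start-mode columns help prioritise third-party OEM and industrial drivers for closer review, and the kernel-level behavioral monitoring in the last bullet covers what a static hash comparison cannot.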
7. Train Plant Staff on Security Awareness
Phishing is a common entry point for LOTL attacks. Cybercriminals send emails with attachments or documents containing macros or embedded scripts that trigger trusted system frameworks once opened. Nearly four in 10 workers in manufacturing will likely fall for such attempts. Training staff to spot suspicious attachments or links lowers the chance of them opening harmful files.
Shift workers and operators often receive less cyber training than office staff, which leaves gaps. Adjusting awareness programs to their schedules and roles and using scenario-based drills makes the training more effective. Showing staff realistic examples, like a fake maintenance update delivered by email, helps them recognize anomalies more quickly.
Catching these attempts early reduces the chance of intruders leveraging built-in tools like PowerShell or WMI without detection, improving the odds of stopping malicious activity before it disrupts production.
8. Plan for Incident Response and Recovery
When LOTL attacks succeed, speed of response matters. A structured response process limits damage. Steps include:
- Isolating affected systems
- Conducting a forensic analysis to identify the tools abused
- Eradicating persistence mechanisms
- Patching exploited weaknesses
- Restoring from known-clean backups
Manufacturers should rehearse this procedure with tabletop exercises. Since LOTL crosses boundaries, both IT and OT staff should be involved. Communication plans must also be ready. Customers and partners will demand accurate updates if an incident disrupts production schedules.
Harden Defenses Against Hidden LOTL Threats
LOTL attacks are effective because they exploit what manufacturers already trust — the tools built into operating systems and industrial software. However, companies can still reduce exposure without interrupting production. One solution is not enough. A layered defense ensures LOTL becomes a contained risk instead of a plant-wide disruption.