Your Antivirus Missed 84% of Last Year's Worst Breaches: Why Attackers Use Your Own IT Tools Against You
Living-off-the-land attacks use PowerShell and RMM tools already on your network. Traditional antivirus can't detect them. Here's what to do instead.

Eighty-four percent of high-severity breaches in the past year involved attackers who never installed malware. They used PowerShell, remote management tools, and other legitimate software that was already running on the victim’s network. Your antivirus didn’t flag it because, from its perspective, nothing malicious happened. The tools that encrypted your files were the same tools your IT team uses every day.
This is the first post in a two-part series on security blind spots that traditional defenses miss. Part two covers how attackers bypass your login security using stolen credentials from employees’ personal accounts.
What “Living Off the Land” Actually Means
The term sounds dramatic, but the concept is straightforward. Instead of writing custom malware that antivirus might recognize, attackers use tools that are already installed on your systems: PowerShell (built into every Windows machine), Windows Management Instrumentation (WMI), remote monitoring and management (RMM) platforms like ConnectWise ScreenConnect or AnyDesk, and even Microsoft’s own system administration utilities.
According to Huntress’s 2026 ransomware trends report, living-off-the-land (LOTL) techniques appeared in 84% of the most severe breach incidents they tracked. Ransomware increased 34% year-over-year, with SMBs representing 88% of ransomware victims. The attackers aren’t writing sophisticated code. They’re running scripts using the same tools your managed service provider uses to maintain your systems.
Think of it this way: a burglar who picks your lock leaves tool marks. A burglar who uses your spare key leaves nothing. LOTL attackers are using your spare keys.
Why Your Antivirus Was Never Designed to Stop This
Traditional antivirus works by maintaining a database of known malware signatures. When a file is downloaded or executed, the antivirus checks it against that database. If it matches, the file gets blocked. If it doesn’t match, it’s allowed.
The problem is obvious once you see it. PowerShell isn’t malware. It’s a legitimate Microsoft tool used by system administrators worldwide. Your antivirus will never block PowerShell.exe from running because blocking it would break your IT operations. The same applies to WMI, RMM tools, and dozens of other system utilities that attackers co-opt.
Even “next-generation” antivirus products that use behavioral heuristics struggle here. When an attacker runs a PowerShell script that enumerates network shares, downloads a payload from an attacker-controlled server, and moves laterally across your network, each individual action looks similar to what a system administrator does during normal operations. The difference between a legitimate admin script and an attack script isn’t the tool. It’s the context, the timing, and the intent.
This is why Recorded Future’s 2026 ransomware tactics analysis highlights LOTL as the dominant technique among established ransomware groups. They’ve learned that the path of least resistance runs straight through the tools your IT team relies on.
The After-Hours Problem: Why Ransomware Hits at 2 AM
Ransomware groups aren’t just using your tools. They’re using your schedule against you.
Huntress’s data shows a clear pattern: ransomware deployments disproportionately occur outside business hours, during weekends, and over holidays. Attackers deliberately wait until your IT staff has gone home. If your organization relies on a help desk that operates Monday through Friday from 8 to 5, attackers know they have a 16-hour window every night and 48 hours every weekend where nobody is watching.
For a 150-person company with an internal IT team of two or three people, this is an impossible coverage gap. Your IT staff can’t monitor endpoints around the clock. They sleep. They take vacations. The attacker doesn’t care about your PTO policy.
When a LOTL attack launches a PowerShell script at 2 AM on a Saturday that begins encrypting file shares, the timer starts. By Monday morning, the damage is done. No alert fired because nothing “malicious” executed. PowerShell ran a script, just like it does every day during your patch window.
This is exactly the gap that 24/7 SOC monitoring fills. When our analysts at Infonaligy see an RMM session initiated at 2 AM from an unrecognized IP, or a series of failed login attempts followed by a successful authentication on a Saturday night, they investigate immediately — not on Monday morning. The privilege escalations, the lateral movement, the unusual process chains all produce signals. Those signals are only useful if someone is watching when they happen.
What Actually Detects This: EDR, SOC, and Managed Detection
If antivirus watches for known-bad files and LOTL attacks use known-good tools, the solution isn’t a better antivirus. It’s a fundamentally different approach to detection.
Endpoint Detection and Response (EDR) platforms like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint work differently from traditional AV. Instead of checking files against a signature database, they monitor the behavior of every process on the endpoint. They track process chains (did PowerShell get spawned by an email attachment?), network connections (is this admin tool connecting to a server in Eastern Europe?), and execution context (why is a remote management tool running at 3 AM when no technician has a ticket open?).
EDR generates alerts when behavior patterns don’t match normal operations. But here’s the catch: EDR alone isn’t enough. An EDR platform that generates 200 alerts per day is useless if nobody is reading those alerts at 2 AM on a Saturday.
Security Operations Center (SOC) monitoring provides the human layer that EDR needs. A SOC team reviews EDR alerts around the clock, correlates suspicious activity across multiple systems, and makes the judgment call about whether PowerShell running at 3 AM is an attacker or just a scheduled task that drifted. This includes monitoring RMM tool activity — flagging when remote management sessions originate from unrecognized sources, when unauthorized RMM software appears on endpoints, or when legitimate RMM tools are used outside approved maintenance windows. At Infonaligy, our SOC analysts pair this kind of RMM monitoring with strict access controls that limit which accounts can initiate remote sessions and from which networks, so an attacker who compromises a credential still can’t spin up an unauthorized RMM session without triggering an alert. Without human analysts reviewing these signals in real time, sophisticated LOTL attacks slip past automated detections because the individual signals are too subtle to trigger automated blocks.
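The process-chain, peer-network and timing checks described in the two paragraphs above, written out as an added example over constructed process-creation events. This is not the page's code and not any EDR vendor's detection logic; the process image names, the approved source networks, the maintenance window, the severity labels and the sample events are all assumptions made for the illustration.

```python
"""Behavioral triage over endpoint process telemetry.

Added example, not the page's or any vendor's code. Every policy value and
every event below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed policy: a real SOC loads these from its own asset inventory.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cmd.exe"}
KNOWN_RMM = {"screenconnect.windowsclient.exe", "anydesk.exe", "teamviewer.exe"}
APPROVED_RMM = {"screenconnect.windowsclient.exe"}
APPROVED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
MAINTENANCE_HOURS = range(8, 18)   # 08:00-17:59 local time, weekdays only
WEEKEND_DAYS = {5, 6}              # datetime.weekday(): 5 = Saturday, 6 = Sunday

Finding = Tuple[str, str]          # (severity, description)


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str                      # process image name, lower-case
    parent: str                     # parent process image name
    user: str
    remote_ip: Optional[str] = None  # peer address if the process connected out


def in_maintenance_window(ts: datetime) -> bool:
    return ts.weekday() not in WEEKEND_DAYS and ts.hour in MAINTENANCE_HOURS


def source_approved(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in APPROVED_SOURCES)


def evaluate(ev: ProcEvent) -> List[Finding]:
    """Findings an analyst would want to see for a single event."""
    findings: List[Finding] = []
    # Process chain: a script host launched by a mail or Office client is
    # not something administrator tooling does.
    if ev.image in SCRIPT_HOSTS and ev.parent in OFFICE_PARENTS:
        findings.append(("high", f"{ev.image} spawned by {ev.parent}"))
    if ev.image in KNOWN_RMM:
        if ev.image not in APPROVED_RMM:
            findings.append(("high", f"unauthorized RMM tool {ev.image}"))
        if ev.remote_ip and not source_approved(ev.remote_ip):
            findings.append(("high", f"RMM peer {ev.remote_ip} outside approved networks"))
        if not in_maintenance_window(ev.ts):
            findings.append(("medium", f"RMM activity outside maintenance window ({ev.ts:%a %H:%M})"))
    elif ev.image in SCRIPT_HOSTS and not in_maintenance_window(ev.ts):
        # Off-hours scripting on its own is ambiguous (drifted scheduled task
        # or intruder), so it is surfaced for a human rather than blocked.
        findings.append(("low", f"{ev.image} run by {ev.user} at {ev.ts:%a %H:%M}"))
    return findings


def triage(events: List[ProcEvent]) -> Dict[str, List[Finding]]:
    """Group findings per host, dropping hosts with nothing to review."""
    report: Dict[str, List[Finding]] = {}
    for ev in events:
        for finding in evaluate(ev):
            report.setdefault(ev.host, []).append(finding)
    return report


# Constructed sample telemetry (2026-03-14 is a Saturday, 2026-03-16 a Monday).
SAMPLE_EVENTS = [
    ProcEvent(datetime(2026, 3, 14, 2, 5), "fs01", "anydesk.exe", "explorer.exe", "svc_backup", "198.51.100.7"),
    ProcEvent(datetime(2026, 3, 16, 10, 30), "ws-042", "powershell.exe", "outlook.exe", "jdoe"),
    ProcEvent(datetime(2026, 3, 16, 14, 0), "ws-017", "screenconnect.windowsclient.exe", "services.exe", "msp-tech", "203.0.113.9"),
    ProcEvent(datetime(2026, 3, 16, 3, 15), "app02", "powershell.exe", "svchost.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        for severity, text in findings:
            print(f"{host:8} {severity:6} {text}")
```

Running the block prints one line per finding. The severity labels carry the judgment call the text describes: a lone off-hours PowerShell run is only a low-confidence signal for an analyst to look at, while an unapproved RMM tool talking to an unrecognized peer at 2 AM on a Saturday stacks three findings on one host, and the approved RMM session from the MSP's range during the maintenance window produces nothing at all.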
Managed Detection and Response (MDR) combines EDR technology with 24/7 SOC monitoring in a single service. For most SMBs, MDR is the practical answer because building an internal SOC team (which requires at minimum 5-6 analysts to cover all shifts) costs far more than outsourcing to a managed security provider with an existing team and toolset.
Five Questions to Ask Your IT Provider This Week
If your current endpoint protection is traditional antivirus, or if you’re running EDR without 24/7 monitoring, you have a gap that attackers are actively exploiting. These questions will help you figure out where you stand:
What endpoint protection are we running? If the answer is “antivirus” or a product name you’d find on a consumer PC (Norton, McAfee, Kaspersky), you need an upgrade. Ask specifically whether it’s signature-based AV or behavioral EDR.
Who monitors our endpoints after hours? If the answer is “nobody until Monday” or “we get email alerts,” your overnight coverage has a gap. LOTL attacks target this exact window.
Can you detect misuse of legitimate admin tools? This is the LOTL-specific question. If your provider can’t explain how they distinguish between an admin running PowerShell and an attacker running PowerShell, they probably can’t.
What’s our mean time to respond to a critical alert? The difference between a contained incident and a full ransomware deployment often comes down to minutes. If your provider doesn’t track this metric, that’s a problem.
Do you have visibility into RMM tool usage on our endpoints? Remote management tools are a favorite LOTL vector because they’re designed to provide full remote access. Your provider should know exactly which RMM tools are installed, which should be there, and which shouldn’t.
The Upgrade Path: From AV to Protected
Moving from traditional antivirus to proper LOTL defense doesn’t require ripping everything out at once. A practical upgrade path looks like this:
Step 1: Deploy EDR on all endpoints. Replace signature-based antivirus with a behavioral EDR platform that monitors process activity, network connections, and execution context. This gives you the detection capability that antivirus lacks.
Step 2: Add 24/7 monitoring. Whether through an MDR service, an outsourced SOC, or (for larger organizations) an internal security team, ensure that EDR alerts are reviewed by humans around the clock. Unmonitored EDR is a camera with no one watching the feed.
Step 3: Harden your legitimate tools. Lock down PowerShell with Constrained Language Mode on workstations that don’t need full scripting capability. Audit which RMM tools are installed across your environment and remove any that aren’t authorized. For approved RMM platforms, implement strict access controls — limit which accounts can initiate remote sessions, restrict connections to known network ranges, and log every session for SOC review. This is an area where working with a managed security partner pays off quickly, because they can enforce these controls across your entire endpoint fleet and monitor for violations around the clock. Implement application allowlisting on critical servers.
Step 4: Test your detection. Run a tabletop exercise or purple team engagement that simulates LOTL techniques. Find out whether your new detection stack actually catches PowerShell abuse, credential dumping with built-in tools, and lateral movement via RMM software before an attacker tests it for you.
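Steps 1 and 3 can be checked against an endpoint inventory before Step 4 exercises the runtime detections. The audit below is an added example, not the page's own tooling or any provider's product, that maps each gap on an endpoint back to the step that closes it. The product names are the ones the text mentions, the PowerShell language mode strings are the values PowerShell itself reports in $ExecutionContext.SessionState.LanguageMode, and the approved-RMM split and the fleet records are constructed assumptions.

```python
"""Inventory audit mapping endpoint gaps to the upgrade steps above.

Added example, not the page's or any provider's tooling. The policy sets and
the sample fleet are constructed; replace them with the organization's data.
"""
from typing import Any, Dict, List

# Product names follow the text; which RMM tool counts as approved is an assumption.
EDR_AGENTS = {"CrowdStrike Falcon", "SentinelOne", "Microsoft Defender for Endpoint"}
LEGACY_AV = {"Norton", "McAfee", "Kaspersky"}
KNOWN_RMM = {"ScreenConnect", "AnyDesk", "TeamViewer"}
APPROVED_RMM = {"ScreenConnect"}
# LanguageMode values that prevent arbitrary scripting on a workstation.
HARDENED_PS_MODES = {"ConstrainedLanguage", "NoLanguage"}

Endpoint = Dict[str, Any]


def audit_endpoint(ep: Endpoint) -> List[str]:
    """Gaps on one endpoint, each prefixed with the upgrade step that closes it."""
    gaps: List[str] = []
    installed = set(ep["software"])
    # Step 1: behavioral EDR must be present; note if only consumer AV is.
    if not installed & EDR_AGENTS:
        av = sorted(installed & LEGACY_AV)
        detail = f" (only {', '.join(av)})" if av else ""
        gaps.append(f"Step 1: no behavioral EDR agent{detail}")
    # Step 3: any known RMM tool outside the approved set should not be there.
    for tool in sorted((installed & KNOWN_RMM) - APPROVED_RMM):
        gaps.append(f"Step 3: unauthorized RMM tool {tool}")
    # Step 3: workstations that do not need full scripting run constrained.
    if ep["role"] == "workstation" and ep["ps_language_mode"] not in HARDENED_PS_MODES:
        gaps.append(f"Step 3: PowerShell {ep['ps_language_mode']} on a workstation")
    # Step 3: critical servers carry application allowlisting.
    if ep["role"] == "server" and not ep.get("allowlisting", False):
        gaps.append("Step 3: no application allowlisting on a server")
    return gaps


def audit_fleet(fleet: List[Endpoint]) -> Dict[str, List[str]]:
    """Hosts with at least one gap, each with its gap list."""
    report: Dict[str, List[str]] = {}
    for ep in fleet:
        gaps = audit_endpoint(ep)
        if gaps:
            report[ep["host"]] = gaps
    return report


def gaps_by_step(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings per upgrade step, which is how the rollout gets prioritized."""
    counts: Dict[str, int] = {}
    for gaps in report.values():
        for gap in gaps:
            step = gap.split(":", 1)[0]
            counts[step] = counts.get(step, 0) + 1
    return counts


# Constructed sample inventory.
SAMPLE_FLEET: List[Endpoint] = [
    {"host": "ws-001", "role": "workstation", "software": ["Norton", "AnyDesk", "ScreenConnect"],
     "ps_language_mode": "FullLanguage"},
    {"host": "ws-002", "role": "workstation", "software": ["SentinelOne", "ScreenConnect"],
     "ps_language_mode": "ConstrainedLanguage"},
    {"host": "fs01", "role": "server", "software": ["CrowdStrike Falcon", "TeamViewer"],
     "ps_language_mode": "FullLanguage", "allowlisting": False},
    {"host": "app02", "role": "server", "software": ["Microsoft Defender for Endpoint"],
     "ps_language_mode": "FullLanguage", "allowlisting": True},
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_FLEET)
    for host, gaps in report.items():
        for gap in gaps:
            print(f"{host:8} {gap}")
    print(gaps_by_step(report))
```

On the constructed fleet, ws-001 is the endpoint the article is written about (consumer antivirus, an unapproved remote-access tool and unconstrained PowerShell), while the two endpoints that already meet the policy produce no findings and so never reach the rollout list.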
This is the same upgrade path we walk through with clients when they realize their existing endpoint security was built for a threat model that no longer reflects reality. The threat model shifted from “stop malware” to “detect misuse of legitimate tools,” and your defenses need to reflect that shift.
What Comes Next
This post focused on the endpoint detection gap. But LOTL attacks don’t start by magically appearing on your network. Attackers still need to get in. Part two of this series covers the most common entry point: stolen credentials from employees’ personal accounts that give attackers legitimate login access to your business systems. Traditional login security misses this for the same reason antivirus misses LOTL. The activity looks legitimate because the credentials are real.
If your current endpoint protection relies on traditional antivirus, or if you have EDR deployed but nobody watching it overnight, you already know what attackers are counting on. The question isn’t whether LOTL techniques will be used against businesses like yours. According to the data, they already are.
Need Help Upgrading Your Endpoint Security?
Our team can assess your current detection capabilities and build a monitoring plan that covers the gaps attackers exploit.