- Netsh.exe is the most abused Windows tool, and it still hides in plain sight
- PowerShell shows up on 73% of endpoints, not just in admin hands
- WMIC’s surprising comeback shows attackers favor tools no one’s watching anymore
A new analysis of 700,000 security incidents has revealed just how extensively cybercriminals exploit trusted Microsoft tools to breach systems undetected.
While the trend of attackers using native utilities, known as Living off the Land (LOTL) tactics, is not new, the latest data from Bitdefender’s GravityZone platform suggests it’s even more widespread than previously believed.
A staggering 84% of high-severity attacks involved the use of legitimate system binaries already present on machines. This undermines the effectiveness of conventional defenses, even those marketed as the best antivirus or best malware protection.
Some of the tools most commonly abused will be very familiar to system administrators, including powershell.exe and wscript.exe.
However, one tool unexpectedly emerged at the top: netsh.exe. A command-line utility for managing network configuration, netsh.exe was found in a third of major attacks – and while it is still used for firewall and interface management, its frequent appearance in attack chains suggests its potential for misuse is underestimated.
PowerShell remains a key component of both legitimate operations and malicious activity – although 96% of organizations use PowerShell, it was found running on 73% of endpoints, well beyond the scope of what would be expected from administrative use alone.
Bitdefender found, “third-party applications running PowerShell code without a visible interface” were a common cause.
This dual-use nature makes detection difficult, especially for tools not backed by behavior-aware engines.
It raises questions about whether the best EPP solutions are adequately tuned to account for this blurred line between normal and nefarious use.
Another surprising finding was the continued use of wmic.exe, a tool that Microsoft has deprecated.
Despite its age, the analysis shows it is still widely present in environments, often invoked by software seeking system information. It is particularly attractive when attackers are trying to blend in because of its legitimate appearance.
To tackle this issue, Bitdefender developed PHASR (Proactive Hardening and Attack Surface Reduction). This tool employs a targeted approach that goes beyond simply disabling tools.
“PHASR goes beyond blocking entire tools, it also monitors and stops the specific actions attackers use within them,” the company said.
Still, this approach is not without trade-offs. The fundamental dilemma, “can’t live with them, can’t live without them”, remains unresolved.
