Bitdefender Finds 84% of Attacks Use Built In Windows Tools, Here’s How

Criminal groups once carried their own hacking software into a target network. Today they often use programmes that already sit on every Windows computer. This method is called Living off the Land because attackers “live” off tools an organisation relies on every day.

Bitdefender Labs looked at 700,000 incidents recorded through its GravityZone platform and found that 84% of high-severity breaches used this tactic. A second review inside the company’s managed detection work showed a nearly identical 85%.

Because the tools are signed by Microsoft and run common jobs such as scripting, firewall updates and registry edits, security scanners see nothing unusual at first. Intruders can move across departments and harvest data while logs look like routine maintenance.

Which Windows Tools Are Misused Most?

Netsh.exe, a command that changes network rules, is the favourite. Bitdefender said it appeared in one third of the serious breaches they checked. Staff need netsh to open or close firewall ports, so turning it off would stop ordinary work.

PowerShell is next. Bitdefender Labs reported that 96% of organisations use the shell for legitimate tasks and that 73% of endpoints launch it at least once. Third-party programmes often start hidden PowerShell windows to fetch settings or run updates, handing extra cover to intruders.

Reg.exe, rundll32.exe and the C# compiler csc.exe also appear often. Even msbuild.exe and ngen.exe, tools meant for software developers, feature in attack chains. Their presence shows that criminals scour every corner of Windows for programmes that can run code without drawing attention.

How Does PowerShell Use Change In Different Areas?

Bitdefender also looked at geography and saw clear differences. Only 53.3% of Asia-Pacific organisations recorded PowerShell traffic, far below the 97.3% logged across Europe, the Middle East and Africa.

Where PowerShell traffic is lighter, attackers switch tactics. Bitdefender reports heavier use of reg.exe in Asia-Pacific, a tool that writes straight to the Windows registry.

Old commands still offer openings as well, and WMIC, popular at the start of the century, survives on many machines because legacy software calls it. Attackers follow that trail, knowing the activity blends into routine system checks.

These contrasts give a warning to defenders that a rule safe for one branch might stop payroll scripts in another. A map of local habits helps security teams watch the right signals without blocking daily work.

How Can Companies Stay Safe?

Bitdefender built GravityZone Proactive Hardening and Attack Surface Reduction, or PHASR, to watch what each process tries to do and stop only harmful commands. Blocking an entire file, such as netsh or PowerShell, would cripple service desks; stopping a single risky action keeps the business running.

PHASR learns everyday behaviour on every computer. If PowerShell starts using encrypted text or attempts to switch off protections, PHASR halts that line while letting harmless scripts finish. The same rule set watches WMIC, netsh and many other tools.
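To make the "stop the action, not the binary" idea concrete, here is an added example (my own code, not Bitdefender's or PHASR's) that checks constructed process-creation records against action-level rules for the tools named in the article, so the same executable doing its everyday job produces no finding. The hostnames, command lines and rule names are assumptions made for the example.

```python
import re

# Constructed process-creation records, shaped loosely like Sysmon EventID 1 /
# Windows 4688 fields (host, image path, command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "hr-01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall show rule name=all"},        # routine
    {"host": "hr-01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},          # risky action
    {"host": "dev-07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\update-settings.ps1"},  # routine
    {"host": "dev-07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand QUJDREVGR0g="},  # placeholder base64
    {"host": "fin-02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Vendor\App /v Version"},        # routine
    {"host": "fin-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},                           # routine
]

# Each rule names a risky *action* on a given binary, not the binary itself.
# (rule name, image regex, command-line regex, severity)
RULES = [
    ("netsh_firewall_off", r"netsh\.exe$", r"advfirewall\s+set\s+\S+\s+state\s+off", "high"),
    ("powershell_encoded_cmd", r"powershell\.exe$", r"-(?:e|ec|enc|encodedcommand)\s+\S+", "medium"),
    ("powershell_hidden_window", r"powershell\.exe$", r"-w(?:indowstyle)?\s+hidden", "low"),
    ("reg_autorun_write", r"reg\.exe$", r"\badd\b.*\\currentversion\\run", "medium"),
    ("wmic_remote_exec", r"wmic\.exe$", r"process\s+call\s+create", "medium"),
]


def evaluate(events, rules=RULES):
    """Return one finding per (event, rule) match; benign LOLBin use yields none."""
    findings = []
    for ev in events:
        for name, image_re, cmd_re, severity in rules:
            if (re.search(image_re, ev["image"], re.IGNORECASE)
                    and re.search(cmd_re, ev["cmdline"], re.IGNORECASE)):
                findings.append({"host": ev["host"], "rule": name,
                                 "severity": severity, "cmdline": ev["cmdline"]})
    return findings


def highest_severity(findings):
    """Worst severity across findings, or None when nothing matched."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f["severity"] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['rule']}: {f['cmdline']}")
```

Running it flags only the firewall-off command and the hidden, encoded PowerShell launch; the routine netsh, PowerShell, reg and WMIC invocations pass untouched.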

The researchers concluded by saying, “This stark reality demands a fundamental shift towards security solutions like Bitdefender’s PHASR, which moves beyond blunt blocking to discern and neutralize malicious intent within these tools.”