Legitimate Tool Abuse: Why Threat Actors Use Trusted Tools
Legitimate tool abuse is becoming a central part of modern cyberattacks. Patch management, penetration testing, and exploit detection remain essential pillars of a mature security programme, but they no longer explain the full exposure picture on their own. Threat actors increasingly abuse legitimate company tools, either at the start of or during their attacks, using trusted pathways that are harder to distinguish from normal operations.
Why Legitimate Tool Abuse Is Increasing
Using legitimate tools in cyberattacks isn’t a novel concept. The issue became far more visible in the mid-2010s as analysts observed attackers increasingly using:
- Native Windows utilities (PowerShell, WMI, certutil, netsh)
- Built-in scripting engines
- Admin tools already present on systems
Rather than dropping custom malware, adversaries “lived off the land”, using what the operating system already provided.
The concept later expanded through the public LOLBAS (Living Off the Land Binaries and Scripts) project, cataloguing legitimate Windows binaries, scripts, and libraries that could be abused for malicious purposes.

What’s changed now is scale and scope. Living off the land used to mean abusing OS-level utilities. Today, it extends to:
- Cloud administration consoles
- VPNs
- SaaS APIs
- RMM platforms
- Identity providers
- Backup systems
Recent research found that 84 percent of high-severity incidents in a dataset of 700,000 analysed security incidents involved living off the land tactics. One news report also highlighted the broader trend of attackers abusing trusted administrative tools and pathways. Separately, public reporting uncovered how the advanced threat group APT41 used Google Calendar events to carry out command and control over compromised environments.
Modern environments provide far more powerful legitimate tooling, which helps threat actors achieve their goals if they can hijack it. Cloud administration consoles can reconfigure entire infrastructures. RMM platforms grant persistent remote access across fleets of endpoints. Identity providers federate authentication across dozens of services. Backup platforms and orchestration tools operate with broad, often underestimated privilege.
Once authenticated, adversaries can operate inside approved control planes without introducing foreign binaries or necessarily triggering exploit signatures. Modern IT environments are also designed for remote access and automation. Hybrid work, outsourced IT support, third-party integrations, and cloud-first architectures all require legitimate administrative pathways. Those same pathways become attractive when compromised.
What This Means for SMEs
For many small and mid-sized enterprises, legitimate tool abuse presents a structural challenge rather than a purely technical one. SME IT environments often evolve pragmatically. Identity systems expand as new SaaS platforms are adopted. Remote management tools are introduced to support hybrid work or outsourced IT providers. Administrative privileges accumulate over time as teams grow and responsibilities shift. Service accounts enable automation and integrations, then get left largely unchanged.

Flat or broadly scoped administrative roles can be common in mid-sized environments, particularly where IT teams are lean. A single compromised account may have visibility across cloud infrastructure, endpoint management, backup systems, and collaboration platforms. Remote management tools, deployed to improve support efficiency, can provide deep access across a company’s device fleet.
In this context, living off the land tactics are highly effective. The issue is not necessarily the absence of security controls. SMEs increasingly deploy MFA, endpoint protection, and centralised logging. The issue is that identity and administrative pathways are inherently trusted, and often more permissive than is ideal.
So what should be done? As attacker behaviour shifts toward credential and control-plane abuse, SMEs must broaden their defensive lens. Vulnerability management and penetration testing remain important, but they address only part of the exposure picture. Equal attention must be given to privilege concentration, identity governance, and the scope of remote administrative tooling.
Defensive Priorities for SMEs in the Age of Legitimate Tool Abuse
If intrusion increasingly piggybacks on valid credentials and sanctioned tools, your defensive strategy must extend beyond patching exposed systems. For SMEs, three priorities become structurally important.
1. Privilege Discipline Over Privilege Convenience
Admin access in mid-sized environments often expands gradually. A third-party vendor receives standing access to speed up support. An internal admin account is reused across platforms because it is simpler than segmenting roles. Service accounts retain permissions long after the original integration changes. Over time, these decisions create silent privilege concentration.

Reducing exposure requires systematic review:
- Mapping who holds administrative rights across cloud, endpoint, backup, and SaaS platforms
- Identifying shared or legacy service accounts
- Restricting broad “global admin” style roles
- Implementing time-bound or role-based elevation where feasible
This is about making privilege intentional rather than inherited.
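The review steps above (mapping admin rights across platforms, spotting legacy service accounts, and flagging broad roles) can be automated once role assignments are exported from each console. The following is an added example, not code from the original article; the export format, account names and platforms are constructed for illustration.

```python
"""Privilege inventory review across platforms (constructed sample data)."""
from collections import defaultdict
from datetime import date

# Constructed sample: one row per admin-role assignment, in a hypothetical
# normalised format built from each platform's own admin-console export.
ASSIGNMENTS = [
    {"account": "jdoe@example.test",     "platform": "cloud",  "role": "Owner"},
    {"account": "jdoe@example.test",     "platform": "rmm",    "role": "Super Admin"},
    {"account": "jdoe@example.test",     "platform": "backup", "role": "Administrator"},
    {"account": "svc-sync@example.test", "platform": "saas",   "role": "Global Administrator"},
    {"account": "svc-sync@example.test", "platform": "cloud",  "role": "Editor"},
    {"account": "helpdesk@example.test", "platform": "rmm",    "role": "Technician"},
    {"account": "asmith@example.test",   "platform": "backup", "role": "Administrator"},
]

# Constructed account metadata: account type and last credential rotation.
ACCOUNTS = {
    "jdoe@example.test":     {"type": "user",    "last_rotated": date(2024, 11, 3)},
    "svc-sync@example.test": {"type": "service", "last_rotated": date(2021, 6, 14)},
    "helpdesk@example.test": {"type": "service", "last_rotated": date(2025, 2, 1)},
    "asmith@example.test":   {"type": "user",    "last_rotated": date(2025, 1, 9)},
}

# Role names treated as "global admin" style (tenant-wide control).
BROAD_ROLES = {"owner", "super admin", "global administrator", "administrator"}

def admin_platforms_per_account(assignments):
    """Map each account to the set of platforms where it holds a broad admin role."""
    by_account = defaultdict(set)
    for a in assignments:
        if a["role"].lower() in BROAD_ROLES:
            by_account[a["account"]].add(a["platform"])
    return dict(by_account)

def find_privilege_concentration(assignments, min_platforms=2):
    """Accounts holding broad admin roles on at least min_platforms platforms."""
    return sorted(acct for acct, plats in admin_platforms_per_account(assignments).items()
                  if len(plats) >= min_platforms)

def find_stale_service_accounts(accounts, today, max_age_days=365):
    """Service accounts whose credential has not been rotated within max_age_days."""
    return sorted(name for name, meta in accounts.items()
                  if meta["type"] == "service"
                  and (today - meta["last_rotated"]).days > max_age_days)

if __name__ == "__main__":
    print("Privilege concentration:", find_privilege_concentration(ASSIGNMENTS))
    print("Stale service accounts:", find_stale_service_accounts(ACCOUNTS, date(2025, 6, 1)))
```

Each account returned by the first function is a single point of compromise across several control planes; each returned by the second is a candidate for rotation or removal.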
2. Control-Plane Visibility and Oversight
Traditional monitoring focuses heavily on endpoint alerts and perimeter events. Legitimate tool abuse shifts attention to control planes:
- Identity provider logs
- Administrative console activity
- Remote management platform actions
- Backup configuration changes
- Privilege escalation events

These logs often exist. The question is whether they are reviewed with the right context. Anomalies in legitimate tool usage rarely announce themselves clearly. SMEs benefit from formalising how control-plane activity is monitored, escalated, and periodically reviewed.
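One way to give the control-plane logs listed above that context is a small set of rules run over identity, RMM and backup audit events. This is an added example, not code from the original article; the event schema, account names, the assumed helpdesk egress network and the business-hours window are all constructed.

```python
"""Rule-based review of control-plane audit events (constructed sample data)."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed events in a hypothetical normalised schema (one dict per event).
EVENTS = [
    {"ts": "2025-06-02T09:12:00", "source": "idp", "actor": "jdoe@example.test",
     "action": "role.assign", "target": "svc-sync@example.test", "role": "Global Administrator"},
    {"ts": "2025-06-02T09:30:00", "source": "idp", "actor": "asmith@example.test",
     "action": "role.assign", "target": "intern@example.test", "role": "Reader"},
    {"ts": "2025-06-02T02:41:00", "source": "rmm", "actor": "helpdesk@example.test",
     "action": "session.start", "target": "FIN-LAPTOP-07", "src_ip": "203.0.113.45"},
    {"ts": "2025-06-02T10:05:00", "source": "rmm", "actor": "helpdesk@example.test",
     "action": "session.start", "target": "HR-DESKTOP-02", "src_ip": "192.0.2.10"},
    {"ts": "2025-06-02T11:20:00", "source": "backup", "actor": "jdoe@example.test",
     "action": "policy.update", "target": "nightly-full", "field": "retention_days",
     "old": 30, "new": 1},
]

BROAD_ROLES = {"global administrator", "owner", "super admin"}
KNOWN_SUPPORT_NETS = [ip_network("192.0.2.0/24")]   # assumed outsourced-IT egress range
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumed support window

def review_events(events):
    """Return (rule, actor, detail) findings for events that warrant review."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        # Privilege escalation: a tenant-wide admin role granted to any account.
        if e["action"] == "role.assign" and e["role"].lower() in BROAD_ROLES:
            findings.append(("broad_role_granted", e["actor"], f'{e["role"]} -> {e["target"]}'))
        # RMM session from outside the known support network or support hours.
        elif e["action"] == "session.start":
            ip = ip_address(e["src_ip"])
            known = any(ip in net for net in KNOWN_SUPPORT_NETS)
            in_hours = BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]
            if not (known and in_hours):
                findings.append(("anomalous_remote_session", e["actor"], f'{e["target"]} from {ip}'))
        # Backup configuration change that shortens retention (pre-ransomware pattern).
        elif e["action"] == "policy.update" and e.get("field") == "retention_days" \
                and e["new"] < e["old"]:
            findings.append(("backup_retention_reduced", e["actor"],
                             f'{e["target"]}: {e["old"]} -> {e["new"]}'))
    return findings

if __name__ == "__main__":
    for finding in review_events(EVENTS):
        print(*finding)
```

None of these events is an error or an exploit; every one is an allowed action by a valid account, which is exactly why they need to be reviewed against a baseline rather than left to alerting.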
3. Governance That Matches Technical Reality
Perhaps most importantly, legitimate tool abuse exposes gaps between written policy and operational practice. Many SMEs maintain documented access policies. Far fewer systematically validate that actual privilege assignments align with those policies, or periodically assess whether their security architecture reflects current threat behaviour.

As attacker tradecraft evolves, governance must evolve alongside it. This is where structured risk assessment becomes essential. Rather than reacting to isolated incidents, organisations can evaluate:
- How privilege is distributed across systems
- Whether identity architecture reflects least-privilege principles
- How remote administrative access is controlled and logged
- Where trust is concentrated across cloud and SaaS platforms
A disciplined governance and risk framework helps translate these questions into measurable controls and documented improvements. When legitimate tools become the attacker’s infrastructure, resilience depends on how tightly that infrastructure is designed, monitored, and reviewed.
Legitimate tool abuse exposes a simple reality: security breakdowns increasingly occur within the boundaries of what is technically “allowed”. The “vulnerability” is often excessive privilege, inherited administrative roles, poorly reviewed service accounts, and loosely governed remote access pathways.
A mature Governance, Risk, and Compliance framework forces organisations to answer difficult but necessary questions: Who holds privileged access today? Does that access align with documented policy? Are service accounts and remote administration pathways reviewed on a defined schedule? Where is trust concentrated?
Structured GRC work provides a mechanism to reduce privilege sprawl, tighten control-plane oversight, and ensure that security architecture evolves alongside modern intrusion techniques. For organisations that want support reviewing these questions in practice, contact us today to learn more.

