March 23, 2026
Chuck Faughnan, III Personam.ai
Many cyberattacks announce themselves loudly: A ransomware screen appears. A malware alert fires. A security dashboard lights up with warnings.
But some of the most dangerous attacks happening today don’t look like attacks at all.
There is no obvious malware. No suspicious executable. No clearly malicious program running in memory. Instead, the attacker quietly uses tools that already exist inside the environment.
Security professionals call this “Living Off the Land (LOTL)”.
For healthcare organizations, where networks are complex and uptime is critical, these “ghost attacks” are becoming one of the hardest threats to detect.
What “Living Off the Land” Actually Means
A Living Off the Land attack happens when threat actors exploit legitimate tools and administrative utilities already present inside the environment or a system.
Rather than deploying obvious malware, attackers use trusted components of the operating system or the network environment itself. That might include tools like PowerShell, Windows Management Instrumentation (WMI), Remote Desktop Protocol (RDP), or common system utilities used by administrators every day.
Because these tools exist for legitimate reasons, traditional security solutions often treat their activity as normal. The attacker is effectively hiding in plain sight.
The concept is simple: if the activity looks like something an IT administrator might do, traditional detection tools may not flag it.
That ability to blend into routine operations is what makes LOTL techniques so powerful.
Why Healthcare Environments Are Especially Vulnerable
Healthcare networks are uniquely difficult to monitor. Hospitals, research institutions, and healthcare systems operate thousands of devices across multiple environments, many of which cannot run traditional security agents.
Medical imaging equipment, infusion pumps, patient monitoring systems, laboratory analyzers, and other FDA-regulated devices often cannot support endpoint software. Even when monitoring is possible, clinical operations frequently require exceptions that create visibility gaps.
The result is an environment where attackers can move laterally using legitimate credentials and trusted administrative tools without triggering obvious alarms.
Many healthcare security teams are familiar with this scenario. A compromised account accesses systems normally. Administrative tools are used legitimately—just not by the right person.
From a detection perspective, it can be incredibly difficult to distinguish between routine activity and malicious behavior.
Why Attackers Prefer LOTL Techniques
Living Off the Land attacks have become popular for several reasons.
First, they evade detection. Signature-based security tools are designed to detect known malware patterns. If no malware is introduced, those defenses often have little to detect.
Second, LOTL techniques exploit trust. System utilities and administrative tools are inherently trusted by operating systems and security software. That trust becomes a shield for attackers.
Third, these attacks leave fewer indicators of compromise. Without traditional malware artifacts, investigators may struggle to find evidence of the intrusion.
Finally, attackers can maintain persistence for longer periods of time. Because their actions resemble legitimate activity, they may remain undetected while moving through the network, escalating privileges, and gathering sensitive information.
For organizations responsible for protecting patient data and life-critical systems, that level of stealth is particularly dangerous.
Recent Campaigns Highlight the Growing Threat
Recent cyber campaigns demonstrate how effective LOTL techniques have become.
One example involved a China-aligned group known as Phantom, which researchers linked to sophisticated intrusion activity targeting multiple sectors. The campaign relied heavily on legitimate system tools and compromised credentials rather than easily detectable malware. By operating through trusted system utilities already present in the environment, attackers were able to remain hidden for extended periods.
Manufacturing and industrial organizations have also experienced a surge in attacks that follow a similar pattern. Hacktivist and state-sponsored groups targeting Operational Technology (OT) environments have increasingly relied on administrative tools, credential abuse, and remote access utilities to move laterally through networks.
These incidents highlight a growing shift in attacker strategy. Instead of deploying obvious malicious software, threat actors are learning to operate inside the systems that organizations already trust.
Healthcare networks share many of the same characteristics that make these attacks successful: complex ecosystems, privileged administrative tools, and limited endpoint visibility.
The Structural Detection Gap
Many hospitals and healthcare systems have invested heavily in cybersecurity over the past decade. Endpoint detection platforms, identity monitoring tools, and SIEM systems are now common components of security architecture.
Yet a structural detection gap remains.
Healthcare networks frequently include shared service accounts and generic logins used across multiple systems. Identity-based security tools often assume that activity performed with valid credentials is legitimate. Meanwhile, many hospital networks remain relatively flat internally, allowing attackers to easily move laterally once access is obtained.
SOC teams are also under pressure. Limited staff and constant alerts can make it difficult to identify subtle behavioral anomalies buried within normal operational traffic.
In this environment, a threat actor who gains valid credentials and uses trusted system tools may operate quietly for extended periods before being detected.
Why Traditional Detection Models Struggle
Traditional security tools were designed for a different era of cyber threats.
Signature-based detection works well when malware has identifiable characteristics. Antivirus platforms and many intrusion detection systems rely on recognizing known patterns associated with malicious software.
Living Off the Land attacks challenge that model.
When attackers use legitimate tools such as PowerShell or remote administration utilities, the behavior may not match any known signatures. Even advanced detection systems can struggle to distinguish between a legitimate administrator and a malicious actor using the same tools.
For healthcare security teams responsible for protecting both clinical operations and patient data, this creates a difficult problem. The threat is real, but the signals are subtle.
A Different Approach: Detecting Behavior, Not Malware
Defending against LOTL attacks requires a shift in mindset.
Instead of focusing exclusively on identifying malicious software, security teams must focus on detecting abnormal behavior within legitimate activity.
That means looking at patterns across users, devices, and network activity. It means understanding how systems normally interact and recognizing when those interactions deviate from established patterns.
Behavioral monitoring and anomaly detection are increasingly becoming essential components of modern cybersecurity strategies. By continuously analyzing network activity and behaviors, these approaches can identify suspicious actions even when the tools being used are legitimate.
In other words, the goal is no longer just to detect malware. It is to detect misuse.
How Personam Helps Detect LOTL Activity
Personam approaches this challenge through a model focused on simple detection of active threats inside the network.
Rather than relying on static signatures or predefined baselines, Personam continuously models behavior across users, devices, and network activity. By correlating these signals, the system can identify when legitimate tools are being used in ways that do not match normal operational patterns.
This approach is particularly valuable in environments where endpoint monitoring is limited or impossible. Medical devices, IoT/OT equipment, and shared systems can still be effectively monitored through their network behavior.
When unusual activity emerges, such as unexpected lateral movement or remote administrative commands executed from an unfamiliar context, the system flags the behavior and reconstructs the potential attack chain.
For security teams responsible for protecting large healthcare networks, this kind of visibility can make the difference between discovering an attack early and discovering it months after the breach.
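The behavioral approach described in the last two sections (detecting misuse of legitimate tools by comparing each account's activity against what it normally does, rather than matching signatures) can be illustrated with a small baseline model. The Python below is an added example written for this page; it is not Personam's code and makes no claim about how the product works. The events, accounts, hostnames, times and the KNOWN_BAD_TOOLS placeholder are all constructed; the event fields (who used which administrative tool from which host against which host, and when) are the kind of signal that log- or network-based monitoring can see even when the destination, such as a PACS server or a lab analyzer, cannot run an endpoint agent.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: routine activity by a hospital admin (jdoe)
# and a backup service account.  All hosts, accounts and times are hypothetical.
ROUTINE_EVENTS = [
    {"time": "2026-03-16T09:15:00", "user": "jdoe", "src_host": "ADMIN-WS07",
     "dst_host": "FILESRV01", "tool": "powershell.exe"},
    {"time": "2026-03-16T10:40:00", "user": "jdoe", "src_host": "ADMIN-WS07",
     "dst_host": "IMG-PACS02", "tool": "rdp"},
    {"time": "2026-03-17T14:05:00", "user": "jdoe", "src_host": "ADMIN-WS07",
     "dst_host": "FILESRV01", "tool": "wmic.exe"},
    {"time": "2026-03-18T16:20:00", "user": "jdoe", "src_host": "ADMIN-WS07",
     "dst_host": "DC01", "tool": "rdp"},
    {"time": "2026-03-17T02:00:00", "user": "svc_backup", "src_host": "BACKUP01",
     "dst_host": "FILESRV01", "tool": "powershell.exe"},
    {"time": "2026-03-18T02:00:00", "user": "svc_backup", "src_host": "BACKUP01",
     "dst_host": "FILESRV01", "tool": "powershell.exe"},
]

# Constructed "new" window.  Every tool here is a legitimate system utility;
# two of the events nevertheless describe misuse of valid credentials.
NEW_EVENTS = [
    {"time": "2026-03-20T09:30:00", "user": "jdoe", "src_host": "ADMIN-WS07",
     "dst_host": "FILESRV01", "tool": "powershell.exe"},          # routine
    {"time": "2026-03-20T11:00:00", "user": "jdoe", "src_host": "ADMIN-WS07",
     "dst_host": "LAB-ANALYZER03", "tool": "rdp"},               # one new host
    {"time": "2026-03-21T03:10:00", "user": "jdoe", "src_host": "NURSE-WS113",
     "dst_host": "DC01", "tool": "powershell.exe"},              # misuse
    {"time": "2026-03-21T02:05:00", "user": "svc_backup", "src_host": "BACKUP01",
     "dst_host": "FILESRV01", "tool": "powershell.exe"},         # routine
    {"time": "2026-03-21T02:30:00", "user": "svc_backup", "src_host": "BACKUP01",
     "dst_host": "DC01", "tool": "wmic.exe"},                    # misuse
]

# Constructed placeholder for a signature blocklist; no real malware name implied.
KNOWN_BAD_TOOLS = {"evil_dropper.exe"}


def signature_hits(events, known_bad):
    """Signature-style check: flag only events whose tool is on a blocklist."""
    return [e for e in events if e["tool"].lower() in known_bad]


def _hour(event):
    return datetime.fromisoformat(event["time"]).hour


def build_baseline(events):
    """Learn, per account, the hosts, tools and hours seen during routine use."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set(),
                                    "tools": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["src"].add(e["src_host"])
        b["dst"].add(e["dst_host"])
        b["tools"].add(e["tool"])
        b["hours"].add(_hour(e))
    return baseline


def score_event(event, baseline):
    """Return the list of ways this event departs from the account's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return ["account has no baseline"]
    reasons = []
    if event["src_host"] not in b["src"]:
        reasons.append("unfamiliar source host")
    if event["dst_host"] not in b["dst"]:
        reasons.append("unfamiliar destination host")
    if event["tool"] not in b["tools"]:
        reasons.append("tool not previously used by this account")
    # Treat the account's observed hours as a window rather than exact values,
    # so an 11:00 session for a 09:00-16:00 admin is not an anomaly.
    if not min(b["hours"]) <= _hour(event) <= max(b["hours"]):
        reasons.append("outside the account's usual hours")
    return reasons


def find_anomalies(events, baseline, threshold=2):
    """Flag events that deviate from the baseline in at least `threshold` ways."""
    flagged = []
    for e in events:
        reasons = score_event(e, baseline)
        if len(reasons) >= threshold:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_hits(NEW_EVENTS, KNOWN_BAD_TOOLS))
    base = build_baseline(ROUTINE_EVENTS)
    for e, reasons in find_anomalies(NEW_EVENTS, base):
        print(f"{e['time']} {e['user']} {e['src_host']}->{e['dst_host']} "
              f"via {e['tool']}: {', '.join(reasons)}")
```

Run as written, the signature check returns nothing because every tool in the new window is a legitimate utility, while the baseline comparison flags the admin account used from a nursing workstation at 03:10 and the backup service account reaching the domain controller with a tool it has never used. The threshold of two independent deviations is a deliberate choice: an administrator touching one new device for the first time should not page the SOC, but a new source host combined with off-hours use should. In a real deployment the features would come from authentication logs, process telemetry or network flow records, and the baseline would be rebuilt on a rolling window rather than a fixed list.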
The Bottom Line
Living Off the Land attacks represent a shift in how cyber threats operate.
Instead of breaking into systems with obvious malware, attackers increasingly rely on the tools already present inside the environment. They blend into routine activity, exploit trusted utilities, and move quietly through networks.
Healthcare organizations, with their complex infrastructure and device ecosystems, are particularly vulnerable to this style of attack.
Defending against these threats requires more than traditional detection methods. It requires the ability to see behavioral outliers inside legitimate system activity.
In a world where attackers increasingly hide behind trusted tools and valid credentials, visibility into network behavior may be the most important cyber defense healthcare security teams can deploy.