Which term describes attackers who use legitimate tools for malicious purposes?

Prepare for the WatchGuard Endpoint Security Essentials Test. Study with multiple choice questions, hints, and explanations. Boost your exam readiness now!

Multiple Choice

Which term describes attackers who use legitimate tools for malicious purposes?

Explanation:
Using legitimate tools already present on a system to carry out malicious actions is a Living-off-the-Land Technique. This approach lets attackers exploit trusted components—like PowerShell, WMI, certutil, bitsadmin, or mshta—so their behavior blends with normal administrator activity and leaves fewer obvious malware traces. Because these tools are part of the operating system or standard software, security alerts can be quieter unless you monitor for unusual usage patterns, such as excessive PowerShell invocations, abnormal WMI activity, or unexpected data transfers performed by trusted utilities. This concept highlights why defenders focus on behavior and context, not just the presence of new software.

Fileless Attacks describe malware that operates in memory and leaves no traditional files, which is related but not the exact idea here since LOtL covers using legitimate tools whether or not memory-residency is involved. Indicators of Attack are signals or artifacts used to detect threats, not a technique attackers use. Threat Hunting Service is a service offering to search for threats, not a method attackers employ.
