Which term describes techniques that use legitimate tools to carry out wrongdoing on endpoints?


Multiple Choice

Which term describes techniques that use legitimate tools to carry out wrongdoing on endpoints?

Explanation:

The main idea being tested is that attackers often use tools that are already present on the endpoint to carry out wrongdoing. Living-off-the-Land Techniques describe this approach: they leverage legitimate system utilities (such as PowerShell, WMI, certutil, bitsadmin, regsvr32, and other built‑in tools) to perform malicious actions like downloading payloads, executing commands, moving laterally, or exfiltrating data. Because these tools are trusted and commonly used for legitimate admin tasks, their misuse can blend in with normal activity, making detection harder if you’re only looking for new or unknown malware.

Understanding this helps explain why traditional malware-signature defenses can miss these attacks: the “malware” isn’t a new bad file; it’s a trusted tool being misused in a malicious way. To detect LOLT-style activity, you look for unusual or out-of-context use of these trusted tools: odd command-line patterns, encoded or obfuscated commands, unexpected scripting, abnormal automation, or actions that don’t align with the user’s normal role and duties. Implementing controls like least privilege, application control to limit which tools can run, and enhanced monitoring of legitimate utilities with behavior analytics strengthens defenses against this technique.

Other terms don’t describe this specific tactic of abusing legitimate endpoint tools to do harm; they refer to different concepts, such as general malware behavior, proactive threat-hunting services, or broader security trial programs.
