The 84% Blind Spot: Why Attackers Love Your 'Trusted' Admin Tools
April 28, 2026
Because if they encrypt, you must decrypt.
Introduction
The modern enterprise security perimeter has morphed into a complex fabric of identity-centric access and administrative protocols. The most significant risk to organizational integrity resides in the abuse of legitimate, built-in operating system functions known as “Living Off The Land Binaries, Scripts and Libraries” (LOLBAS).[1] Attackers are increasingly leveraging legitimate, privileged tools and protocols to obscure their malicious activities, with reports indicating 84% of 2025 attacks utilized LOLBAS techniques.[2] By using these techniques, attackers effectively conceal their movements within the "trusted noise" of everyday administrative operations.
Among the most abused LOLBAS are Microsoft PowerShell and the WMI framework[3] carried over the RPC/MS-RPC or WSMan/WinRM[4] protocols. These essential tools are the core of Windows management, handling everything from configuration and monitoring to software and Active Directory deployment, and are vital for administrative tasks such as managing GPOs. Unfortunately, they cannot simply be disabled, and their built-in encryption masks malicious activity, including lateral movement, which makes abuse harder to detect and defend against.
WMI Technology and Transport Mechanisms
What is WMI?
Windows Management Instrumentation (WMI) is a core Windows management tool that provides a standardized method for accessing and modifying nearly every aspect of the operating system. This functionality allows both system administrators and attackers to monitor, alter, and interact with various system components, including settings and active applications. The most common WMI technique abused by attackers involves the Win32_Process class. By calling the Create method of this class,[5] an attacker can spawn an arbitrary process (such as cmd.exe or powershell.exe) on a remote system. This allows attackers to bypass security mechanisms, for example controls hard-coded to monitor only the default Win32_Process class, or to launch PowerShell in order to disable the Windows Antimalware Scan Interface (AMSI).
How is WMI Transported?
WMI communication uses one of two transport methods: Remote Procedure Call (RPC)/MS-RPC, or the Web Services for Management (WSMan)/WinRM protocol.
- MS-RPC: MS-RPC is Microsoft’s version of RPC and is the underlying technology used by WMI via the Distributed Component Object Model (DCOM).
- RPC functions by connecting to specific interfaces and then utilizing operation numbers (opnums) to execute designated functions on a target server.
- WMI over RPC movement requires port 135 (RPC Endpoint Mapper) and a dynamic range of high ports (49152–65535) for DCOM communication.
- WSMan and WinRM: WSMan is an industry-standard, SOAP-based protocol for managing systems via HTTP/HTTPS. WinRM is Microsoft’s implementation of this protocol. In addition to utilizing WinRM, WMI can also be carried over PowerShell Remoting Protocol (PSRP).
- WMI commands are passed over WSMan through built-in functionality within Windows such as WinRS or WinRM.
- The communication is encrypted with Kerberos/NTLM (port 5985) or TLS (port 5986).
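The two transports above leave different footprints in connection metadata: WMI over DCOM shows up as a port 135 Endpoint Mapper lookup followed by a connection to a dynamic high port, while WinRM shows up on 5985 or 5986. The following Python script is an added example (not ExtraHop's code) that recognises those patterns in constructed flow records and compares the sources against a hypothetical allow-list of administration hosts; the addresses, timestamps and ADMIN_SOURCES set are all assumptions made for the illustration.

```python
"""Identify WMI/DCOM and WinRM sessions from connection metadata.

Added example, not ExtraHop's code. The flow records and the ADMIN_SOURCES
allow-list are constructed for illustration.
"""
from dataclasses import dataclass

RPC_EPM_PORT = 135                     # RPC Endpoint Mapper
DCOM_DYNAMIC = range(49152, 65536)     # dynamic high-port range used by DCOM
WINRM_HTTP, WINRM_HTTPS = 5985, 5986   # WinRM over Kerberos/NTLM vs TLS
EPM_FOLLOWUP_WINDOW = 5.0              # seconds allowed between EPM query and DCOM connect


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds
    src: str
    dst: str
    dport: int


# Constructed sample flows (hypothetical addresses, not real telemetry).
SAMPLE_FLOWS = [
    Flow(100.0, "10.0.1.5", "10.0.2.20", 135),     # EPM lookup ...
    Flow(100.4, "10.0.1.5", "10.0.2.20", 49667),   # ... then DCOM on a dynamic port
    Flow(200.0, "10.0.3.9", "10.0.2.21", 5985),    # WinRM over HTTP
    Flow(300.0, "10.0.1.5", "10.0.2.22", 5986),    # WinRM over HTTPS
    Flow(400.0, "10.0.3.9", "10.0.2.23", 135),     # EPM lookup with no timely follow-up
    Flow(500.0, "10.0.3.9", "10.0.2.23", 50000),   # too late to pair with the lookup above
]

# Hypothetical set of hosts from which WMI/WinRM administration is expected.
ADMIN_SOURCES = {"10.0.1.5"}


def classify_flows(flows):
    """Return (src, dst, transport) tuples for recognised WMI/WinRM sessions.

    WMI over DCOM is recognised as a port-135 connection followed, within
    EPM_FOLLOWUP_WINDOW seconds, by a connection from the same source to a
    dynamic high port on the same destination.
    """
    sessions = []
    pending_epm = {}  # (src, dst) -> timestamp of the most recent EPM lookup
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if f.dport == RPC_EPM_PORT:
            pending_epm[key] = f.ts
        elif f.dport in DCOM_DYNAMIC:
            t = pending_epm.get(key)
            if t is not None and f.ts - t <= EPM_FOLLOWUP_WINDOW:
                sessions.append((f.src, f.dst, "wmi-dcom"))
                del pending_epm[key]
        elif f.dport == WINRM_HTTP:
            sessions.append((f.src, f.dst, "winrm-http"))
        elif f.dport == WINRM_HTTPS:
            sessions.append((f.src, f.dst, "winrm-https"))
    return sessions


def unexpected_admin_sessions(sessions, admin_sources=ADMIN_SOURCES):
    """Sessions whose source is not an expected administration host."""
    return [s for s in sessions if s[0] not in admin_sources]


if __name__ == "__main__":
    found = classify_flows(SAMPLE_FLOWS)
    for s in found:
        print(s)
    print("unexpected:", unexpected_admin_sessions(found))
```

Note what this metadata-level view can and cannot tell you: it identifies the transport and which host is administering which, which is enough to spot a workstation that should never be driving WMI sessions, but it cannot show whether the DCOM call was a harmless query or a Win32_Process.Create, because that sits inside the encrypted payload.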
Table 1: Comparison between key terms used in this report.
PowerShell: The Execution Engine
Attackers frequently leverage PowerShell, a powerful task-automation framework, because it is a LOLBAS tool: pre-installed on every Windows machine, trusted by the host by default, and capable of performing almost any administrative task. While widely adopted by professionals for system management and security automation, attackers also leverage it to gain unauthorized access and execute malicious code. Because PowerShell is a legitimate part of the OS, attackers favor it to blend in with normal administrative traffic.
PowerShell frequently interacts directly with WMI via MS-RPC/WSMan, and various Windows APIs. Attackers leverage PowerShell to execute obfuscated scripts, load malware directly into memory using reflection (a technique that evades disk-based security tools), and coordinate remote operations through native cmdlets[6] like Invoke-Expression, Invoke-Command, and Invoke-WmiMethod.
Attackers typically leverage PowerShell for several key activities which can also bypass security controls:
- Fileless Execution: PowerShell is used to execute code directly in memory, without leaving malicious file traces on the system. An attacker could run a command that connects to a C2 server to download and execute a script using the Invoke-Expression cmdlet. Since this leaves no file traces on the system, it can evade antivirus products that rely on scanning files on disk.
- Obfuscate and Evade: Attackers leverage Base64 encoding and the -EncodedCommand parameter to conceal their PowerShell commands. This technique effectively allows the malicious commands to evade basic, text-based security filters.
- Lateral Movement and Post-Exploitation: Attackers often employ PowerShell for lateral movement, utilizing PSRP with commands such as Enter-PSSession or Invoke-Command. To escalate privileges, frameworks like Mimikatz or PowerSploit can be used to perform credential dumping. Persistence can then be established by scheduling a task or modifying the Windows Registry.
- Bypass Execution Policies: Default policies prevent most users from executing scripts using PowerShell. An attacker can easily bypass this by using the -ExecutionPolicy Bypass parameter.[7]
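Because every technique in the list above leaves a trace in the powershell.exe command line, a defender's first step is usually to decode the -EncodedCommand blob (UTF-16LE wrapped in Base64) and check both the visible switches and the decoded script for the indicators the post names. The script below is an added example (not ExtraHop's code) that does this over constructed process-creation command lines; the sample script, file paths and the indicator set are assumptions made for the illustration.

```python
"""Decode and triage powershell.exe launches that use -EncodedCommand.

Added example for the abuse patterns above, not ExtraHop's code. The command
lines are constructed; the indicator list is a small illustrative set.
"""
import base64
import binascii
import re

# powershell.exe accepts abbreviated parameter names, so match the common short forms too.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicators drawn from the techniques described in the post.
INDICATORS = {
    "invoke-expression": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "policy-bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "hidden-window": re.compile(r"-w\w*\s+hidden", re.I),
    "amsi-tamper": re.compile(r"amsi", re.I),
}


def encode_for_demo(script: str) -> str:
    """Build the UTF-16LE/Base64 form PowerShell expects (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed blob: report as not decodable rather than crash the pipeline


def triage_command_line(cmdline: str) -> dict:
    """Decode the payload and report which indicators fire on the visible and decoded text."""
    decoded = decode_encoded_command(cmdline)
    # Replace the Base64 blob so indicator regexes do not fire on random blob substrings.
    visible = ENC_FLAG.sub("-EncodedCommand <blob>", cmdline)
    text = visible + ("\n" + decoded if decoded else "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}


# Constructed sample command lines (paths and script are placeholders).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand "
    + encode_for_demo("IEX (Get-Content -Raw 'C:\\Users\\Public\\stage.ps1')"),
    'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(triage_command_line(c))
```

The score is deliberately a plain count rather than a verdict: administrators do use -EncodedCommand and -ExecutionPolicy Bypass legitimately, so the decoded text is best fed into the same baseline-versus-identity comparison the post argues for, rather than alerted on in isolation.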
Attacker Abuse of WMI
State-sponsored actors and cybercriminals favor the encrypted nature of these protocols and PowerShell's powerful functions because their activity blends with administrative traffic. Reports from 2025–2026 show notable APT and cybercriminal groups employing these tactics.
- State-sponsored and affiliated groups:
- Iranian-sponsored groups, such as MuddyWater,[8] commonly use WMI and PowerShell for remote code execution. Their ongoing campaigns, exemplified by reports from March 6, 2026, about "pre-planted backdoors" in Gulf state infrastructure, confirm their continued use of LOLBAS for maintaining stealthy persistence.
- Ransomware:
- The NightSpire ransomware group was prolific in 2025, conducting global ransomware attacks across diverse sectors, including retail and healthcare. Post-compromise, NightSpire employed a range of techniques for privilege escalation, lateral movement, and data exfiltration, utilizing LOLBAS (including PowerShell, PsExec, WinSCP, and WMI) in addition to credential dumping tools like Mimikatz.[9], [10]
- Unattributed Opportunistic Targeting:
- A ClickFix campaign deploying newly identified malware, DeepLoad, was identified on March 30, 2026,[11], [12] targeting enterprise environments. DeepLoad uses a multi-stage infection starting with a "ClickFix" lure, leading to a stager that leverages WMI for payload execution and lateral movement with administrative privileges. The malware employs AI-assisted obfuscation and process injection to evade detection and immediately exfiltrate credentials, passwords, and sessions.
- On April 16, 2026, opportunistic targeting was detected using adware, including Chromstera, Chromnius, and WorldWideWeb, which impersonated legitimate browsers. These Potentially Unwanted Programs (PUPs), signed with valid digital signatures from Dragon Boss Solutions LLC, bypassed initial security checks. The PUPs deployed malicious payloads with system privileges to disable installed antivirus (AV) products via a PowerShell script. Persistence was achieved through WMILoad tasks and WMI event subscriptions configured to execute at boot, at logon, and every 30 minutes to ensure ongoing AV neutralization.[13]
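The WMI event subscriptions used for persistence in the campaign above are visible to a defender as a triple of WMI objects: an __EventFilter (the trigger), a consumer (what runs), and a __FilterToConsumerBinding joining them. Sysmon records these as Event IDs 19, 20 and 21. The script below is an added example (not ExtraHop's code, and not from the cited report) that joins constructed versions of those three events back into bindings and flags the ones that run a script host or poll system uptime; the event records, names and Type strings are assumptions, and real Sysmon events carry more fields.

```python
"""Correlate Sysmon WMI subscription events (IDs 19, 20, 21) and flag bindings
that run a script host.

Added example, not ExtraHop's code. The event records are constructed; real
Sysmon events carry more fields and the Type strings may differ.
"""
import re

# Sysmon: 19 = WmiEventFilter, 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter.
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "UpdaterFilter", "EventNamespace": "root\\cimv2",
     # Commonly documented trigger shape: fires a few minutes after every boot.
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\upd.ps1"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # The SCM event-log binding below ships with Windows and is a benign baseline.
    {"EventID": 19, "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "NTEventLog", "Destination": ""},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

REF = re.compile(r'^(\w+)\.Name="([^"]+)"$')
RISKY_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
SCRIPT_HOSTS = re.compile(r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta", re.I)


def correlate_bindings(events):
    """Join ID 21 bindings to their ID 19 filter and ID 20 consumer by name."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    bindings = []
    for e in events:
        if e["EventID"] != 21:
            continue
        cm, fm = REF.match(e["Consumer"]), REF.match(e["Filter"])
        if not (cm and fm):
            continue
        consumer_class, consumer_name = cm.groups()
        filter_name = fm.group(2)
        bindings.append({
            "filter": filter_name,
            "consumer": consumer_name,
            "consumer_class": consumer_class,
            "query": filters.get(filter_name, {}).get("Query", ""),
            "destination": consumers.get(consumer_name, {}).get("Destination", ""),
        })
    return bindings


def flag_suspicious(bindings):
    """Return (filter, consumer, reasons) for bindings worth an analyst's attention."""
    flagged = []
    for b in bindings:
        reasons = []
        if b["consumer_class"] in RISKY_CONSUMERS:
            reasons.append("script/command consumer")
        if SCRIPT_HOSTS.search(b["destination"]):
            reasons.append("script host in destination")
        q = b["query"].upper()
        if "WITHIN" in q and "SYSTEMUPTIME" in q:
            reasons.append("uptime-polling trigger")
        if reasons:
            flagged.append((b["filter"], b["consumer"], reasons))
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(correlate_bindings(SAMPLE_EVENTS)):
        print(hit)
```

Correlating the three events matters because each one alone is noisy: many management products create filters and consumers, and the benign SCM binding that ships with Windows passes through the same code without being flagged. It is the combination of a command-line consumer, a script host in its destination and a boot-time trigger that makes a binding worth pulling apart.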
Unmasking Lateral Movement
As attackers continue to use LOLBAS tactics, the traditional security stack faces a fundamental visibility gap. Because native tools, frameworks and protocols are functionally indistinguishable from routine administration at the protocol level, network defenders must shift their strategy from perimeter defense to deep-packet payload inspection.
Securing the modern enterprise necessitates the adoption of strong defensive postures:
- Decryption of East-West Traffic: Attackers are using native encryption protocols (Kerberos, NTLM, and TLS) to hide their activities. To identify lateral movement, defenders must have the capability to decrypt and inspect internal traffic in real-time.
- Beyond the Metadata: Simple flow logs (NetFlow) or encrypted packet headers are insufficient for detecting sophisticated attackers. Defenders need to see the "ground truth" inside the protocol to distinguish between legitimate administrative traffic and malicious activities.
- Verification of Identity vs. Intent: In an identity-centric perimeter, "trusted" credentials do not guarantee "trusted" activity. Decrypted network behavior can validate that an identity is behaving as expected.
- Bridging the EDR "Unmanaged" Gap: While Endpoint Detection and Response (EDR) is essential, its visibility is limited. Advanced Network-based Detection and Response (NDR) appliances, such as ExtraHop's RevealX, offer a critical advantage: they can inspect decrypted network traffic. This capability allows defenders to detect lateral movement originating from these devices, which would otherwise completely bypass host-based security solutions.
For a technical, in-depth look at how PowerShell use is concealed within WMI traffic, refer to: Decrypting the Shadows: Adversaries Hiding Lateral Movements in the Modern Enterprise
MITRE ATT&CK Mappings
To effectively counter the sophisticated use of LOLBAS techniques, security teams must align their visibility strategies with industry-standard frameworks. The following table maps common lateral movement activities involving WMI, PowerShell, and WinRM/WSMan to the MITRE ATT&CK framework.
Table 2: MITRE ATT&CK Mappings and ExtraHop NDR Detections
Conclusion
Attackers often abuse powerful and trusted LOLBAS tools and protocols native to Windows to move secretly across a company's network. Because these tools are necessary for system administrators, simply blocking them isn't an option. To catch these sophisticated attacks, security defenses must go beyond just looking at simple traffic logs. Instead, security teams need to analyze decrypted network communications to tell the difference between a normal administrator's work and an attacker's movements.
By turning the network into a source of ground truth, organizations can cut through the mask of encryption, shrink attacker dwell time, and contain threats before they escalate into material breaches. In the modern enterprise, visibility is the only true defense against the enemies that are already inside.
[1] https://lolbas-project.github.io/
[2] https://www.bitdefender.com/content/dam/bitdefender/business/campaign/assessment/Official-2025-Cybersecurity-Assessment-Report.pdf
[3] https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
[4] https://www.extrahop.com/resources/protocols/wsman
[5] https://www.cybereason.com/blog/wmi-lateral-movement-win32
[6] https://redcanary.com/threat-detection-report/techniques/powershell/
[7] https://www.blackfog.com/fileless-powershell-protection/
[8] https://socradar.io/blog/cyber-reflections-us-israel-iran-war/
[9] https://hivepro.com/threat-advisory/nightspire-ransomware-expands-reach-with-aggressive-extortion-deadlines/
[10] https://www.huntress.com/blog/nightspire-ransomware
[11] https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
[12] https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/
[13] https://www.rescana.com/post/dragon-boss-solutions-signed-software-abused-to-disable-antivirus-protection-in-global-malware-campa/
[14] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.5
Senior Cyber Threat Intelligence Analyst
Angela Wilson is a Senior Cyber Threat Intelligence Analyst with over a decade of experience in the cybersecurity industry. She focuses on transforming complex threat data into strategic intelligence that enhances organizational resilience and informs proactive defense.