How CrowdStrike Stops Living-off-the-Land Attacks

Adversaries have shifted their tactics away from traditional malware and toward approaches that exploit the very tools organizations rely on. Instead of introducing malicious files that can be blocked outright, attackers weaponize legitimate applications such as built-in Windows utilities, remote monitoring and management (RMM) tools, file transfer software, and administrative programs. These trusted applications allow them to blend seamlessly into business operations, establish persistence, conduct reconnaissance, and move laterally through networks.

Unauthorized use of RMM tools has become especially dangerous: throughout 2024, eCrime actors frequently used RMM tools in their campaigns, according to the CrowdStrike 2025 Global Threat Report. eCrime adversaries including CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER all used RMM tools in their operations.

Adversaries are even deploying multiple RMM applications in quick succession, so that if one is discovered, another remains in place. In at least one recent incident response engagement, CrowdStrike observed a single adversary dropping 30+ different RMM tools in the target environment, all at once.

Because these tools are essential for IT teams, it’s difficult to distinguish legitimate activity from malicious abuse. Traditional anti-malware software is often ineffective because these applications are not malware. Behavioral detection alone can also struggle to expose the subtle differences between authorized and unauthorized use, especially if stolen credentials are used.

Here, we discuss how the CrowdStrike Falcon® platform, including the new Anomalous Process Execution (APEX) capability in CrowdStrike Falcon® Insight XDR, fights back against the abuse of legitimate tools in customer environments. APEX is a new machine learning model trained on living-off-the-land binary (LOLbin) abuse to stop attackers from weaponizing trusted software.

Stopping the Abuse of Legitimate Tools

CrowdStrike already provides strong detection against RMM tool abuse and other application misuse through multiple layers of defense in the Falcon platform. Behavioral indicators of attack (IOAs) supply critical context to identify when otherwise legitimate tools are being used with malicious intent, including living-off-the-land binaries (LOLbins). Custom IOAs and indicator of compromise (IOC) management give organizations proactive control to block known or disallowed applications. CrowdStrike Falcon® Exposure Management offers visibility into installed applications across the environment to uncover risky or unauthorized tools.

These capabilities combine visibility with behavioral context to help defenders separate normal administration from malicious activity. In practice, this means the Falcon platform can already detect RMM tools misused as command-and-control, identify suspicious combinations of activity that would otherwise appear benign, and block specific unwanted tools based on customer-defined policies.

How APEX Detects Abuse in Action

APEX, now generally available for Windows systems, augments this arsenal with a breakthrough in command-line threat detection. APEX uses supervised machine learning to analyze execution patterns that could indicate an attempt to evade defenses by evaluating command syntax, parameter combinations, process lineage, timing, and system context together. This multi-dimensional analysis enables APEX to uncover subtle anomalies that reveal malicious intent even when attackers rely exclusively on trusted system tools.
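To make the idea of combining several dimensions concrete, the following is an added toy illustration, not CrowdStrike code and not a description of how APEX is built. It scores a single process-execution event on several weak signals (parent lineage, a remote URL on the command line, allow-list policy, the launching account, and time of day) and only raises a verdict when the combination crosses a threshold, so that any one signal on its own stays below it. All tool names, account names, policy sets and sample events are constructed for the example.

```python
# Added illustration (not CrowdStrike's or APEX's code): score one process
# event on several weak signals and alert only on their combination.
from dataclasses import dataclass
import re

# Constructed policy data. A real deployment would draw these from its own
# application inventory and allow-lists rather than hard-coding them.
APPROVED_RMM = {"corp_rmm_agent.exe"}                      # sanctioned RMM (assumed)
RMM_TOOLS = {"corp_rmm_agent.exe", "other_rmm.exe"}        # constructed names
DUAL_USE_BUILTINS = {"builtin_admin_tool.exe"}             # constructed name
ADMIN_USERS = {"CORP\\it-admin"}                           # constructed account
DOCUMENT_AND_SCRIPT_PARENTS = {"document_viewer.exe", "script_host.exe"}
BUSINESS_HOURS = range(7, 20)
ALERT_THRESHOLD = 4


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the new process
    cmdline: str   # full command line
    user: str      # account the process runs as
    hour: int      # local hour (0-23) at which the process started


def lineage_signal(ev):
    """Admin and RMM tooling normally starts from a service or an admin
    shell, not from a document viewer or a script host."""
    if ev.image in RMM_TOOLS | DUAL_USE_BUILTINS and ev.parent in DOCUMENT_AND_SCRIPT_PARENTS:
        return ("unusual parent lineage", 3)
    return None


def remote_resource_signal(ev):
    """A dual-use built-in handed a remote URL is worth noting but is not
    malicious by itself; administrators do this legitimately."""
    if ev.image in DUAL_USE_BUILTINS and re.search(r"https?://", ev.cmdline, re.IGNORECASE):
        return ("built-in utility given a remote URL", 2)
    return None


def policy_signal(ev):
    """An RMM tool that is not on the organisation's approved list."""
    if ev.image in RMM_TOOLS and ev.image not in APPROVED_RMM:
        return ("RMM tool outside approved list", 2)
    return None


def user_signal(ev):
    """Admin tooling launched by an account that is not an administrator."""
    if ev.image in RMM_TOOLS | DUAL_USE_BUILTINS and ev.user not in ADMIN_USERS:
        return ("admin tooling run by non-admin account", 2)
    return None


def timing_signal(ev):
    """Activity outside business hours: weak on its own, useful in combination."""
    if ev.hour not in BUSINESS_HOURS:
        return ("outside business hours", 1)
    return None


SIGNALS = [lineage_signal, remote_resource_signal, policy_signal, user_signal, timing_signal]


def score_event(ev):
    """Return (total score, list of signal names that fired)."""
    hits = [h for h in (s(ev) for s in SIGNALS) if h]
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_suspicious(ev):
    return score_event(ev)[0] >= ALERT_THRESHOLD


# Constructed sample events.
LEGIT_ADMIN = ProcessEvent("services.exe", "corp_rmm_agent.exe",
                           "corp_rmm_agent.exe --service", "CORP\\it-admin", 10)
LATE_ADMIN = ProcessEvent("services.exe", "corp_rmm_agent.exe",
                          "corp_rmm_agent.exe --service", "CORP\\it-admin", 2)
ADMIN_FETCH = ProcessEvent("admin_shell.exe", "builtin_admin_tool.exe",
                           "builtin_admin_tool.exe https://intranet.example/config", "CORP\\it-admin", 11)
SUSPECT = ProcessEvent("document_viewer.exe", "other_rmm.exe",
                       "other_rmm.exe /silent", "CORP\\j.doe", 3)

if __name__ == "__main__":
    for name, ev in [("legit admin", LEGIT_ADMIN), ("late admin", LATE_ADMIN),
                     ("admin fetch", ADMIN_FETCH), ("suspect", SUSPECT)]:
        score, reasons = score_event(ev)
        print(f"{name:12s} score={score} suspicious={is_suspicious(ev)} {reasons}")
```

The point of the weights is that a sanctioned RMM agent started late at night, or an administrator pointing a built-in utility at an internal URL, each score below the threshold, while an unapproved RMM agent launched silently from a document viewer by a non-admin account at 3 a.m. accumulates enough independent signals to cross it.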

By complementing existing IOAs, machine learning detections, and proactive controls, APEX strengthens defense in depth. On average, it delivers a more than 25% novel detection rate against sophisticated intrusions with over 99% precision,[1] reducing false positives, cutting analyst workload, and giving defenders confidence in one of the hardest areas of detection: malicious behavior that looks like normal IT activity at first glance.

Looking Ahead: Application Abuse Prevention

While APEX strengthens detection and investigation today, CrowdStrike is also preparing to give organizations greater preventive control in the future. Application Abuse Prevention, an upcoming CrowdStrike Falcon® Prevent capability, will allow customers to define which applications are trusted and block unauthorized or dual-use tools before attackers can exploit them. Unlike traditional application control solutions that enforce a rigid default-deny model across everything, this capability is targeted and context-aware, focusing on high-risk categories like RMM tools that adversaries often abuse.[2]

Other controls on the market attempt to address this problem, but most are limited in scope or granularity. Features such as potentially unwanted application (PUA) or potentially unwanted program (PUP) blocking, prevalence tracking, and broad attack surface reduction rules can provide some visibility or coarse restrictions, but they lack the specificity and flexibility needed to distinguish legitimate RMM usage from malicious abuse. Application Abuse Prevention is being designed to close that gap, giving defenders a simple and more effective way to precisely reduce the attack surface without disrupting essential operations or relying on tedious configurations.

Achieve Layered Defense on the Falcon Platform

CrowdStrike is delivering the critical protection that organizations need today, and we continue to innovate and build the next layer of defense for tomorrow. APEX provides advanced behavioral detection against the misuse of trusted tools, providing high-fidelity insights that cut through the noise. Application Abuse Prevention will add a preventive layer, allowing organizations to stop unapproved applications from executing in the first place. Together, they form a defense-in-depth strategy that combines precise detection with proactive control. The result is stronger application-aware security that helps organizations outpace evolving adversary tradecraft and stop breaches with confidence.

Additional Resources

[1] Performance claims such as detection rate and precision are based on internal CrowdStrike data on APEX detections in controlled testing environments and real-world deployments. Actual results may vary depending on specific environments, configurations, and threat landscapes. These metrics are not guarantees of performance and should not be interpreted as such.

[2] This blog about CrowdStrike products is intended for informational purposes. Please do not rely on this information in making your purchasing decisions. The development, release, and timing of any products, features or functionality not yet generally available remain at the sole discretion of CrowdStrike, and are subject to change.