Cybercriminals love this little-known Microsoft tool a lot - but not as much as this CLI utility for network management

• Netsh.exe is the most abused Windows tool, and it still hides in plain sight
• PowerShell shows up on 73% of endpoints, not just in admin hands
• WMIC’s surprising comeback shows attackers favor tools no one’s watching anymore

A new analysis of 700,000 security incidents has revealed just how extensively cybercriminals exploit trusted Microsoft tools to breach systems undetected.

While the trend of attackers using native utilities, known as Living off the Land (LOTL) tactics, is not new, the latest data from Bitdefender’s GravityZone platform suggests it’s even more widespread than previously believed.

A staggering 84% of high-severity attacks involved the use of legitimate system binaries already present on machines. This undermines the effectiveness of conventional defenses, even those marketed as the best antivirus or best malware protection.

Abuse of trusted system tools - netsh.exe tops the list

Some of the tools most commonly abused ...