Living Off the LLM: How LLMs Will Change Adversary Tactics

Oesch, Sean, Hutchins, Jack, Koch, Luke, Kurian, Kevin

arXiv.org Artificial Intelligence 

Abstract---In living off the land (LOTL) attacks, malicious actors use legitimate tools and processes already present on a system to avoid detection. In this paper, we explore how the on-device LLMs of the future will become a security concern as threat actors integrate LLMs into their living off the land attack pipeline, and ways the security community may mitigate this threat. The legitimate binaries used in LOTL attacks are often referred to as living off the land binaries, or LOLBins. These techniques allow threat actors to blend in with normal system activity, making their actions difficult to detect and potentially bypassing basic security measures. LOTL attacks leverage legitimate system tools like WMI and PowerShell that are typically allowlisted, making them difficult to detect and attribute since they leave no malware signatures. These attacks allow adversaries extended dwell time to execute sophisticated operations, while the lack of malicious signatures enables repeated use of the same tactics and complicates both prevention and incident response.
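Because LOLBins such as PowerShell and WMI are allowlisted and leave no malware signature, detection has to rely on how they are used rather than on what they are. The following is an added example written for this abstract, not code from the paper or its authors: it builds a per-binary baseline of which parent processes normally launch each LOLBin during a trusted period, then flags later launches from parents never seen in that baseline or with unusually long command lines. The event format, the LOLBin list, the length threshold and all log records are constructed assumptions chosen for illustration.

```python
"""Baseline-driven detector for unusual use of living-off-the-land binaries.

Added example for this abstract; it is not code from the paper. The event
tuple format (parent, child, command line), the LOLBin list and the
command-line length threshold are assumptions made for illustration.
"""
from collections import defaultdict

# Allowlisted tools the abstract names as typical LOLBins (assumed list; extend as needed).
LOLBINS = {"powershell.exe", "wmic.exe"}

# Constructed events from a trusted period, used to learn normal parent processes.
BASELINE_EVENTS = [
    ("explorer.exe", "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ("services.exe", "wmic.exe", "wmic.exe os get version"),
    ("svchost.exe", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
]

# Constructed events to evaluate; two of them come from parents absent from the baseline.
NEW_EVENTS = [
    ("explorer.exe", "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ("winword.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Process"),
    ("services.exe", "wmic.exe", "wmic.exe os get version"),
    ("outlook.exe", "wmic.exe", "wmic.exe process list brief"),
]


def build_baseline(events):
    """Map each LOLBin to the set of parent processes observed launching it."""
    parents = defaultdict(set)
    for parent, child, _cmdline in events:
        child = child.lower()
        if child in LOLBINS:
            parents[child].add(parent.lower())
    return parents


def score_event(event, baseline, max_cmd_len=200):
    """Return the reasons an event deviates from the baseline (empty list = normal).

    max_cmd_len is an assumed threshold; tune it from your own telemetry.
    """
    parent, child, cmdline = event
    child = child.lower()
    if child not in LOLBINS:
        return []  # not a binary we baseline; other controls apply
    reasons = []
    if parent.lower() not in baseline.get(child, set()):
        reasons.append(f"unseen parent {parent} for {child}")
    if len(cmdline) > max_cmd_len:
        reasons.append(f"command line length {len(cmdline)} exceeds {max_cmd_len}")
    return reasons


def detect(events, baseline):
    """Return (event, reasons) pairs for every event that deviates from the baseline."""
    alerts = []
    for event in events:
        reasons = score_event(event, baseline)
        if reasons:
            alerts.append((event, reasons))
    return alerts


if __name__ == "__main__":
    learned = build_baseline(BASELINE_EVENTS)
    for event, reasons in detect(NEW_EVENTS, learned):
        print(f"ALERT {event[1]} <- {event[0]}: {'; '.join(reasons)}")
```

The baseline is the whole point: a signature-based control has nothing to match on, so the detector instead records which parents legitimately spawn each LOLBin and treats a new parent (here an Office application launching PowerShell or WMI) as the anomaly. In production the baseline would be learned per host or per user over a longer window and stored outside the script.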