LOLs (Living off the Land)
Rather than always creating their own malware, cyber criminals can often make use of an organization's infrastructre, and use it for their own ends. This act is called 'Living Off the Land' - cyber criminals will try to blend into the environment and use utilities readily available to them. APTs in particular prefer this method, as their main priority is to evade and work 'behind the scenes'.
The best chance of identifying a LOL attack is to use an NGAV with AI, which can help recognize any suspicious behavior.