Abstract

In recent years, Living off the Land (LotL) attacks have drawn attention because of their flexibility and the difficulty of detecting them. These attacks abuse legitimate tools already present on the system to carry out malicious activity, hiding malicious intent behind normally benign programs. Existing detection methods for such attacks rely largely on expert rules. While rule tags can effectively detect known attacks, they also produce a high false positive rate, which lowers the detection accuracy of the resulting models. To address these issues, we propose a detection system called LOTLDetector, which combines deep learning methods with expert rules to detect malicious command lines in LotL attacks from both the data and the knowledge perspective. LOTLDetector learns the semantics of command line text through neural networks and fuses them with rule tags derived from expert knowledge, enabling more comprehensive detection of LotL attacks. We evaluated our method extensively on a Windows dataset containing 27,448 command lines and a Linux dataset containing 27,093 command lines, and compared it with existing methods. The results show that our method significantly outperforms existing methods in detecting malicious command lines. On the Linux dataset the system achieved an accuracy of 0.9728; on the Windows dataset its accuracy reached 0.9598, about 8% higher than the best existing method. In addition, our project has been open-sourced at https://github.com/csedikaf/LOTLDetector.

Details

Title
LOTLDetector: living off the land attacks detection system based on feature fusion
Author
Zhu, Tiantian 1; Zheng, Jie 1; Chen, Tieming 1; Lv, Mingqi 1; Xiong, Chunlin 2; Weng, Zhengqiu 3; Zheng, Xiangyang 3

1 Zhejiang University of Technology, College of Computer Science and Technology, Hangzhou, China (GRID:grid.469325.f) (ISNI:0000 0004 1761 325X)
2 China Unicom (Guangdong) Industrial Internet Company Ltd., Guangzhou, China (GRID:grid.469325.f)
3 Wenzhou University of Technology, School of Data Science and Artificial Intelligence, Wenzhou, China (GRID:grid.469325.f) (ISNI:0000 0005 1164 4044)
Publication title
Cybersecurity; Singapore
Volume
9
Issue
1
Pages
4
Publication year
2026
Publication date
Dec 2026
Publisher
Springer Nature B.V.
Place of publication
Singapore
Country of publication
Netherlands
Publication subject
e-ISSN
25233246
Source type
Scholarly Journal
Language of publication
English
Document type
Journal Article
Publication history
Online publication date
2026-01-04
Milestone dates
2025-11-27 (Registration); 2024-11-07 (Received); 2025-11-26 (Accepted)
First posting date
04 Jan 2026
ProQuest document ID
3290061051
Document URL
https://www.proquest.com/scholarly-journals/lotldetector-living-off-land-attacks-detection/docview/3290061051/se-2?accountid=208611
Copyright
© The Author(s) 2026. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
Last updated
2026-01-05
Database
ProQuest One Academic