8 Legit Tools and Utilities That Cybercriminals Commonly Misuse
Threat actors are increasingly 'living off the land,' using publicly available management and administration tools to conceal malicious activity.
July 18, 2019
Cybercriminals have long used legitimate management and administration tools to break into enterprise networks, move laterally within them, and maintain persistence.
Lately, though, use of these so-called living-off-the-land tactics has increased substantially.
Positive Technologies recently analyzed the tools that 29 advanced persistent threat groups are currently using in their campaigns worldwide. Its study shows that more than half of them leverage legitimate, publicly available penetration testing and systems administration tools to develop their attacks after gaining an initial foothold on a network.
The reason? Such tools allow attackers to hide their activities in a sea of legitimate traffic. "Threat actors increasingly leverage dual-use tools or tools that are already preinstalled on targeted systems to carry out cyberattacks," said Fortinet in a recent report.
This makes it harder for defenders to spot malicious activity and makes attack attribution much more difficult. "Unfortunately, adversaries can use a wide range of legitimate tools to accomplish their goals and hide in plain sight," Fortinet said.
Here, according to security experts, are eight of the most commonly abused legitimate utilities and tools.
Cobalt Strike and Metasploit Pro are pen-testing platforms that security teams use to look for unpatched vulnerabilities and misconfigurations on their networks and to conduct red-teaming exercises. Attackers routinely use these tools in conducting attacks on targeted organizations.
Vendors selling such products often vet their customers strictly, so attackers interested in using these tools have to obtain them from underground sources, according to the Positive Technologies report.
"For example, Cobalt Strike developers are checking buyers, so there is a demand for hacked or illegally obtained versions in the Dark Web market," says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. "Criminals can purchase a modified version of the program, in which there are additional functions that make it difficult to detect."
Windows systems administrators use PowerShell to quickly automate tasks and configure systems using a command-line shell. It is a built-in feature in all versions of Windows, starting with Windows XP. PowerShell also can be run on Linux systems. In recent years, fileless attacks abusing PowerShell have gone through the roof.
"Tool suites like PowerSploit are written in PowerShell, allowing attackers to load code locally and remotely, bypass security controls, escalate privileges, pillage for credentials and sensitive data, and much more," says John Sawyer, associate director of red team services at IOActive.
PowerShell has been abused so heavily over the past eight years or so that Microsoft has had to go to great lengths to add in more security controls and monitoring within each new version, he says.
Administrators use Windows Sysinternals, a suite of more than 70 free utilities, to manage, troubleshoot, and diagnose problems with Windows systems and applications. The suite includes file and disk utilities, networking utilities, process utilities, and security utilities that, among other things, allow administrators to execute processes and run commands on remote systems. Just like administrators rely heavily on these tools for managing Windows environments, attackers routinely use them in their campaigns as well.
The most frequently abused Sysinternals utilities, according to Positive Technologies, include PsExec, for running commands and executing payloads on remote systems; ProcDump, for grabbing credentials from memory; PsList, for gathering information on all running processes on a system; SDelete, for erasing files; and NirCmd, for remote command execution.
"PsExec is one of the most abused tools in the set, allowing admins and attackers to run commands remotely against Windows hosts," IOActive's Sawyer says.
WMI scripts allow Windows administrators to automate certain tasks on remote computers. These scripts enable admins to collect data from other computers for managing configurations, setting system properties and permissions, and various other tasks. WMI is also used in a wide range of attacks.
"WMI is one of the easiest and most stealthy components of many modern attacks," the SANS Institute noted in an advisory earlier this year. WMI offers attackers a way to sneak past application whitelisting and host-based antimalware tools, turn off error logging, and easily obfuscate malicious scripts.
To exploit WMI, attackers need administrator-level access on the compromised devices. With that level of access, "every aspect of the post-exploit kill chain can be accomplished with built-in WMI capabilities and, unfortunately, minimal logging," according to SANS.
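The PowerShell, Sysinternals and WMI sections above each describe a tool whose abuse leaves a recognisable trace in process-creation telemetry: PowerShell launched with an encoded command line, the PSEXESVC service that PsExec installs on the target, and WmiPrvSE.exe spawning a shell. The following is an added example, written for this page and not taken from the article or from any of the vendors it cites, of a defender's triage pass over such events. The event shape, field names and sample events are constructed for the example; a real deployment would map them onto its own source, such as Sysmon Event ID 1 or Security event 4688.

```python
# Added example (not from the article): triage of process-creation telemetry
# for three living-off-the-land patterns. Field names are an assumed,
# simplified shape; map them onto your own telemetry before use.
import base64
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional


@dataclass
class ProcEvent:
    host: str
    image: str          # path of the newly created process
    command_line: str
    parent_image: str   # path of the parent process


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)
_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell expects the argument to be base64 of UTF-16LE text, so a
    decoded string lets an analyst see what ran instead of a base64 blob."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def triage(events: List[ProcEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        # 1. PowerShell started with an encoded command line.
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(ev.command_line)
            if decoded is not None:
                findings.append(Finding(ev.host, "encoded_powershell", decoded))
        # 2. PsExec copies PSEXESVC to the target and runs it as a service;
        #    the service binary and anything it spawns are the artefact.
        if image == "psexesvc.exe" or parent == "psexesvc.exe":
            findings.append(Finding(ev.host, "psexec_service", ev.command_line))
        # 3. Remote WMI process creation shows up as the WMI provider host
        #    (WmiPrvSE.exe) spawning a shell, which is rare in normal admin.
        if parent == "wmiprvse.exe" and image in _SHELLS:
            findings.append(Finding(ev.host, "wmi_spawned_shell", ev.command_line))
    return findings


# Constructed sample telemetry (not real logs). The encoded payload is a
# harmless "Get-Process" so the decode step has something to show.
_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -enc {_ENCODED}",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv02", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("srv03", r"C:\Windows\System32\cmd.exe", "cmd.exe /c hostname",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # Benign: a scheduled inventory script run from a script file, not encoded.
    ProcEvent("ws04", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

The three rules are deliberately narrow so that they stay precise rather than noisy; a renamed PSEXESVC binary or a WMI call that launches something other than a shell would slip past them, which is why in practice they are paired with service-installation and PowerShell script-block logging rather than used alone.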
Mimikatz is one of the most widely used attacker tools in recent years. The tool was originally developed as a proof-of-concept to highlight vulnerabilities in Microsoft's authentication protocols, and pen testers use it to probe for weak spots in enterprise networks.
For attackers, Mimikatz has become the preferred post-exploit tool for stealing credentials and for lateral movement on compromised networks. Mimikatz, according to security vendor Varonis, is "one of the most widely used and downloaded hacker tools of the past 20 years."
TeamViewer is another popular remote access and administration tool that threat actors frequently abuse to take control of host systems. One recent example was a targeted attack against individuals working at several embassies in Europe. In the campaign, the attacker first lured victims with a phishing email disguised as a top-secret US government document and then downloaded a malicious version of TeamViewer on the compromised system. The modified VNC contained functionality for hiding its interface so victims wouldn't know the utility was running on their systems.
The Living Off The Land Binaries and Scripts project (LOLBAS) lists dozens of legitimate binaries, scripts, and libraries that threat actors can, and often do, exploit in attacks. All of the items listed on the project's page have some unexpected functionality that makes them of use to adversaries. Among them are functions that allow for arbitrary code execution; file uploading, downloading, and copying; credential theft; compiling code; and achieving persistence on a compromised system.
The binaries, libraries, and scripts on the LOLBAS website are great examples of trusted executables distributed with Windows that are being abused, IOActive's Sawyer says. "The project demonstrates ways to abuse these binaries to load executable code and scripts to bypass endpoint security products, elevate privileges, or maintain persistence," he says.