How Criminals Abuse Common Security Tools – and Use Them Against You


Criminals are exploiting the very tools used by security teams. Sophos researchers have recently observed an increase in attacks in which criminals target tools used by incident responders and penetration testers. These attacks involve very little or no malware, but instead harness the existing components of the operating system or popular software packages.

“We've been seeing this for years, and it's increasing now,” says Chester Wisniewski, principal research scientist at Sophos. “It makes sense because we've built a robust set of tools for good guys to hack into our networks.”

Now, however, criminals are stealing those same tools and using them to break into systems and steal data. With these types of “living off the land” attacks, criminals use a system’s native tools to launch an attack. Because the tools are commonly used legitimate programs, the attack is often undetectable.

“Most teams just see it as a legitimate tool that runs on the network and think, ‘Why would I be suspicious of that?’” says Wisniewski. “And now we know that you do need to be suspicious. Even if it seems like it might be authorized, you may need to investigate.”

Some of the most commonly used and abused tools include Metasploit, BloodHound, mimikatz, PowerShell Empire, Cobalt Strike, Veil Evasion, Hydra THC, Enigma, Nishang, and Shellter. These attacks also usually involve automation in the form of native scripting, such as PowerShell, batch files, or VBScript scripts, collectively referred to as LOLscripts.

How can companies guard against their own tools being used against them? Wisniewski recommends implementing strategies that take behavior into consideration. For example, by raising an alert when a tool is used outside of its planned maintenance window, security teams can investigate and, if needed, take action to mitigate the threat. These kinds of processes can go a long way toward improving the signal-to-noise ratio.

“A lot of teams will have a planned time for use and say ‘OK, next Saturday we're going to be doing maintenance.’ During that time window, you expect those tools to be used, because you know you're upgrading systems,” Wisniewski says. “That means the rest of the time, if you see any of those tools being used, you know it's potentially malicious.”
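The maintenance-window rule Wisniewski describes can be turned into a small detection that runs over process-execution telemetry. The following is an added example, not code from the article, from Sophos, or from any of the tools named above; it assumes a simple constructed log format (timestamp, host, user, image path, command line), a recurring Saturday-night window defined by the team, and a handful of name-based patterns for the dual-use tools the article lists. Those patterns are placeholders for illustration: a production rule would also key on file hashes, code-signing details, and parent-process context, and the window definitions would come from the change calendar rather than a constant.

```python
"""Flag executions of known dual-use security tools that fall outside a planned
maintenance window. Added example with assumed log format, tool list and windows."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class MaintenanceWindow:
    """Recurring window starting on `weekday` (0=Mon .. 6=Sun) at `start_hour`,
    lasting `hours`. A window may cross midnight (e.g. Saturday 22:00 for 8 hours)."""
    weekday: int
    start_hour: int
    hours: int

    def contains(self, ts: datetime) -> bool:
        # Find the most recent occurrence of the window start at or before ts.
        days_back = (ts.weekday() - self.weekday) % 7
        start = ts.replace(hour=self.start_hour, minute=0, second=0, microsecond=0)
        start -= timedelta(days=days_back)
        if start > ts:  # start is later today than ts: use last week's occurrence
            start -= timedelta(days=7)
        return start <= ts < start + timedelta(hours=self.hours)


# Assumed schedule: Saturday 22:00 to Sunday 06:00 is the approved maintenance window.
DEFAULT_WINDOW = MaintenanceWindow(weekday=5, start_hour=22, hours=8)

# Tools named in the article, matched on image path plus command line.
# Name-based patterns are an assumption for illustration only.
TOOL_PATTERNS = {
    "mimikatz": re.compile(r"mimikatz", re.I),
    "BloodHound": re.compile(r"bloodhound", re.I),
    "PowerShell Empire": re.compile(r"\bempire\b", re.I),
    "Cobalt Strike": re.compile(r"cobalt\s*strike", re.I),
    "Metasploit": re.compile(r"metasploit", re.I),
    "Nishang": re.compile(r"nishang", re.I),
}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


# Assumed constructed line format: "<iso-ts> host=<h> user=<u> image=<path> cmdline=<rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$"
)


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one telemetry line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["image"], m["cmd"])


def identify_tool(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the first known tool pattern found in the event, if any."""
    haystack = f"{ev.image} {ev.cmdline}"
    for name, pat in TOOL_PATTERNS.items():
        if pat.search(haystack):
            return name
    return None


def triage(lines: Sequence[str], windows: Sequence[MaintenanceWindow]) -> dict:
    """Count every known-tool execution and alert only on those outside all windows.
    Returns {"tool_events": int, "alerts": [(iso_ts, host, user, tool), ...]}."""
    tool_events = 0
    alerts: List[tuple] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tool = identify_tool(ev)
        if tool is None:
            continue
        tool_events += 1
        if any(w.contains(ev.ts) for w in windows):
            continue  # expected use during approved maintenance
        alerts.append((ev.ts.isoformat(), ev.host, ev.user, tool))
    return {"tool_events": tool_events, "alerts": alerts}


# Constructed sample telemetry: 2021-06-05 is a Saturday, 2021-06-06 a Sunday.
SAMPLE_LOG = [
    "2021-06-05T22:30:00 host=dc01 user=CORP\\svc_backup image=C:\\Tools\\mimikatz.exe cmdline=mimikatz.exe",
    "2021-06-06T03:15:00 host=ws07 user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell.exe -File C:\\Temp\\nishang\\script.ps1",
    "2021-06-08T14:02:00 host=ws07 user=CORP\\jdoe image=C:\\Users\\jdoe\\Downloads\\BloodHound.exe cmdline=BloodHound.exe",
    "2021-06-08T14:05:00 host=ws07 user=CORP\\jdoe image=C:\\Windows\\notepad.exe cmdline=notepad.exe",
    "2021-06-09T01:20:00 host=srv02 user=CORP\\admin image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c mimikatz.exe",
    "this line is not telemetry and is skipped",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, [DEFAULT_WINDOW])
    print(f"{result['tool_events']} tool executions, {len(result['alerts'])} outside the window:")
    for alert in result["alerts"]:
        print("  ALERT", *alert)
```

Run as a script, the sample yields four known-tool executions but only two alerts: the Saturday-night mimikatz run and the early-Sunday Nishang script fall inside the approved window and are suppressed, while the Tuesday BloodHound launch and the Wednesday-night mimikatz invocation are surfaced for investigation. That suppression of expected activity is exactly the signal-to-noise gain the article describes; the remaining alerts are few enough that a human can actually look at each one.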

Active, living-off-the-land attacks often require human threat monitoring, detection and response. Sophos can assist you with Sophos Managed Threat Response. Learn more at


Copyright © 2021 IDG Communications, Inc.