Seemingly Benign Programs used for Hacking
Hackers use seemingly benign programs for nefarious purposes: they manipulate and repurpose software and applications originally designed for harmless tasks to serve their malicious goals. What makes this trend alarming is that it blurs the distinction between everyday software and potential instruments of cyberattack.
Some of the software has obvious dual uses, and some of it is used every day. Other programs on the list were created specifically for "administrative" purposes, such as password recovery or remote management.
All of these programs require one thing: access. A security professional who sees these programs on their network would probably do some further research on why they are being used.
This information is also available at https://attack.mitre.org/versions/v13/software/S0430/
The list that follows highlights some of these ordinary programs and their darker, hidden capabilities.
Tool | Intended Use | Repurposed Use by Hackers | MITRE ATT&CK ID
--- | --- | --- | ---
7-zip | Compresses files into an archive. | Compresses data to avoid detection before exfiltration. | T1562 Impair Defenses
AdFind | Searches Active Directory (AD) and gathers information. | Gathers AD information used to exploit a victim's network, escalate privileges, and facilitate lateral movement. | S0552 AdFind
Advanced Internet Protocol (IP) Scanner | Performs network scans and shows network devices. | Maps a victim's network to identify potential access vectors. | T1046 Network Service Discovery
Advanced Port Scanner | Performs network scans. | Finds open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports for exploitation. | T1046 Network Service Discovery
AdvancedRun | Allows software to be run with different settings. | Enables escalation of privileges by changing settings before running software. | TA0004 Privilege Escalation
AnyDesk | Enables remote connections to network devices. | Enables remote control of a victim's network devices. | T1219 Remote Access Software
Atera Remote Monitoring & Management (RMM) | Enables remote connections to network devices. | Enables remote control of a victim's network devices. | T1219 Remote Access Software
Backstab | Terminates antimalware-protected processes. | Terminates endpoint detection and response (EDR)-protected processes. | T1562.001 Impair Defenses: Disable or Modify Tools
Bat Armor | Generates .bat files using PowerShell scripts. | Bypasses PowerShell execution policy. | T1562.001 Impair Defenses: Disable or Modify Tools
Bloodhound | Performs reconnaissance of AD for attack path management. | Enables identification of AD relationships that can be exploited to gain access to a victim's network. | T1482 Domain Trust Discovery
Chocolatey | Handles command-line package management on Microsoft Windows. | Facilitates installation of threat actors' tools. | T1072 Software Deployment Tools
Defender Control | Disables Microsoft Defender. | Enables hackers to bypass Microsoft Defender. | T1562.001 Impair Defenses: Disable or Modify Tools
ExtPassword | Recovers passwords from Windows systems. | Obtains credentials for network access and exploitation. | T1003 Operating System (OS) Credential Dumping
FileZilla | Performs cross-platform File Transfer Protocol (FTP) transfers to a site, server, or host. | Enables data exfiltration over FTP to the threat actors' site, server, or host. | T1071.002 Application Layer Protocol: File Transfer Protocols
FreeFileSync | Facilitates cloud-based file synchronization. | Facilitates cloud-based file synchronization for data exfiltration. | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
GMER | Removes rootkits. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools
Impacket | Collection of Python classes for working with network protocols. | Enables lateral movement on a victim's network. | S0357 Impacket
LaZagne | Recovers system passwords across multiple platforms. | Collects credentials for accessing a victim's systems and network. | S0349 LaZagne
Ligolo | Establishes SOCKS5 or TCP tunnels from a reverse connection for pen testing. | Enables connections to systems within the victim's network via reverse tunneling. | T1095 Non-Application Layer Protocol
LostMyPassword | Recovers passwords from Windows systems. | Obtains credentials for network access and exploitation. | T1003 OS Credential Dumping
MEGA Ltd MegaSync | Facilitates cloud-based file synchronization. | Facilitates cloud-based file synchronization for data exfiltration. | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Microsoft Sysinternals ProcDump | Monitors applications for central processing unit (CPU) spikes and generates crash dumps during a spike. | Obtains credentials by dumping the contents of Local Security Authority Subsystem Service (LSASS). | T1003.001 OS Credential Dumping: LSASS Memory
Microsoft Sysinternals PsExec | Executes a command-line process on a remote machine. | Enables threat actors to control a victim's systems. | S0029 PsExec
Mimikatz | Extracts credentials from a system. | Extracts credentials from a system for gaining network access and exploiting systems. | S0002 Mimikatz
Ngrok | Enables remote access to a local web server by tunnelling over the internet. | Enables victim network protections to be bypassed by tunnelling to a system over the internet. | S0508 Ngrok
PasswordFox | Recovers passwords from the Firefox browser. | Obtains credentials for network access and exploitation. | T1555.003 Credentials from Web Browsers
PCHunter | Enables advanced task management, including system processes and kernels. | Terminates and circumvents EDR processes and services. | T1562.001 Impair Defenses: Disable or Modify Tools
PowerTool | Removes rootkits, as well as detecting, analyzing, and fixing kernel structure modifications. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools
Process Hacker | Removes rootkits. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools
PuTTY Link (Plink) | Automates Secure Shell (SSH) actions on Windows. | Enables threat actors to avoid detection. | T1572 Protocol Tunneling
Rclone | Manages cloud storage files using a command-line program. | Facilitates data exfiltration over cloud storage. | S1040 Rclone
Seatbelt | Performs numerous security-oriented checks. | Performs numerous security-oriented checks to enumerate system information. | T1082 System Information Discovery
ScreenConnect (also known as ConnectWise) | Enables remote connections to network devices for management. | Enables threat actors to remotely connect to a victim's systems. | T1219 Remote Access Software
SoftPerfect Network Scanner | Performs network scans for systems management. | Enables threat actors to obtain information about a victim's systems and network. | T1046 Network Service Discovery
Splashtop | Enables remote connections to network devices for management. | Enables threat actors to remotely connect to systems over Remote Desktop Protocol (RDP). | T1021.001 Remote Services: Remote Desktop Protocol
TDSSKiller | Removes rootkits. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools
TeamViewer | Enables remote connections to network devices for management. | Enables threat actors to remotely connect to a victim's systems. | T1219 Remote Access Software
ThunderShell | Facilitates remote access via Hypertext Transfer Protocol (HTTP) requests. | Enables threat actors to remotely access systems while encrypting network traffic. | T1071.001 Application Layer Protocol: Web Protocols
WinSCP | Facilitates file transfer using the SSH File Transfer Protocol for Microsoft Windows. | Enables data exfiltration via the SSH File Transfer Protocol. | T1048 Exfiltration Over Alternative Protocol
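As an added example (not code from the original page), the following Python script shows the kind of check the introduction describes: scan process-creation logs for the tools in the table above, tag each hit with its ATT&CK ID, and suppress hits that a baseline of already-explained, sanctioned use accounts for. The log line format, the executable file names on the watchlist, the approved-use list and the sample log lines are all assumptions constructed for the example; the ATT&CK IDs are taken from the table.

```python
"""
Flag known dual-use tools in process-creation logs and tag each hit with the
MITRE ATT&CK ID from the table. Illustrative detection logic, not part of the
original page; executable names, log format and baseline are assumptions.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "timestamp host user tool attack_id technique")

# Watchlist: executable name (lower-case) -> (tool, ATT&CK ID, technique name).
# The IDs come from the page's table; the executable file names are assumed.
DUAL_USE_TOOLS = {
    "7z.exe": ("7-zip", "T1562", "Impair Defenses"),
    "adfind.exe": ("AdFind", "S0552", "AdFind"),
    "advanced_ip_scanner.exe": ("Advanced IP Scanner", "T1046", "Network Service Discovery"),
    "anydesk.exe": ("AnyDesk", "T1219", "Remote Access Software"),
    "procdump.exe": ("ProcDump", "T1003.001", "OS Credential Dumping: LSASS Memory"),
    "psexec.exe": ("PsExec", "S0029", "PsExec"),
    "mimikatz.exe": ("Mimikatz", "S0002", "Mimikatz"),
    "ngrok.exe": ("Ngrok", "S0508", "Ngrok"),
    "rclone.exe": ("Rclone", "S1040", "Rclone"),
    "plink.exe": ("Plink", "T1572", "Protocol Tunneling"),
    "winscp.exe": ("WinSCP", "T1048", "Exfiltration Over Alternative Protocol"),
}

# Baseline of sanctioned use (assumed): (host, executable) pairs an administrator
# has already explained. These are skipped; everything else on the watchlist is a hit.
APPROVED = {
    ("admin-jump01", "psexec.exe"),
    ("backup-srv02", "rclone.exe"),
}

# Assumed log format: "<ISO timestamp> <host> <user> <image path> [arguments]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>\S+)(?:\s+(?P<args>.*))?$"
)


def image_basename(image: str) -> str:
    """Return the lower-case file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", image)[-1].lower()


def scan_process_log(lines):
    """Return an Alert for every unsanctioned execution of a watchlisted tool."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        exe = image_basename(m.group("image"))
        entry = DUAL_USE_TOOLS.get(exe)
        if entry is None:
            continue  # not a tool we track
        host = m.group("host").lower()
        if (host, exe) in APPROVED:
            continue  # known, explained use on this host
        tool, attack_id, technique = entry
        alerts.append(Alert(m.group("ts"), host, m.group("user"), tool, attack_id, technique))
    return alerts


def summarize(alerts):
    """Count hits per ATT&CK ID so the analyst can see which techniques cluster."""
    counts = {}
    for a in alerts:
        counts[a.attack_id] = counts.get(a.attack_id, 0) + 1
    return counts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z admin-jump01 CORP\\jsmith C:\\Tools\\PsExec.exe",
    "2024-05-01T09:14:55Z ws-0231 CORP\\jsmith C:\\Windows\\System32\\notepad.exe",
    "2024-05-01T09:20:17Z ws-0231 CORP\\jsmith C:\\Users\\Public\\procdump.exe",
    "2024-05-01T09:21:40Z ws-0231 CORP\\jsmith C:\\Users\\Public\\rclone.exe copy C:\\Finance remote:bucket",
    "2024-05-01T09:22:02Z ws-0231 CORP\\jsmith C:\\Users\\Public\\ngrok.exe",
    "this line is not in the expected format",
    "2024-05-01T09:30:00Z backup-srv02 CORP\\svc_backup D:\\rclone\\rclone.exe sync D:\\Backups remote:vault",
]

if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG)
    for a in hits:
        print(f"{a.timestamp} {a.host} {a.user}: {a.tool} -> {a.attack_id} ({a.technique})")
    print(summarize(hits))
```

On the constructed sample, the PsExec run on the jump host and the Rclone run on the backup server are suppressed by the baseline, the malformed line is skipped, and three hits remain (ProcDump, Rclone and Ngrok on the same workstation within two minutes), which is exactly the pattern the text suggests a security professional should look into further. The baseline matters: without it, every legitimate administrator would generate noise, and the analyst would stop reading the alerts.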
Reference:
https://attack.mitre.org/versions/v13/software/S0430/