1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

5/24/2021

0 Comments

Top 3 Tools Used by Cyberattackers in 2020 and Early 2021

 
tools used by cyberattackers

Top 3 Tools Used by Cyberattackers in 2020 and Early 2021

Three legitimate pentesting tools – PowerShell, Cobalt Strike, and PsExec – topped the list of tools used by cyberattackers in breaking into victims’ networks in 2020 and early 2021, according to Sophos’ report based from frontline threat hunters and incident responders.

In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell, followed by Cobalt Strike, and PsExec are the top 3 tools used by cyberattackers in 2020 and early 2021.

PowerShell, Cobalt Strike, and PsExec are legitimate tools used by IT administrators and security professionals for penetration testing, also known as pentesting – an authorized simulated cyberattack against an organization’s computer system to examine exploitable vulnerabilities. Threat actors, however, have been using these same pentesting tools to break into victims’ networks.

According to Sophos report, correlations emerge among the top 3 tools found in victims’ networks. The report added that when PowerShell is used in an attack, Cobalt Strike was seen in 58% of cases, and PsExec in 49% of cases; Cobalt Strike and PsExec were used together in 27% of attacks; and the combination of Cobalt Strike, PowerShell, and PsExec occurs in 12% of all attacks.

PowerShell

PowerShell is a task-based command-line shell and scripting language designed for system administration in the Windows operating system. Attackers use PowerShell to conduct a number of malicious activities, including executing malicious code, creating new tasks on remote machines, identifying configuration settings, pulling Active Directory information from the target environment, evading defenses, exfiltrating data, and executing other commands.

The malicious software called “Emotet” has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report. Mimikatz is capable of obtaining plaintext Windows account logins and passwords.

PsExec

PsExec is a free Microsoft tool that is used by IT administrators to execute a program on another computer. This tool has been used by attackers to download or upload a file over a network share.

Cobalt Strike

Cobalt Strike is a commercially available pentesting tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors."

This commercial pentesting tool was developed by researcher Raphael Mudge in 2012. This tool was recently acquired by HelpSystems. In 2020, the source code of Cobalt Strike version 4.0 was leaked to the public. Adversaries often use the purchased and pirated/cracked versions of Cobalt Strike.

This tool is capable of executing a payload on a remote host with PowerShell and using PsExec to execute a payload on a remote host. Cobalt Strike’s Beacon is used to perform actions such as collecting information on process details, reaching out to the command-and-control server on an arbitrary and random interval, breaking large data sets into smaller chunks for exfiltration, and capturing screenshots.

Real-World Examples

The tools PowerShell and Cobalt Strike were used in the recently unraveled supply chain attack on SolarWinds.

In the SolarWinds supply chain attack, attackers compromised the code update of SolarWinds’s product Orion, which gave the attackers the opportunity to attack customers that applied the compromised SolarWinds Orion update. The SolarWinds supply chain attack victims include cybersecurity firm FireEye and Microsoft.

In the blog post "Raindrop: New Malware Discovered in SolarWinds Investigation," security researchers at Symantec reported that the malicious software (malware) called "Raindrop" enabled the delivery of Cobalt Strike into the victims’ networks. Security researchers at Symantec reported that in the victim’s computer where the Raindrop malware was found, it was observed that several days later, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop malware on additional computers in the organization.

The top 3 tools, PowerShell, Cobalt Strike, and PsExec, used by cyberattackers in 2020 and early 2021 were all used by the group behind the ransomware called “DoppelPaymer.” Similar to modern-day ransomware, DoppelPaymer encrypts victims’ files, locking these victims out from accessing their files, and demands from victims to pay ransom in exchange for the decryption tool that would unlock the encrypted files.

Similar to other modern ransomware, the group behind DoppelPaymer threatens victims with the publication of their stolen files on the data leak site as part of the ransomware’s extortion scheme. In DoppelPaymer ransomware, PowerShell, Cobalt Strike, PsExec, and Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report – were used to stealing credentials, moving laterally inside the network, and executing different commands.

In the blog post "Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk," Microsoft 365 Defender Threat Intelligence Team said that defenders should pay attention to malicious “PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.”

“Security teams can defend their organization by monitoring and investigating suspicious activity,” Sophos in the “The Active Adversary Playbook 2021” said. “The difference between benign and malicious is not always easy to spot. Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and the ability to respond are a vital part of any security solution.”

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2025
    February 2025
    January 2025
    November 2024
    October 2024
    September 2024
    July 2024
    June 2024
    April 2024
    March 2024
    February 2024
    January 2024
    December 2023
    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    AI Security
    Artificial Intelligence
    ATP
    Awareness Training
    Blockchain
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cybercrime
    Cyber Espionage
    Cyber Insurance
    Cyber Security
    Cybersecurity
    Cybersecurity Audit
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    Data Privacy
    DDoS
    Email Security
    Endpoint Protection
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    Incident Management
    Insider Threat
    IoT
    Machine Learning
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third Party Risk
    Third-Party Risk
    VCISO
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
SME CyberShield
​Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit