Top 10 post-exploitation tools threat actors use in real intrusions

All cyberattacks start the same way: with threat actors figuring out how to gain access to a network. A malicious payload, such as ransomware, can’t be delivered without a means of entry into a victim’s business environment. Gaining access hinges on finding something exploitable, be it an unpatched vulnerability, stolen credentials purchased on the dark web, or duping users through social engineering. Once exploited, attackers can then concentrate on their end goals by laterally moving across systems, establishing persistent access and exfiltrating sensitive data; usually, all of the above.

What “post-exploitation” means and why these tools matter

The tools used to facilitate this phase of the attack are specifically named for it: “post-exploitation.” Many post-exploitation tools are legitimate, commercially available, or open-source software packages used by businesses to diagnose network issues or, ironically, to simulate potential cyberattacks and highlight a securable, exploitable attack surface. These tools come prepackaged with lots of utilities to enable advanced attack techniques that permit threat actors to stay hidden and quiet until their job is done.

Cobalt Strike  

This tool is the long-running favorite for lateral movement, command and control (C2), and malicious payload delivery. Developed and sold as a fully featured attack simulation platform for security researchers and enterprise red teams to launch their tests through, it is frequently pirated and accessed through cracked license keys.  

Real-world example: How attackers used Cobalt Strike in a major supply chain breach

The SolarWinds (SUNBURST) espionage and supply chain attack campaign is one of the most heavily documented real-world cases where Cobalt Strike was used for lateral movement, C2, and payload delivery.

In brief: A Russian state linked group compromised SolarWinds’ Orion software build system, pushed an update through a backdoor they previously established to thousands of customers, then selectively dropped Cobalt Strike beacons on high-value customer networks to facilitate data theft orchestrated and executed remotely by hands-on actors.  

How the compromise started

Supply chain backdoor in SolarWinds Orion

Attackers tampered with SolarWinds’ development pipeline and inserted a malicious version of the file SolarWinds.Orion.Core.BusinessLayer.dll into legitimate Orion software updates.

Those updates were signed with SolarWinds’ real code signing certificate and shipped to customers, so the malware arrived inside what looked like normal, trusted software.

Deployment to victims

Compromised Orion updates were installed by customers across all industries and sizes, including government agencies and large enterprises.

Inside those environments, the trojanized DLL file, nicknamed SUNBURST, ran inside normal Orion processes such as SolarWinds.BusinessLayerHost.exe, which helped it blend in with expected behavior.

Long sleep and careful victim selection

SUNBURST did not immediately start deploying its malicious behavior. It used long, randomized delays and extensive conditional checks against each victim’s environment to avoid giving itself away within honeypots or sandboxes, generating too much log event noise, and altogether stay out of networks deemed not valuable enough to risk making itself known.

Only a fraction of infected Orion installs ever received a second- stage payload. Most victims were instead used as cover noise:. tThe more EDR software around the globe collected innocuous SUNBURST behavior, the less likely its malicious behavior would raise alarms.

Where Cobalt Strike comes in

Once a target passed SUNBURST’s checks, the operators moved to phase two.

Second stage loader and Cobalt Strike beacon

A memory -only loader known as TEARDROP, or its variant RAINDROP, decrypted and loaded a modified Cobalt Strike beacon directly in memory on selected hosts.

This beacon, included in Cobalt Strike, enables security testers to establish command-and-control communications with infected hosts and allowed the attackers to issue arbitrary tasks such as running commands, moving laterally, and staging data for exfiltration.

Cobalt Strike for lateral movement and privilege abuse

Public reconstructions of the attack campaign describe a textbook post-exploitation flow once Cobalt Strike was in place:

• Use the beacon to run discovery commands and map the network domain.
• Dump or steal authentication credentials and tokens, then abuse them for lateral movement using remote services such as WMI, WinRM, or RDP.
• Establish extra persistence with new or modified Windows services that launched additional in-memory loaders, when needed.
• Run malicious commands using “living off the land” techniques such as PowerShell, scheduled tasks, and legitimate admin tools, so most activity lookeds like standard Windows admin work driven from the Cobalt Strike console.

Why Cobalt Strike was a good fit for this operation

Independent academic work into Cobalt Strike notes that the framework’s beacon is a stealthy C2 implant that can encrypt traffic and mimic normal HTTP or DNS patterns. It has been widely used in “massive data breach attacks such as the SolarWinds attack in 2020.”.

That lines up with what incident responders observed in the SolarWinds case:

• Encrypted C2 that tried to look like benign application traffic.
• Sparse, well-controlled task scheduling that kept network noise low.
• In-memory payload loading, rather than loading onto drive storage, which left fewer disk artifacts to analyze.

Impacket

This open-source tool is the Swiss army knife of network packet and protocol exploration. It is widely used by threat actors to carry out authentication abuse, remote command execution, and lateral movement in victim networks.  

Real-world example: DIB intrusion and Impacket remote execution

An Advanced Persistent Threat (APT) campaign described in the joint CISA, NSA, and FBI advisory on a U.S. defense industrial base (DIB) organization is one of the clearest real-world cases where Impacket was used for lateral movement and remote command execution in support of data theft.  

How adversaries used Impacket for credential abuse and lateral movement

In brief: From November 2021 through January 2022, multiple  APT groups (collections of threat actors with a common malicious goal, usually industrial or political espionage backed by state sponsorship) maintained long-term access to a DIB organization’s network, and used Impacket tools such as wmiexec.py and smbexec.py to move laterally with stolen credentials. They paired Impacket with a custom exfiltration tool, CovalentStealer, to steal sensitive data. The DIB is a consortium of US defense industry enterprises, organized for the benefit of national security by enabling the sharing of cybersecurity information across competitors. DIB partners make for incredibly valuable attack targets, demanding a massive amount of expert reconnaissance and attack resources.

How the compromise started

APT actors first gained access to the victim’s Microsoft Exchange server and used compromised administrator and service accounts to move deeper into the environment.  

Once on the internal network, they relied on existing, legitimate Windows management protocols such as WMI and SMB, rather than noisy custom malware that would be obvious to endpoint detection software. This set the stage for Impacket to do the heavy lifting.

Where Impacket comes in

Using wmiexec.py and smbexec.py, the threat actors created semi-interactive shells on remote hosts over WMI and SMB, ran commands with stolen credentials, and moved laterally to higher- value systems.  

From those shells they staged archives of sensitive data on internal file shares, then handed the attack off to CovalentStealer to identify shares, categorize files, and upload selected data to attacker-controlled cloud storage.  

Why Impacket was a good fit

Impacket gave the operators low level access to Windows protocols that already existed in the environment, so most activity looked like normal remote management and file operations driven by valid accounts.

Because it is an open-source toolkit rather than a single, custom tool implant, it let attackers pluck out only the components they needed to mix credential abuse, remote command execution, and lateral movement without needing to drop a single, heavyweight backdoor on every host.  

Metasploit + Meterpreter

Over 20 years later, Metasploit is still a staple in both white-hat and black-hat security operations. Commonly described as an “attack framework,”, Metasploit provides a modular, sequential approach and complementary tools to architecting and deploying bespoke attacks from reconnaissance all the way to exploitation. Meterpreter, like Cobalt Strike, is Metasploit’s remote shell for C2 operations. Like other advanced malicious command shells, it runs in-memory, making it difficult to detect. Unlike other shells, it includes its own command interpreter (hence the “-terpreter” portion of its name). Meterpreter can understand and run commands sent by attackers on its own without relying on the underlying victim host’s OS, making it particularly stealthy and dangerous. Meterpreter gives operators an  feature-rich canvas for post-exploitation privilege escalation, persistence, and pivoting.

Real-world example: BumbleBee loader to Meterpreter

The BumbleBee loader intrusion documented by The DFIR Report is one of the clearest real- world cases where Meterpreter was used for privilege escalation, reconnaissance, and lateral movement ahead of potential ransomware deployment.

How threat actors deployed Meterpreter for post exploitation control

In brief: An ISO-based phishing lure delivered the BumbleBee loader, which contacted its C2 server, then dropped Meterpreter and Cobalt Strike beacons. From there, the operators used Meterpreter to recon the environment, bypass UAC, dump credentials, escalate privileges, and move laterally toward high-value systems.

How the compromise started

Initial access came from a user opening a malicious ISO file delivered through email.

Windows mounted the ISO as removable media and the victim executed a seemingly benign shortcut that in reality loaded the BumbleBee malware DLL. Once active, BumbleBee established command and control to the attacker’s infrastructure and then waited as the first stage payload loader.

Where Metasploit and Meterpreter come in

After a period of communication with C2, BumbleBee delivered a Meterpreter agent to the compromised host, alongside a Cobalt Strike beacon.

From the Meterpreter session, the operators:

• Ran system and domain discovery commands to map out the environment.
• Used multiple UAC bypass techniques to gain higher privileges on the initial host.
• Dumped credentials and tokens from memory, then used them to authenticate to other systems.
• Combined Meterpreter access with a ZeroLogon exploit to escalate their user sessions to domain administrator and pivot deeper into the network

Why in-memory shells are hard to catch

Meterpreter runs primarily in memory, supports encrypted communications, and exposes a large library of post-exploitation modules directly from the Metasploit console. That allows the attackers to chain discovery, privilege escalation, credential dumping, and lateral movement without constantly dropping new malicious binaries on victim hosts.

Because Metasploit is a standard offensive tool, much of the attack’s tradecraft was available off the shelf. The heavy lifting demanded of the attackers was found in the initial loader and access vector, not in developing bespoke post- exploitation capabilities.

Sliver

Sliver is a modern, actively abused open source C2 framework that has become a common alternative for attackers when Cobalt Strike is detected or blocked. It provides cross-platform malware implants, strong encryption, and multiple C2 channels that closely resemble legitimate traffic.

The Sliver activity described below by Microsoft and others, in which nation- state and ransomware- affiliated actors adopted Sliver alongside or in place of Cobalt Strike, is one of the best documented examples of Sliver used for interactive C2, privilege escalation, and lateral movement.

How attackers adopted Sliver as a stealthy C2 in real intrusions

In brief: As defenders improved detections against Cobalt Strike, multiple threat groups began deploying Sliver implants as their primary or backup C2, using Sliver shells to run discovery commands, steal credentials, escalate privileges, move laterally, and stage data for exfiltration in a way that blends into normal HTTPS and DNS traffic.

How the compromise started

In observed campaigns, initial access typically came from phishing, exploitation of internet-facing services, or abuse of valid credentials. That first stage deployed a lightweight loader or implant onto a workstation or server.

Once the loader contacted attacker infrastructure and determined the victim environment passed its checks, it downloaded and executed a Sliver implant as the second stage payload on selected systems.

Where Sliver comes in

The Sliver implant connected back to a Sliver C2 server and provided the operators with an interactive shell, plus a suite of post-exploitation features.

From this shell, threat actors:

• Executed commands and scripts to enumerate hosts, domains, users, and file shares.
• Deployed additional tools such as credential harvesters or network scanners.
• Used built-in pivoting features to route malicious network traffic through compromised hosts and reach internal systems that were not directly accessible.
• Escalated privileges and moved laterally toward domain controllers or file servers, where they could steal sensitive data or prepare ransomware deployment.

Why Sliver was a good fit

Sliver is open source and written in Go, so actors can easily compile custom builds for Windows, Linux, and macOS without relying on cracked commercial tools.

It supports mutual TLS, HTTP, DNS, and other transport options, which lets operators choose whichever network protocol best mimics normal traffic inside a particular victim environment. Combined with flexible implant configuration and extension mechanisms, Sliver makes an attractive fallback when Cobalt Strike is no longer viable.

Rubeus

Rubeus is a staple for Kerberos abuse. It automates post-exploitation cyberattack techniques such as Kerberoasting, AS REP roasting, ticket extraction, and ticket manipulation, and is heavily used in Active Directory intrusions.

The BlackSuit ransomware campaigns, analyzed by multiple security teams, are some of the clearest real-world attack examples where Rubeus was used to perform AS REP roasting and Kerberoasting against domain controllers as a precursor to full domain compromise and ransomware deployment.

How threat actors used Rubeus for Kerberos ticket attacks

In brief: After gaining an initial foothold and deploying Cobalt Strike beacons, BlackSuit operators executed Rubeus in memory on domain controllers, performed AS REP roasting and Kerberoasting to obtain crackable Kerberos ticket material, used the cracked credentials to escalate themselves to high-privilege accounts, then moved laterally and finally launched ransomware.

How the compromise started

Initial access for BlackSuit varied by victim, including phishing, exploitation of exposed services, and reuse of valid credentials. Once inside, the actors deployed Cobalt Strike for initial C2 and post-exploitation.

From compromised servers and workstations, attackers performed basic reconnaissance, harvested additional credentials, and worked their way toward domain controllers.

Where Rubeus comes in

When attackers reached domain controllers, Rubeus was executed in memory through their existing Cobalt Strike beacon.

Using Rubeus they:

• Carried out AS REP roasting to request and collect AS REP messages for accounts where pre-authentication has been disabled (allowing Kerberos tickets to be issued without first authenticating a user), permitting them to collect encrypted passwords they could then brute force offline.
• Performed Kerberoasting by requesting Kerberos tickets for service accounts and exporting the encrypted ticket material for cracking.
• Used cracked passwords to authenticate as high -privilege accounts, including service and domain admin accounts, which opened the door to full domain control and widespread lateral movement.

Why Rubeus was a good fit

Rubeus provides an all-in-one toolkit for interacting directly with Kerberos, from ticket requests to ticket manipulation and abuse, precluding the need for multiple separate tools for each step.

Running Rubeus in memory through an existing C2 implant reduced disk artifacts and helped the attackers keep their Kerberos abuse in the realm of normal looking authentication traffic, rather than noisy, obviously malicious binaries.

PowerSploit + PowerView

PowerSploit, and especially its PowerView module, remains a go-to toolkit for Active Directory reconnaissance and privilege escalation in Windows environments. PowerView’s ShareFinder functionality in particular is observed within many real-life intrusions.

The ShareFinder analysis by The DFIR Report is one of the strongest pieces of evidence for how widely PowerView is used. They found that Invoke ShareFinder, originally part of PowerView in PowerSploit, used for file share discovery and data staging, appeared in around 40 percent of the intrusion cases they studied.

How attackers used PowerView for active directory reconnaissance

In brief: After initial compromise and deployment of a C2 implant, threat actors frequently load PowerView into a PowerShell session, run the command Invoke ShareFinder and related functions to map out accessible network shares, and then use that knowledge to locate sensitive data, identify pivot points, and prepare for data exfiltration or ransomware deployment.

How the compromise started

In the intrusions The DFIR Report examined, initial access varied, but the pattern was consistent once the attackers had a foothold on a Windows host and some level of domain access.

From that host they established a PowerShell session, often through an existing C2 implant, and imported PowerView into memory without writing it permanently to disk.

Where PowerSploit and PowerView come in

The attackers then used PowerView functions for domain reconnaissance, with Invoke ShareFinder as a key step.

Concretely they would:

• Run Invoke ShareFinder to enumerate accessible network shares across the domain, sometimes saving results to files on disk for later use
• Combine share enumeration with user and group enumeration to understand where sensitive data might live and which accounts had access
• Use this map of shares to identify good locations to stage stolen data or additional tooling, and to plan lateral movement paths

Why these tools were a good fit

Because PowerView and other PowerSploit modules are purely comprised of PowerShell cmdlets and commands, they can be loaded entirely in memory and blend in with legitimate administrative scripting, especially in environments where PowerShell is widely used.

They also provide very high level, attacker-friendly abstractions for domain mapping and privilege analysis. Instead of needing to research and stitch together many native commands, operators provided a small number of functions that tell them where the interesting data and access paths are, which is exactly what you want in fast- moving intrusions.

Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. It has become a favorite exfiltration tool in ransomware and extortion campaigns because it is reliable, scriptable, and often indistinguishable from legitimate cloud backup activity.

The Conti ransomware operations documented by CISA, MITRE, and others are among the best examples of Rclone being used for large scale data theft before encryption and extortion.

How adversaries used Rclone for large scale data exfiltration

In brief: After obtaining domain wide access, Conti operators collected large volumes of sensitive data on internal servers, then used Rclone to sync that data to attacker- controlled cloud storage. Only after exfiltration was complete did they encrypt systems and pressure victims with the additional threat of stealing it, an insidious ploy known as double extortion.

How the compromise started

Conti intrusions typically began with phishing, exploitation of remote services, or abuse of valid credentials. Once inside, the actors deployed common post -exploitation tools, moved laterally, and escalated privileges until they had access to key servers and file shares.

Before triggering ransomware encryption, attackers identified and staged files likely to contain sensitive business, financial, or personal data on central file servers.

Where Rclone comes in

At this point they configured Rclone on a compromised host to talk to an attacker- controlled cloud storage account, often using MEGA or another popular provider.

Rclone was used to:

• Sync staged directories of data from internal servers to the attacker’s cloud storage target.
• Run unattended for long periods to move large data sets over standard HTTPS.
• Provide a simple, scriptable way to resume or adjust data transfers as needed without custom tooling.

Why Rclone was a good fit

Rclone is legitimate open -source software that many organizations use for backup and cloud synchronization, so its presence on a system is not automatically suspicious.

It supports many network back ends and is controlled entirely through command line flags and configuration files, which aligns perfectly with how ransomware gangs use lightweight, console-based methods to automate data theft in double extortion operations. Combined with the fact that it uses normal HTTPS traffic, Rclonet gave Conti and similar groups a low -friction way to exfiltrate terabytes of data before anyone noticed.

CrackMapExec and NetExec

CrackMapExec and its successor NetExec are excellent open-source pentesting tools for credential spraying and lateral movement in Active Directory environments. They are often maliciously used, but they typically sit just outside most “top ten” rankings because their capabilities overlap so much with Impacket and other post -exploitation frameworks.

The “Navigating Through The Fog” intrusion from The DFIR Report describes the wider threat detection ecosystem around CrackMapExec and NetExec and provides a clear picture of how these tools are used for authentication abuse and movement within Windows networks.

How attackers used NetExec- style tooling for credential spraying

In brief: After initial access, attackers validated stolen credentials and moved laterally by abusing Windows protocols such as SMB, WinRM, and WMI. NetExec or CrackMapExec style tooling was used to spray credentials, enumerate shares and users, execute commands remotely, and pivot deeper into the domain without needing a custom implant on every host.

How this typically starts

Attackers begin with a foothold such as a compromised VPN account, exposed service, or phishing payload that gives them valid credentials in the target domain. With even a single set of working credentials, CrackMapExec or NetExec can immediately test that account across many hosts and protocols, looking for where it has local admin or other elevated privileges.

Once they see successful logons, they switch from “spray and test” into targeted use of SMB, WinRM, RDP, or WMI to execute commands and drop follow on tooling on those higher value machines.

Where CrackMapExec and NetExec come in

CrackMapExec and NetExec provide a single, consolidated platform to:

• Perform large scale credential spraying and validation across SMB, WinRM, RDP and other protocols.
• Enumerate domain users, groups, shares, and policies at scale.
• Execute commands on remote hosts, once valid credentials are found.
• Run Kerberos attacks such as Kerberoasting or AS REP-style enumeration through built- in modules.

Because they are “living off the land” through legitimate Windows protocols, most of the malicious network activity looks like legitimate, albeit noisy, administration traffic rather than typical malware behavior. Detection rules found in SIEM tools, like Splunk and Sigma, focus on characteristic command line usage of CrackMapExec and NetExec and have a harder time detecting behavior wrapped within those protocols.  

In practice, a lot of what CrackMapExec and NetExec do can also be accomplished with Impacket scripts, Cobalt Strike, or Sliver modules. Because of this overlap, analysts often discuss “credential spraying over SMB” or “Kerberoasting via LDAP” without naming these tools, even when something like NetExec is driving the commands. This results in less name recognition of NetExec compared to tools like Cobalt Strike, despite frequent, real-world use.

PowerShell Empire

PowerShell Empire was once one of the dominant open-source command and control frameworks but it is much less common today. Development has stalled and defenders have since built strong, specific detections for it. It is still seen in the wild, but it no longer sits in the same top tier of prevalence as Cobalt Strike or modern C2 frameworks like Sliver.

The joint advisory on APT28’s exploitation of Cisco routers, along with MITRE’s profile of Empire, show real world use of Empire by a Russian state-linked group as part of multi-stage intrusions. Empire was also explicitly identified by a Five Eyes joint report as one of the public hacking tools most commonly used by adversaries, which underscores how widespread it once was.

How threat actors used Empire for post exploitation and persistence

In brief: APT28 used public post-exploitation frameworks, including PowerShell Empire and its Python based agents, to conduct reconnaissance and maintain access in victim environments. Empire agents provided encrypted, asynchronous C2 and a ready supply of persistence, credential theft, and reconnaissance modules on top of built-in Windows features.

How the compromise started

In the campaigns covered by the advisory, APT28 initially compromised routers and other network infrastructure using weak SNMP configurations and known vulnerabilities. In other operations, they exploited Microsoft Outlook and related software to gain access to internal networks.

Once they had footholds, they needed a flexible way to move from initial command shells into long-lived, scriptable access on Windows systems. That is where PowerShell Empire came into play.

Where PowerShell Empire comes in

Empire provides:

• PowerShell agents for Windows that communicate over encrypted channels and do not require powershell.exe to run in suspicious, detectable ways.
• A wide set of post -exploitation modules, ranging from keyloggers and credential theft to lateral movement helpers.
• A control server that can manage many agents with asynchronous, slow tasking to reduce malicious log event noise.

CISA and other authorities note that APT28 used Empire for post- exploitation in real operations, and detection guides from SANS and Splunk show how defenders can now hunt for Empire stagers and scripts in script block logs and network traffic.

Why it is less prominent now

The original Empire project stopped active development around 2019, and although community forks exist, the brand lost momentum while tools like Cobalt Strike, Sliver, and Brute Ratel took the spotlight.

At the same time, defenders built specific analytics and signatures for Empire stagers and communications, which made it a noisier choice compared to newer frameworks. Today, Empire still appears in some intrusions and remains common in training and labs, but it is no longer the default, open- source C2 choice for many threat actors.

Brute Ratel

Brute Ratel is a commercial and stealthy red team framework, but its adoption in real attacks is still noticeably lower than Cobalt Strike or Sliver. Threat actors do occasionally use it, particularly in some ransomware and Qakbot related attack chains, but its overall prevalence is nowhere near the top, yet.

Trend Micro’s analysis of the Black Basta ransomware-group's operations, together with MITRE’s Brute Ratel profile and multiple independent write-ups, gives a well-documented example of Brute Ratel being used as a second-stage C2 in a criminal ransomware campaign, alongside more established tools like Cobalt Strike.

How adversaries deployed Brute Ratel for stealthy command and control

In brief: In observed Black Basta intrusions, Qakbot was used to gain an initial foothold and deliver a Brute Ratel C4 payload, which then provided interactive C2 on compromised hosts. From there, operators ran discovery, stole credentials, moved laterally, and sometimes deployed Cobalt Strike as an additional implant before finally launching ransomware.

How the compromise started

Victims received malicious emails that led to Qakbot infection through attachments or HTML smuggling. Once Qakbot established persistence and contacted its C2, it downloaded and executed a Brute Ratel C4 beacon as a follow-on payload on selected systems.

That Brute Ratel beacon then took over as the main hands-on keyboard access point for the attack operators.

Where Brute Ratel comes in

Brute Ratel C4 gives attackers:

• Highly configurable beacons designed to evade modern EDR and antivirus through techniques such as direct system calls, AMSI and ETW patching, and reflective loading.
• Multiple C2 channels over HTTP, HTTPS, DNS over HTTPS, SMB, and TCP, plus pivoting over protocols like WMI and WinRM.
• A post -exploitation feature set on par with other commercial frameworks, including credential theft, lateral movement, file operations, and in -memory execution of additional tooling.

In the Black Basta case, Brute Ratel sessions were used to map the environment, move laterally, and set up follow on C2 and ransomware stages, making it one component in a multi tool kill chain rather than the single star of the show.

Why adoption is still lower

Brute Ratel is commercial, which reduces casual uptake compared to free and open-source frameworks like Sliver. For many threat actors, cracked Cobalt Strike, and now Sliver, software builds already meet their needs, so there is less pressure to standardize on yet another new framework.

On the defender side, the novelty and stealth features of Brute Ratel have triggered focused research, and vendors have already published detection guidance and IoCs for its use. Combined, those factors mean Brute Ratel is a real threat, and dangerous when it appears, but it is not yet as ubiquitous as the older frameworks.

How to prevent post-exploitation activity through app control

Post-exploitation tools work because they look ordinary. Many are legitimate, commercially available, or open-source utilities that let attackers blend into everyday admin activity while they move laterally, steal credentials, establish persistence, and exfiltrate data.  

The strongest way to break that advantage is a Zero Trust posture built on deny by default. When only approved software is allowed to run, attackers lose the freedom to introduce new executables, scripts, and “latest” tooling, even when those tools are signed, widely used, or freshly repackaged.  

ThreatLocker Application Control puts that model into practice with layered controls: Allowlisting to stop unknown or unapproved applications and scripts from executing, Ringfencing to constrain what trusted tools can access and where they can connect, and Elevation Control to remove broad local admin rights while still letting approved tasks run when needed. Combined with scheduled execution for necessary utilities, you keep legitimate tools available for the business, but useless to an attacker. The result is simple: less room to hide, fewer paths to move, and far fewer chances for ransomware or data theft to ever get started.

Frequent asked questions

What are post-exploitation tools?
Post-exploitation tools help attackers operate after initial access. They are used for command execution, credential theft, lateral movement, persistence, and data exfiltration.

Are post-exploitation tools always malware?
No. Many are legitimate red team or admin tools that get abused by threat actors because they blend into normal enterprise activity.

Why is Cobalt Strike so common in real attacks?
Cobalt Strike provides a flexible beacon for command and control and a mature set of post-exploitation features. It is widely abused because cracked versions circulate and it supports stealthy, in-memory operations.

How did attackers use Cobalt Strike in the SolarWinds SUNBURST campaign?
In public reporting, SUNBURST was used to select high-value targets, then second-stage payloads deployed Cobalt Strike beacons to enable remote tasking, reconnaissance, and data theft.

What is Impacket most often used for during intrusions?
Impacket is commonly used to abuse Windows protocols like SMB and WMI for remote command execution and lateral movement, often with stolen credentials.

What is Meterpreter and why does it matter?
Meterpreter is Metasploit’s in-memory agent that gives attackers a feature-rich session for discovery, privilege escalation, credential access, and pivoting, often with fewer disk artifacts.

Why are Sliver and Brute Ratel showing up more often?
As detections for older tooling improve, attackers adopt alternatives. Sliver is attractive because it is open source and easy to customize, while Brute Ratel is built to evade many endpoint detections.

What is Rubeus used for in Active Directory attacks?
Rubeus is used for Kerberos abuse such as Kerberoasting and AS-REP roasting, helping attackers obtain crackable ticket material and escalate privileges.

Why is Rclone a favorite for data theft?
Rclone is legitimate software that can move large volumes of data to cloud storage over normal HTTPS, which helps attackers exfiltrate data before ransomware or extortion.