Blog post

RATs, Mimikatz and other domestic pests

Created:  11 Oct 2018
Updated:  11 Oct 2018
Author:  Lucy P
Part of:  Cyber attacks
Joint report on hacking tools

On 1 October this year, the Canadian Centre for Cyber Security was launched, bringing together a number of parts of the Canadian system that deal with threat intelligence, incident response and public engagement under one big cyber umbrella. Earlier this year, the merging of CERT Australia into the Australian Cyber Security Centre aimed to do the same, with the new ACSC moving into a dedicated multi-classification building near Canberra airport, with industry-focused regional offices across the country.

It is no coincidence that our partners across the world are moving towards the NCSC model of creating a 'one stop shop' for cyber security, serving everyone from individual citizens to critical infrastructure and government. The NCSC maintains frequent dialogue with other countries, sharing ideas and experiences about what’s going well and the challenges we encounter. Our regular group exchanges with cyber security authorities in the US, Canada, Australia and New Zealand are some of the most valuable. Despite having different resources, serving different communities and being scattered across the world, we all share the same overall goal of keeping our countries safe and secure online. And given the interconnectedness of everything cyber, that means helping each other to do our jobs, and the rest of the world too.

A few months ago, we decided to take our collaboration one step beyond regular conversations, product exchanges and the occasional beer in a far-flung country. Why not pool our expertise to produce something together that would reflect our collective picture of the cyber threat, and provide guidance agreed across our systems? You can read the finished report now on the NCSC website, or (if you prefer) on the websites of our four partner contributors. Laying out five common categories of hacking tools that are used by cyber actors worldwide, it provides network defenders with an insight into some of the incidents that we and our partners are managing, as well as some advice for the best ways to protect organisations.

The report is a snapshot, rather than a compendium. It is certainly not a handy list of everything you need to worry about; that would take a lot more than a few pages. But it does give an indication of how wide the market is for tools that can enable actors to get into a network, execute commands and steal data. Very often these tools are not inherently malicious in nature either. They are designed to help pen testers identify vulnerabilities and fix problems, and are used legitimately every day. This makes detecting and attributing malicious usage even harder. But our report can at least provide a starting point for understanding the problem and keeping attackers on their toes.

The tools described by the report are listed broadly in line with the order they would be used against a network.

  • We start with Remote Access Trojans (RATs), stealthy programmes that allow an attacker to carry out a range of remote functions on a network, including installing backdoors and exfiltrating data.
  • We then look at web shells, malicious scripts that can be uploaded to a web server and, similarly, offer remote administrative control.
  • Next are credential stealers, notably mimikatz, a tool invented by a French programmer with the intention of demonstrating to Microsoft a serious flaw in Windows password security, and which is now widely used by attackers to hoover up credentials stored in memory.
  • We also cover frameworks that enable lateral movement, focusing on the popular pen testing tool PowerShell Empire.
  • Finally, we cover command and control obfuscation tools: privacy tools that are used to disguise an attacker’s location.

Many of these tools are used in conjunction with each other, presenting a formidable challenge for the network defender. The NCSC and our partners have seen them used in incidents led by hostile state actors and criminals of widely varying capability. But there are some simple steps that can help build the resilience of any organisation, and help to protect against malicious activity of this kind. Key measures like using multi-factor authentication, segregating networks, setting up a security monitoring capability and keeping systems and software up to date are listed at the end of the report, with links to more detailed guidance elsewhere on our website. We’ve also included links to the core security advice guidelines of our contributing international partners.

We at the NCSC know that we can never solve problems on our own, and that is why we are working harder and harder to link up with international partners and experts from industry and academia. We’re very keen to hear thoughts on the product from the network defence community globally, as we begin to consider what we might collaborate on next.


Lucy P
NCSC Operations

