Description
This detector identifies the presence of hacking tools, exploit frameworks, attacker-oriented scripts, or security research repositories on a device used to access organizational systems. While endpoint security tools typically focus on detecting active malware, this detector targets a broader class of risk: tooling that indicates the device is configured for offensive activity, whether or not that activity has yet been directed at the organization.
This signal is collected via a point-in-time device scan at the time of a verification event, or continuously via the deployed agent.
Common indicators include:
Exploit and penetration testing frameworks
Installed tools commonly associated with offensive security operations, including network scanners, password recovery utilities, packet capture software, or vulnerability exploitation platforms. While these tools have legitimate uses in security research, their presence on a device presented as belonging to an employee in a non-security role warrants scrutiny.
Credential harvesting and exfiltration tooling
Scripts or binaries designed to extract stored credentials from browsers, keychains, or password managers, as well as utilities for bulk data staging or exfiltration via cloud storage or encrypted channels.
Attacker-oriented code repositories
Cloned or downloaded repositories containing known offensive tooling, proof-of-concept exploits, or payloads from public sources such as Exploit-DB, GitHub security research repositories, or underground code sharing platforms.
Custom automation scripts targeting organizational systems
Scripts that reference internal organizational hostnames, APIs, or data formats in ways inconsistent with a standard employee role, suggesting reconnaissance, automation of access, or preparation for data exfiltration.
Anti-forensics or evidence destruction tools
Utilities designed to overwrite disk space, clear browser history, sanitize logs, or otherwise reduce forensic visibility, indicating awareness of and preparation for post-compromise investigation.
Relevance to Social Engineering Attacks
In social engineering operations involving insider threats, recruited accomplices, or long-dwell-time attackers, the device itself often serves as a staging platform for broader attack activity. The presence of offensive tooling on a device associated with a legitimate employee identity is a strong indicator that the device is being used beyond its authorized scope.
Key attacker behaviors include:
Insider threat preparation
A disgruntled employee or recruited insider downloads offensive tools in preparation for data theft, sabotage, or unauthorized access escalation. Detecting this tooling before it is deployed enables early intervention.
Compromised device as attack relay
Malware or unauthorized tooling installed by an external attacker transforms the employee's device into a relay or staging host. The employee may be unaware, while the attacker uses the device to move laterally, exfiltrate data, or maintain persistence.
Social engineering pretexts backed by technical access
In some operations, attackers with existing partial access augment their position by installing scripted automation that monitors internal communications, intercepts authentication tokens, or probes adjacent systems, while the employee continues normal activity on the same machine.
Examples of Detected Tooling and Techniques
This detector is effective at identifying environments equipped with:
Network, exploitation, and Active Directory attack tools
Nmap, Metasploit, Burp Suite, sqlmap, Mimikatz, BloodHound, CrackMapExec (and its maintained successor, NetExec).
Credential and session theft utilities
LaZagne, browser cookie dumpers, keyloggers, and tools that extract credentials from Windows Credential Manager or macOS Keychain.
Attacker infrastructure management
Cobalt Strike beacon artifacts, reverse shell scripts, command-and-control configuration files, or tunneling utilities such as Chisel or ligolo-ng.
Data staging and exfiltration tools
Rclone configured with external cloud destinations, bulk file compression scripts, or database dump utilities referencing internal data sources.
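The following is an added example, not the detector's own implementation, showing what a point-in-time scan for the indicator classes listed under "Common indicators include" and "Examples of Detected Tooling and Techniques" can look like in practice. It walks a device snapshot and flags offensive binaries, cloned offensive repositories (by git remote URL), rclone remotes whose backend is an external cloud service, scripts that reference internal hostnames, and anti-forensics utilities. The tool-name lists, the internal domain `corp.example`, the repository patterns and the snapshot layout are all assumptions made for illustration; the snapshot itself is constructed in a temporary directory and is not data from a real host.

```python
"""Added example (not the detector's or vendor's own code): a point-in-time
scan over a constructed device snapshot that flags the indicator classes
described on this page. Tool names, the internal domain 'corp.example',
the repository patterns and the snapshot layout are assumptions."""
import configparser
import re
import tempfile
from pathlib import Path

# Binary names commonly associated with offensive tooling (assumed list).
OFFENSIVE_BINARIES = {
    "nmap", "msfconsole", "sqlmap", "mimikatz.exe", "sharphound.exe",
    "crackmapexec", "netexec", "lazagne.exe", "chisel", "ligolo-agent",
}
# Anti-forensics utilities (assumed list; deliberately excludes coreutils
# such as shred so that every Linux host is not flagged).
ANTI_FORENSICS_BINARIES = {"sdelete.exe", "sdelete64.exe", "bleachbit"}
# Git remote URL patterns for well-known offensive repositories (assumed).
OFFENSIVE_REPO_RE = re.compile(
    r"(exploit-db\.com|github\.com/[^/\s]+/(mimikatz|metasploit-framework|"
    r"PayloadsAllTheThings|impacket)\b)", re.I)
# rclone backend types that are external cloud destinations (assumed subset).
CLOUD_BACKENDS = {"s3", "drive", "dropbox", "mega", "b2", "azureblob", "onedrive"}
# Hostnames under the organisation's internal domain (assumed domain).
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.corp\.example\b", re.I)
SCRIPT_SUFFIXES = {".py", ".sh", ".ps1", ".bat"}


def scan_device(root: Path) -> list[dict]:
    """Walk a device snapshot and return one finding per indicator hit."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = path.name.lower()
        rel = path.relative_to(root).as_posix()
        if name in OFFENSIVE_BINARIES:
            findings.append({"category": "offensive_binary", "path": rel, "detail": name})
        elif name in ANTI_FORENSICS_BINARIES:
            findings.append({"category": "anti_forensics", "path": rel, "detail": name})
        elif path.parent.name == ".git" and name == "config":
            # Check every remote URL of a cloned repo against known offensive sources.
            for m in re.finditer(r"^\s*url\s*=\s*(\S+)", path.read_text(errors="ignore"), re.M):
                if OFFENSIVE_REPO_RE.search(m.group(1)):
                    findings.append({"category": "offensive_repo", "path": rel, "detail": m.group(1)})
        elif name == "rclone.conf":
            # rclone config is INI-style; each section is a remote with a 'type' backend.
            cfg = configparser.ConfigParser()
            cfg.read(path)
            for remote in cfg.sections():
                backend = cfg.get(remote, "type", fallback="")
                if backend in CLOUD_BACKENDS:
                    findings.append({"category": "cloud_exfil_remote", "path": rel,
                                     "detail": f"{remote} -> {backend}"})
        elif path.suffix.lower() in SCRIPT_SUFFIXES:
            # Scripts that name internal hosts suggest reconnaissance or access automation.
            hosts = sorted(set(INTERNAL_HOST_RE.findall(path.read_text(errors="ignore"))))
            if hosts:
                findings.append({"category": "internal_target_script", "path": rel,
                                 "detail": ",".join(hosts)})
    return findings


def build_sample_snapshot() -> Path:
    """Constructed device snapshot (sample data, not from a real host)."""
    root = Path(tempfile.mkdtemp(prefix="device-snapshot-"))
    files = {
        "tools/nmap": b"",
        "tools/SDelete.exe": b"",
        "repos/PayloadsAllTheThings/.git/config":
            b'[remote "origin"]\n\turl = https://github.com/swisskyrepo/PayloadsAllTheThings.git\n',
        "repos/dotfiles/.git/config":
            b'[remote "origin"]\n\turl = https://github.com/example-user/dotfiles.git\n',
        ".config/rclone/rclone.conf":
            b"[exfil]\ntype = s3\nprovider = AWS\n\n[usb]\ntype = local\n",
        "scripts/pull_hr.py":
            b"import requests\nrequests.get('https://hr-api.corp.example/v1/export')\n",
        "scripts/hello.py": b"print('hello')\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for finding in scan_device(build_sample_snapshot()):
        print(f"{finding['category']:<24} {finding['path']:<45} {finding['detail']}")
```

On the constructed snapshot this reports five findings (the nmap binary, SDelete, the PayloadsAllTheThings clone, the `exfil` S3 remote, and the script that calls `hr-api.corp.example`) and ignores the dotfiles repo, the `local` rclone remote and the benign script. Name-based matching is the weakest part of this approach: a renamed binary evades it, so a production detector would pair it with file hashes or YARA rules, and a continuously deployed agent would run the same checks on file-creation events rather than on a full walk.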