The unrestricted publication of offensive security tools (OSTs) has become one of the most controversial talking points in the information security community. Some argue that releasing such tools to the Internet is irresponsible, as it allows adversaries to outsource the development of tools and techniques from the InfoSec community directly. Others believe the publication of these tools serves as a cornerstone to the education of both new researchers and good defense practices, allowing defenders to mitigate newly discovered techniques and probe their own systems. However, limited quantifiable data has been presented to support either argument.
This research was conducted in order to evaluate the extent of influence offensive security tools have on adversary operations, specifically the use of open-source OSTs. We gathered leading open-source projects such as Mimikatz and UACME and compiled them with various configurations and flags in order to generate all possible binary code patterns. We identified code reuse patterns across a database of millions of malware samples and created a map of open-source OST adoption by malware families.
In this paper, a comprehensive map of the relationship between various open-source OST projects and threat actors is presented, covering projects that implement code injection, privilege escalation, and lateral movement techniques. We also explain the steps taken to build the map. Finally, we explain how familiarity with these projects allows defenders to build YARA signatures based on code patterns, and we expose real, previously undetected malware campaigns that were discovered with this technique, together with the relevant YARA signatures.
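The following is an added illustration of the code-reuse approach sketched above; it is not the paper's tooling. It finds byte runs shared between a compiled OST build and a sample, drops runs that also appear in a benign build (compiler boilerplate such as function prologues), and emits a YARA rule from what remains. All byte strings are constructed stand-ins, not real code, and the function names are assumptions of this example.

```python
"""Toy code-reuse matcher: OST build vs. sample, minus benign boilerplate, to YARA."""
from typing import List


def shared_chunks(reference: bytes, sample: bytes, min_len: int = 8) -> List[bytes]:
    """Maximal byte runs of length >= min_len present in both blobs (first hit only)."""
    chunks, i = [], 0
    while i + min_len <= len(reference):
        pos = sample.find(reference[i:i + min_len])
        if pos == -1:
            i += 1
            continue
        end = i + min_len  # extend the match while both blobs still agree
        while end < len(reference) and pos + end - i < len(sample) \
                and reference[end] == sample[pos + end - i]:
            end += 1
        chunks.append(reference[i:end])
        i = end
    return chunks


def ost_signature_chunks(reference: bytes, sample: bytes, benign: bytes,
                         min_len: int = 8) -> List[bytes]:
    """Shared runs minus anything also found in a benign build, deduplicated."""
    keep: List[bytes] = []
    for c in shared_chunks(reference, sample, min_len):
        if c not in benign and c not in keep:  # skip compiler/CRT boilerplate
            keep.append(c)
    return keep


def yara_rule(name: str, chunks: List[bytes]) -> str:
    """Render OST-specific chunks as hex strings in a YARA rule gated on a PE header."""
    if not chunks:
        raise ValueError("no OST-specific chunks to sign")
    body = [f"        $c{n} = {{ {' '.join(f'{b:02X}' for b in c)} }}"
            for n, c in enumerate(chunks)]
    return "\n".join([f"rule {name}", "{", "    strings:", *body, "    condition:",
                      "        uint16(0) == 0x5A4D and any of them", "}"])


# Constructed stand-ins: a shared compiler prologue, an OST-specific routine body, filler.
PROLOGUE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57])
OST_BODY = bytes(range(0x10, 0x30))
RET = b"\xC3"
REFERENCE = PROLOGUE + OST_BODY + RET + PROLOGUE + bytes(range(0x40, 0x50)) + RET
BENIGN = PROLOGUE + bytes(range(0x60, 0x70)) + RET
SAMPLE = (b"\x00" * 6 + PROLOGUE + bytes(range(0xC0, 0xD0)) + RET + b"\x00" * 4
          + PROLOGUE + OST_BODY + RET + b"\x00" * 3)

if __name__ == "__main__":
    print(yara_rule("ost_reuse_example", ost_signature_chunks(REFERENCE, SAMPLE, BENIGN)))
```

Real builds need the variations the paper describes (different compilers and flags) as separate reference blobs, and relocated addresses should be wildcarded rather than matched byte-for-byte.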