Head of Digital Forensics and Malware Analysis Lab, Group‑IB
Threat actors are known to use various features of operating systems to achieve their goals. However, sometimes that is not enough, so they may turn to legitimate third‑party tools, which are unlikely to be detected by security solutions. For example, an adversary may use AdFind to perform Active Directory reconnaissance, or DiskCryptor in place of ransomware.
This talk will explore some of the legitimate third‑party tools abused by real threat actors at various stages of the attack life cycle. The speaker will draw on examples from his own experience investigating incidents.