
Top 10 post-exploitation tools threat actors use in real intrusions

ID: a13c96ac-a1f8-532f-8210-b6339d5125e8

STIX ID: report--a13c96ac-a1f8-532f-8210-b6339d5125e8

Feed Name: ThreatLocker Blog

Threat Score
88/100

Date Published: 2025-12-16

Date Updated: 2026-05-01

...
...

This report catalogs ten post-exploitation tools commonly abused in real intrusions (Cobalt Strike, Impacket, Metasploit/Meterpreter, Sliver, Rubeus, PowerSploit/PowerView, Rclone, CrackMapExec/NetExec, PowerShell Empire, Brute Ratel) and ties each to observed campaigns, including SolarWinds SUNBURST, the Defense Industrial Base (DIB) intrusion, Conti, BlackSuit, Black Basta and Bumblebee. It walks through the typical chain in which these tools appear (initial access, in-memory loaders, credential theft, lateral movement, staging and exfiltration) and recommends controls that remove the attacker's ability to run them at all rather than relying on signature detection: deny-by-default application control, ringfencing (restricting what an allowed application may launch or reach), and elevation control.
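To make the recommended controls concrete, the following is an added example (not code from the report or from ThreatLocker) that models deny-by-default application control, ringfencing and elevation control as a policy evaluator run over constructed process-start events. All hashes, rule tables and event data are hypothetical placeholders built inline; the point shown is that keying the allowlist on file hash rather than name or path means a renamed exfiltration tool is still blocked, and that an Office process launching a shell is stopped by the ringfence even though the shell binary itself is allowed.

```python
"""Deny-by-default application control modelled over constructed process events.

Added illustration; the rule tables and hashes are placeholders, not a real policy.
"""
import hashlib
from dataclasses import dataclass


def placeholder_hash(label: str) -> str:
    """SHA-256 of a constructed label, standing in for a real binary's file hash."""
    return hashlib.sha256(label.encode()).hexdigest()


# Allowlist keyed by file hash, not by image name or path, so a tool copied to
# a trusted-looking name (rclone.exe saved as svchost.exe) still fails the check.
ALLOWED_HASHES = {
    placeholder_hash("powershell.exe v5.1"): "powershell.exe",
    placeholder_hash("winword.exe 16.0"): "winword.exe",
    placeholder_hash("explorer.exe"): "explorer.exe",
}

# Ringfencing: for a ringfenced parent, the only child images it may launch.
# A parent absent from this table may launch any allowed image.
RINGFENCE_CHILDREN = {
    "winword.exe": set(),                   # Office must never spawn shells
    "powershell.exe": {"powershell.exe"},   # no chaining into other binaries
}

# Elevation control: images allowed to hold an admin token without approval.
ELEVATION_ALLOWED = {"explorer.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image_name: str    # name the binary was launched under (attacker-controlled)
    sha256: str        # hash of the file on disk (not attacker-controlled by renaming)
    parent_name: str   # resolved name of the parent process
    elevated: bool     # whether an admin token was requested


def evaluate(ev: ProcessEvent) -> tuple[str, str]:
    """Return (decision, reason). Deny is the default; every rule must pass."""
    known = ALLOWED_HASHES.get(ev.sha256)
    if known is None:
        return "BLOCK", f"{ev.image_name}: hash not on allowlist (deny by default)"
    allowed_children = RINGFENCE_CHILDREN.get(ev.parent_name)
    if allowed_children is not None and known not in allowed_children:
        return "BLOCK", f"{ev.parent_name} is ringfenced and may not launch {known}"
    if ev.elevated and known not in ELEVATION_ALLOWED:
        return "BLOCK", f"{known} requested elevation without approval"
    return "ALLOW", f"{known} permitted from {ev.parent_name}"


# Constructed events mirroring the chain the report describes.
SAMPLE_EVENTS = [
    # Exfiltration tool renamed to blend in: name looks trusted, hash is unknown.
    ProcessEvent("svchost.exe", placeholder_hash("rclone.exe 1.x"), "powershell.exe", False),
    # Macro-driven in-memory loader: allowed binary, but Word is ringfenced.
    ProcessEvent("powershell.exe", placeholder_hash("powershell.exe v5.1"), "winword.exe", False),
    # Allowed binary, allowed parent, but an unapproved elevation request.
    ProcessEvent("powershell.exe", placeholder_hash("powershell.exe v5.1"), "explorer.exe", True),
    # Ordinary interactive use by an administrator.
    ProcessEvent("powershell.exe", placeholder_hash("powershell.exe v5.1"), "explorer.exe", False),
]


def decisions(events=SAMPLE_EVENTS) -> list[str]:
    """Decision for each event, in order."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        decision, reason = evaluate(event)
        print(f"{decision:5} {reason}")
```

Only the last event is allowed; the first three are blocked by, respectively, the hash allowlist, the ringfence on winword.exe, and elevation control. A real deployment would also have to handle script hosts and DLL loads, which a process-start check alone does not cover.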
