The Top Ten MITRE ATT&CK Techniques

PICUS 10 CRITICAL MITRE ATT&CK TECHNIQUES 

Welcome to the Picus 2023 Attack Techniques Report, which is based on in-depth research from Picus Labs, the research arm of Picus Security. As a result of the comprehensive analysis of tens of thousands of real-world threat samples collected from numerous sources, Picus Labs revealed the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.


The Red Report 2023
The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries


Executive Summary

In 2022, Picus Labs analyzed 507,912 malware samples to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 5,388,946 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.

This research has found that T1059 Command and Scripting Interpreter was the most prevalent technique, and Lateral Movement was the dominating tactic observed in 2022. The findings of this research provide insights for better prioritization of risks and security operations by presenting the most prevalent attack techniques, threat actors using these techniques, and red and blue team exercises for them.

Key Findings

Lateral Movement on the Rise: Attackers Utilize New As Well As Tried and Tested Techniques

Attackers are increasingly using techniques to perform Lateral Movement, a tactic to move from one compromised system in a network to another. In addition to Command and Scripting Interpreter and OS Credential Dumping, which remain widely prevalent, techniques new to this year's list, such as Remote Services, Remote System Discovery, and WMI, are increasingly being leveraged to discover remote systems, execute commands on them, and obtain account credentials.

Ransomware Remains Rife: Data Encryption Is a Top Threat

Data Encrypted for Impact has maintained its position as the third most commonly used technique by adversaries for the second consecutive year. This technique, exhibited by nearly a quarter of all malware analyzed, encrypts files and highlights the ongoing threat of ransomware to organizations.

Abuse of Remote Discovery and Access: Attackers Leverage Windows, Linux, and macOS Built-in Tools

Two techniques new to the list, Remote System Discovery and Remote Services, also feature in this year's Red Report Top Ten. These techniques involve abusing built-in operating system tools and protocols, such as net, ping, RDP, SSH, and WinRM, for malicious purposes. This allows attackers to gather information about targets, including Windows, Linux, and macOS systems in a compromised network, and move laterally throughout the network without being detected by security controls. This trend indicates that attackers are increasingly utilizing legitimate remote discovery and access tools and services.

Identity and Credentials Are the New Perimeter: Traditional Perimeter Security Is No Longer Enough

T1003 OS Credential Dumping has moved up the Red Report list since last year’s report and is now the second most prevalent technique observed. This technique allows attackers to obtain account login and credential information from compromised machines. Any information obtained can then be used to move laterally in a network, elevate privileges, and access restricted information.

Uncovering the Dark Side of Legitimate Tools: Adversaries Are Weaponizing Legitimate Software in Cyberattacks

The Red Report 2023 reveals the extent to which adversaries prefer using legitimate tools over custom-developed ones. This is highlighted by the most common technique in the Red Report Top Ten list, T1059 Command and Scripting Interpreter, which involves the abuse of legitimate interpreters such as PowerShell, AppleScript, and Unix shells to execute arbitrary commands. Other examples of legitimate tools that are commonly abused by adversaries include utilities for OS Credential Dumping, System Information Discovery, Remote Services, WMI, Scheduled Task/Job, and Remote System Discovery.

Malware Continues to Evolve Rapidly: The Rise of Multi-faceted Tactics in Cyber Attacks

According to our analysis, on average, malware uses 11 different TTPs (Tactics, Techniques, and Procedures). One-third of malware (32%) leverages more than 20 TTPs, and one-tenth of malware employs more than 30 TTPs. These findings suggest that malware developers behind these attacks are highly sophisticated. They have likely invested significant resources into researching and developing a wide range of techniques for evading detection and compromising systems.

MITRE ATT&CK Framework

MITRE ATT&CK is an open-source knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how an adversary accomplishes the tactic by performing an action.  

The MITRE ATT&CK Matrix for Enterprise [1] consists of 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. There may be many techniques to achieve a tactic, so there are multiple techniques in each tactic category. Similarly, a technique may be categorized into multiple tactics. For example, the Process Injection technique is used by attackers for Defense Evasion and also Privilege Escalation. Currently, the ATT&CK Enterprise Matrix includes 196 techniques and 411 sub-techniques.

Methodology

Picus simulates adversarial TTPs in networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or systems. To build adversarial attack scenarios, Picus Labs analyzes hundreds of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include but are not limited to commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.

The red team analysts of Picus Labs evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Then, our blue team analysts examine the effects of these malicious actions on security controls and endpoints and develop actionable prevention signatures and detection rules for them. As building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.

In 2022, Picus Labs analyzed 556,107 unique files. 507,912 of them (91%) were categorized as 'malicious'. 5,388,946 actions were extracted from these files, an average of 11 actions per malware. Since multiple actions may be relevant to the same technique, these actions were mapped to an average of 9 MITRE ATT&CK techniques per malware. Therefore, a dataset of 4,329,142 MITRE ATT&CK technique observations is used for this report.


Picus 10 Critical MITRE ATT&CK Techniques


Comparison With Other Top ATT&CK Techniques Lists

Apart from our report, there are valuable studies on top ATT&CK techniques. The following table presents the top 10 lists prepared by Red Canary [2], MITRE CTID [3], and Mandiant [4], and the techniques common to these lists. The lists rank techniques differently and some appear at sub-technique rather than technique granularity, but this diversity does not necessarily signify inaccuracy or incompleteness. Since different methodologies and threat samples were used when creating the lists, it is natural to see different results.

Columns: Picus Red Report 2023 | Red Canary | MITRE CTID (Engenuity) | Mandiant

Rank 1
  Picus:      T1059 - Command and Scripting Interpreter
  Red Canary: T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  MITRE CTID: T1059 - Command and Scripting Interpreter
  Mandiant:   T1059 - Command and Scripting Interpreter

Rank 2
  Picus:      T1003 - OS Credential Dumping
  Red Canary: T1059.001 - Command and Scripting Interpreter: PowerShell
  MITRE CTID: T1047 - Windows Management Instrumentation
  Mandiant:   T1027 - Obfuscated Files or Information

Rank 3
  Picus:      T1486 - Data Encrypted for Impact
  Red Canary: T1047 - Windows Management Instrumentation
  MITRE CTID: T1053 - Scheduled Task/Job
  Mandiant:   T1071 - Application Layer Protocol

Rank 4
  Picus:      T1055 - Process Injection
  Red Canary: T1027 - Obfuscated Files or Information
  MITRE CTID: T1574 - Hijack Execution Flow
  Mandiant:   T1082 - System Information Discovery

Rank 5
  Picus:      T1082 - System Information Discovery
  Red Canary: T1218.011 - System Binary Proxy Execution: Rundll32
  MITRE CTID: T1543 - Create or Modify System Process
  Mandiant:   T1070 - Indicator Removal

Rank 6
  Picus:      T1021 - Remote Services
  Red Canary: T1105 - Ingress Tool Transfer
  MITRE CTID: T1562 - Impair Defenses
  Mandiant:   T1083 - File and Directory Discovery

Rank 7
  Picus:      T1047 - Windows Management Instrumentation
  Red Canary: T1055 - Process Injection
  MITRE CTID: T1055 - Process Injection
  Mandiant:   T1140 - Deobfuscate/Decode Files or Information

Rank 8
  Picus:      T1053 - Scheduled Task/Job
  Red Canary: T1569.002 - System Services: Service Execution
  MITRE CTID: T1036 - Masquerading
  Mandiant:   T1021 - Remote Services

Rank 9
  Picus:      T1497 - Virtualization/Sandbox Evasion
  Red Canary: T1036.003 - Masquerading: Rename System Utilities
  MITRE CTID: T1021 - Remote Services
  Mandiant:   T1105 - Ingress Tool Transfer

Rank 10
  Picus:      T1018 - Remote System Discovery
  Red Canary: T1003.001 - OS Credential Dumping: LSASS Memory
  MITRE CTID: T1003 - OS Credential Dumping
  Mandiant:   T1543 - Create or Modify System Process

Limitations

The reader should bear in mind that this research is based on malicious activities of malware after infecting target systems. Therefore, the research is unable to encompass techniques in the Initial Access tactic, which are used by adversaries to gain a foothold in the target network. It should be noted that Initial Access techniques such as Phishing (T1566) and Exploit Public-Facing Application (T1190) are also frequently used by attackers.

Due to the design of the MITRE ATT&CK framework, a malicious action may be mapped to multiple techniques, and some techniques overlap. For example, BlackByte ransomware uses an obfuscated PowerShell command that stops Windows Defender from executing on startup [5]. This single behavior can be mapped to Command and Scripting Interpreter (T1059), Command Obfuscation (T1027.010), and Impair Defenses (T1562). However, malware sandboxes map a malicious action to a single technique.
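As an added illustration of the counting described under Methodology (actions per malware, de-duplication to distinct techniques per malware, prevalence ranking) and of the multi-technique mapping noted above under Limitations, the following example code was written for this page and is not Picus Labs' tooling; the sample data, function names and the sub-technique roll-up option are constructed assumptions.

```python
from collections import Counter

# Constructed sandbox-style output: one entry per malicious sample, listing for
# every observed action the ATT&CK technique id(s) an analyst mapped it to.
# An action may carry several ids (the BlackByte case: one obfuscated PowerShell
# command mapped to T1059.001, T1027.010 and T1562.001). Illustrative data only.
SAMPLES = {
    "sample-a": [["T1059.001"], ["T1059.001"], ["T1003.001"], ["T1486"]],
    "sample-b": [["T1059.003"], ["T1047"], ["T1021.001"], ["T1018"], ["T1486"]],
    "sample-c": [["T1059.001", "T1027.010", "T1562.001"], ["T1053.005"], ["T1055"]],
    "sample-d": [["T1082"], ["T1497.001"], ["T1059.003"], ["T1003.001"],
                 ["T1021.004"], ["T1070.004"]],
}

def parent(technique_id: str) -> str:
    """Roll a sub-technique such as T1059.001 up to its parent T1059."""
    return technique_id.split(".")[0]

def techniques_per_sample(samples, roll_up=True, single_mapping=False):
    """Distinct techniques per sample. single_mapping=True mimics a sandbox
    that keeps only one technique per action, dropping the overlapping ones."""
    result = {}
    for name, actions in samples.items():
        ids = set()
        for mapped in actions:
            chosen = mapped[:1] if single_mapping else mapped
            ids.update(parent(t) if roll_up else t for t in chosen)
        result[name] = ids
    return result

def summary_stats(samples, roll_up=True, single_mapping=False):
    """Totals and per-malware averages, as in the report's methodology."""
    n = len(samples)
    per_sample = techniques_per_sample(samples, roll_up, single_mapping)
    actions = sum(len(a) for a in samples.values())
    techniques = sum(len(ids) for ids in per_sample.values())
    return {"samples": n, "actions": actions, "avg_actions": actions / n,
            "techniques": techniques, "avg_techniques": techniques / n}

def prevalence(samples, roll_up=True, single_mapping=False, top=10):
    """Rank techniques by the share of samples exhibiting them; ties are
    broken by technique id so the ranking is deterministic."""
    per_sample = techniques_per_sample(samples, roll_up, single_mapping)
    counts = Counter(t for ids in per_sample.values() for t in ids)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    return [(t, c, round(100 * c / len(samples), 1)) for t, c in ranked]

if __name__ == "__main__":
    print(summary_stats(SAMPLES))
    for technique, count, pct in prevalence(SAMPLES):
        print(f"{technique:10} {count:3} samples {pct:6.1f}%")
```

Running it with roll_up=False shows why lists built at sub-technique granularity rank differently: T1059 leads at parent level, but is split between T1059.001 and T1059.003 at sub-technique level. With single_mapping=True the T1027 and T1562 observations disappear entirely, which is the undercounting the Limitations section describes.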

Conclusion

This research has shown that the Top 10 ATT&CK techniques concentrate on techniques used in Lateral Movement attacks. Sophisticated adversaries use techniques in Discovery and Credential Access tactics to collect information about their victims’ environment and weaponize the collected information to compromise the entire network without being detected. Recent large-scale ransomware attacks show how threat actors utilize the Top 10 ATT&CK techniques masterfully to their benefit.

Cyber threat actors endlessly develop new adversary techniques and tools while perfecting the use of existing ones. Effective mitigation of these techniques requires challenging each security control in your security stack with the same attack techniques and tools used by adversaries, finding gaps in your security controls, and improving defense by closing these gaps.

The Picus Continuous Security Validation Platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Moreover, Picus provides actionable prevention signatures and detection rules to remedy security controls against unblocked and undetected attacks. As a result, organizations can prevent and detect adversarial TTPs, including Top 10 ATT&CK techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience.

References

[1] “Matrix - Enterprise.” [Online]. Available: https://attack.mitre.org/versions/v13/matrices/enterprise/. [Accessed: May 23, 2023]

[2] "MITRE ATT&CK Techniques - Red Canary Threat Detection Report," Red Canary, Mar. 20, 2023. [Online]. Available: https://redcanary.com/threat-detection-report/techniques/. [Accessed: May 23, 2023]

[3] “Top ATT&CK Techniques.” [Online]. Available: https://top-attack-techniques.mitre-engenuity.org/calculator. [Accessed: May 23, 2023]

[4] “M-Trends 2023: Cybersecurity Insights From the Frontlines,” Mandiant, Oct. 03, 2021. [Online]. Available: https://www.mandiant.com/resources/blog/m-trends-2023. [Accessed: May 23, 2023]

[5] H. C. Yuceel, “TTPs used by BlackByte Ransomware Targeting Critical Infrastructure,” Feb. 21, 2022. [Online]. Available: https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure. [Accessed: May 23, 2023]
