The Red Report 2024: The Top 10 Most Prevalent MITRE ATT&CK Techniques
Suleyman Ozarslan, PhD | October 16, 2020
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Impair Defenses was the tenth most prevalent ATT&CK technique used by adversaries in their malware.
Disabling, modifying, or blocking defensive security controls is one of the most common adversary behaviors. The MITRE ATT&CK Framework categorizes this type of malicious action under the “T1562 Impair Defenses” technique. The technique covers impairing preventive security controls, detection capabilities, and other mechanisms that assist in prevention and detection, such as Windows Event Logging.
Defensive security controls prevent or detect adversaries’ malicious actions by identifying attack indicators at every level of the pyramid of pain, from hash values up to TTPs (Tactics, Techniques, and Procedures). Adversaries frequently use defense evasion techniques to stay under the radar of security controls and achieve their goals. It came as no surprise that the most prevalent ATT&CK tactics are Defense Evasion and Execution, according to our analysis of 48813 malware samples.
Our research shows that the most used Defense Evasion technique is T1055 Process Injection, which is also a Privilege Escalation technique and is used in 19% of the analyzed malware samples. The second most prevalent Defense Evasion technique is T1036 Masquerading, which makes malicious artifacts such as malware files and processes look like legitimate software and processes in order to evade detection by users and security controls.
T1562 Impair Defenses is the last Defense Evasion technique in our 10 Critical ATT&CK Techniques list; it covers disabling or blocking defensive security controls by modifying the victim environment. This technique involves impairing
In this article, we review:
Changes in the New Version of the MITRE ATT&CK Framework
The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques. A MITRE ATT&CK sub-technique describes a specific implementation of a technique in more detail.
In the new sub-technique version of the MITRE ATT&CK Framework, the T1562 Impair Defenses technique includes five sub-techniques:
The most prevalent “Impair Defenses” sub-technique is Disable or Modify Tools. Adversaries use the following methods to disable or modify security tools:
As an interesting example, the NetWalker ransomware includes uninstallers of endpoint security products to completely remove them, such as ESET AV Remover, Trend Micro’s Security Agent Uninstall Tool, and Microsoft Security Client Uninstall.
Windows event logs record operating system, application, security, setup, hardware, and user events; administrators use them to diagnose system problems, and security tools and analysts use them to investigate security issues. Logged Windows events, such as application installations, login attempts (successes and failures), elevated privileges, and created processes, are great sources for detecting anomalies that may indicate cyber attacks.
Disabling Windows event logging reduces the logs collected for security audits and, accordingly, the detection rate. Thus, adversaries use this technique to impair defenses by targeting:
HISTCONTROL is a bash variable that controls how commands are saved on the history list. Its value is a colon-separated list of the following options:
ignorespace: Lines starting with a space character are not saved in the history list.
ignoredups: Lines matching the previous history entry are not saved.
ignoreboth: Shorthand for ‘ignorespace’ and ‘ignoredups’.
erasedups: All previous lines matching the current line are deleted from the history list before the current line is saved.
Therefore, the export HISTCONTROL="ignorespace" command prevents the saving of commands that start with a space. The " cat /etc/passwd" command (note the leading space character) will not be saved, but the "cat /etc/passwd" command will be saved in the history. Prepending a space to commands therefore allows adversaries to run commands without leaving traces in the command history list.
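To make the four HISTCONTROL options concrete, the following added example (not Picus Labs code) simulates bash's history filtering for a constructed command session, so an analyst can see exactly which lines a given HISTCONTROL value would keep out of the history file. It implements the general rules for all four options, not just the ignorespace case quoted above.

```python
"""Simulate how bash's HISTCONTROL filters command lines before they reach the
history list. Added example, not Picus Labs code; the session is constructed."""

from typing import List, Set


def parse_histcontrol(value: str) -> Set[str]:
    """Expand the colon-separated HISTCONTROL value into individual flags.
    'ignoreboth' is shorthand for 'ignorespace' plus 'ignoredups'."""
    flags: Set[str] = set()
    for token in value.split(":"):
        token = token.strip()
        if token == "ignoreboth":
            flags.update({"ignorespace", "ignoredups"})
        elif token in ("ignorespace", "ignoredups", "erasedups"):
            flags.add(token)
    return flags


def simulate_history(histcontrol: str, commands: List[str]) -> List[str]:
    """Return the history list bash would keep after running `commands`
    in order under the given HISTCONTROL value."""
    flags = parse_histcontrol(histcontrol)
    history: List[str] = []
    for cmd in commands:
        # ignorespace: a leading space keeps the line out of history entirely
        if "ignorespace" in flags and cmd.startswith(" "):
            continue
        # ignoredups: a line identical to the previous entry is not saved
        if "ignoredups" in flags and history and history[-1] == cmd:
            continue
        # erasedups: every earlier copy is removed before the line is saved
        if "erasedups" in flags:
            history = [h for h in history if h != cmd]
        history.append(cmd)
    return history


# Constructed session; the second line carries the leading space from the text
SAMPLE_SESSION = [
    "cat /etc/passwd",
    " cat /etc/passwd",
    "whoami",
    "whoami",
    "cat /etc/passwd",
]

if __name__ == "__main__":
    for setting in ("", "ignorespace", "ignoreboth", "ignorespace:erasedups"):
        print(f"HISTCONTROL={setting!r}:", simulate_history(setting, SAMPLE_SESSION))
```

The same function can be pointed at a user's real shell configuration value to decide whether a gap in that user's history is explainable by the setting or needs a closer look.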
Adversaries may disable or modify system firewalls to enable:
Adversaries use the following utilities to disable or modify the system firewall:
netsh advfirewall firewall add rule name=CoreNetworkingHTTPS dir=in action=allow Protocol=TCP
MpsSvc, the Windows Defender Firewall service. For example, DarkHotel’s Asruex malware attempts to disable the Windows Firewall service using the following command:
Since disabling or stopping a security control can be detected easily, some adversaries prefer blocking indicators or events that are used to detect malicious behavior instead. Adversaries use the following methods for indicator blocking:
Blocking traffic: Some malware blocks traffic associated with reporting in order to prevent analysis; for example, by creating a host-based firewall rule that blocks traffic to SIEMs or event aggregator products.
In addition to host-based firewalls, adversaries may modify firewall rules within a cloud environment. For example, adversaries have used Python scripts containing AWS Command Line Interface (CLI) commands to add backdoors to all cloud security groups, allowing any TCP/IP access into the victim’s environment.
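The firewall modification and indicator-blocking behaviours described above leave distinctive command lines in process-creation telemetry. The following added detection example (not Picus Labs code) classifies such command lines against a small rule set; the Sysmon-like log lines, rule names and the 10.0.0.5 address are constructed placeholders.

```python
"""Flag process command lines that match the firewall tampering and indicator
blocking behaviours described above (T1562.004 / T1562.006). Added detection
example, not Picus Labs code; all log lines are constructed, not captured."""

import re
from typing import List, Tuple

# (label, pattern). netsh accepts its keywords in any order, so lookaheads are
# used instead of a fixed keyword sequence; all matching is case-insensitive.
RULES = [
    # New inbound allow rule, such as the CoreNetworkingHTTPS rule quoted above
    ("firewall_allow_rule", re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\baction=allow\b)", re.I)),
    # A whole firewall profile switched off
    ("firewall_profile_off", re.compile(
        r"netsh\s+advfirewall\s+set\s+\w*profiles?\s+state\s+off\b", re.I)),
    # Windows Defender Firewall service (MpsSvc) stopped or reconfigured
    ("firewall_service_tamper", re.compile(
        r"\b(net\s+stop|sc\s+(config|stop))\s+mpssvc\b", re.I)),
    # Outbound block rule: the host-based pattern used to cut off reporting to a SIEM
    ("block_outbound_reporting", re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=out\b)(?=.*\baction=block\b)", re.I)),
]


def classify(command_line: str) -> List[str]:
    """Return the label of every rule the command line triggers, in RULES order."""
    return [label for label, pat in RULES if pat.search(command_line)]


def scan(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Pull the CommandLine field out of key=value log lines and keep the hits."""
    hits = []
    for line in log_lines:
        _, _, cmd = line.partition("CommandLine=")
        labels = classify(cmd)
        if labels:
            hits.append((cmd.strip(), labels))
    return hits


# Constructed sample events in a Sysmon-like key=value layout (10.0.0.5 is a placeholder)
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall firewall add rule "
    "name=CoreNetworkingHTTPS dir=in action=allow Protocol=TCP",
    "Image=C:\\Windows\\System32\\net.exe CommandLine=net stop MpsSvc",
    "Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall firewall add rule "
    "name=NoReporting dir=out action=block remoteip=10.0.0.5",
    "Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall show allprofiles",
]

if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_LOG):
        print(labels, "<-", cmd)
```

In production these matches should be correlated with the parent process and user context, since administrators legitimately run the same netsh commands.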