Picus Labs | May 13, 2020
Welcome to the Picus 2023 Attack Techniques Report, which is based on in-depth research from Picus Labs, the research arm of Picus Security. As a result of the comprehensive analysis of tens of thousands of real-world threat samples collected from numerous sources, Picus Labs revealed the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.
In 2022, Picus Labs analyzed 507,912 malware samples to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 5,388,946 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.
This research found that T1059 Command and Scripting Interpreter was the most prevalent technique and that Lateral Movement was the dominant tactic observed in 2022. The findings provide input for prioritizing risks and security operations by presenting the most prevalent attack techniques, the threat actors that use them, and red and blue team exercises for each.
Attackers are increasingly using techniques that support Lateral Movement, the tactic of moving from one compromised system in a network to another. In addition to Command and Scripting Interpreter and OS Credential Dumping, which remain widely prevalent, techniques that are new to this year's list, such as Remote Services, Remote System Discovery, and Windows Management Instrumentation (WMI), are increasingly leveraged to discover remote systems, execute commands on them, and obtain account credentials.
Data Encrypted for Impact has maintained its position as the third most commonly used technique by adversaries for the second consecutive year. This technique, exhibited by nearly a quarter of all malware analyzed, encrypts files and highlights the ongoing threat of ransomware to organizations.
Two techniques new to this year's Red Report Top Ten, Remote System Discovery and Remote Services, involve abusing tools and protocols built into operating systems, such as net, ping, RDP, SSH, and WinRM. They allow attackers to gather information about Windows, Linux, and macOS targets in a compromised network and to move laterally through it, often without triggering security controls, because the activity is carried out by legitimate remote discovery and access tools rather than by custom malware.
T1003 OS Credential Dumping has moved up the Red Report list since last year’s report and is now the second most prevalent technique observed. This technique allows attackers to obtain account login and credential information from compromised machines. Any information obtained can then be used to move laterally in a network, elevate privileges, and access restricted information.
The Red Report 2023 shows the extent to which adversaries prefer legitimate tools over custom-developed ones. This is highlighted by the most common technique in the Red Report Top Ten, T1059 Command and Scripting Interpreter, which involves the abuse of legitimate interpreters such as PowerShell, AppleScript, and Unix shells to execute arbitrary commands. Other legitimate tools commonly abused by adversaries are the built-in utilities behind OS Credential Dumping, System Information Discovery, Remote Services, WMI, Scheduled Task/Job, and Remote System Discovery.
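Because these techniques run through built-in tools, detection has to key on how the tools are invoked rather than on a file hash. The following Python block is an added example, not code from Picus or from the report: it runs a few illustrative rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 10 process access) and tags each finding with the ATT&CK technique ID it evidences. The event field names, the LSASS allowlist, the ping-sweep threshold and the sample events are all assumptions made for the example.

```python
"""Detection logic for several Red Report 2023 techniques over sample telemetry.

Added example, not code from Picus or the report. Input is a handful of
constructed Sysmon-style events (Event ID 1 process creation, Event ID 10
process access); field names, the allowlist and the sweep threshold are
assumptions, and the rules are illustrative heuristics, not a full rule set.
"""
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not real data).
EVENTS = [
    # Encoded, hidden PowerShell spawned by an Office process (T1059.001)
    {"id": 1, "host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    # Benign PowerShell, must not fire
    {"id": 1, "host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    # Domain host enumeration with net.exe (T1018)
    {"id": 1, "host": "ws01", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net view /domain"},
    # Ping sweep, one event per target (reported once per host as T1018)
    *[{"id": 1, "host": "ws01", "parent": "cmd.exe", "image": "ping.exe",
       "cmdline": f"ping -n 1 10.0.0.{i}"} for i in range(10, 18)],
    # procdump reading LSASS memory (T1003.001)
    {"id": 10, "host": "ws01", "source": "procdump64.exe", "target": "lsass.exe",
     "access": "0x1FFFFF"},
    # The AV engine touching LSASS is expected; allowlisted below
    {"id": 10, "host": "ws01", "source": "MsMpEng.exe", "target": "lsass.exe",
     "access": "0x1010"},
    # Shell spawned by the WinRM host process (T1021.006 Remote Services: WinRM)
    {"id": 1, "host": "srv02", "parent": "wsmprovhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    # Shell spawned by the WMI provider host (T1047)
    {"id": 1, "host": "srv02", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
]

# Encoded-command or hidden-window PowerShell switches
PS_SUSPICIOUS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b")
# net view / net group "Domain Computers" style host enumeration
NET_DISCOVERY = re.compile(r'(?i)^net1?(\.exe)?\s+(view|group\s+"?domain computers)')
# ping with an IPv4 target; sweeps are aggregated per source host
PING_TARGET = re.compile(r"(?i)^ping(\.exe)?\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")
PING_SWEEP_THRESHOLD = 5  # distinct targets per host (assumed tuning value)
# Processes expected to open LSASS; extend per environment (assumption)
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x10  # access-mask bit needed to read LSASS memory
# Parent processes that indicate remote execution, keyed to the technique
REMOTE_EXEC_PARENTS = {"wsmprovhost.exe": "T1021.006", "wmiprvse.exe": "T1047"}


def detect(events):
    """Return (technique_id, host, detail) findings for the event stream."""
    findings = []
    ping_targets = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["id"] == 1:
            image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
            if image == "powershell.exe" and PS_SUSPICIOUS.search(cmd):
                findings.append(("T1059.001", host, cmd))
            if NET_DISCOVERY.search(cmd):
                findings.append(("T1018", host, cmd))
            m = PING_TARGET.search(cmd)
            if m:
                ping_targets[host].add(m.group(2))
            if parent in REMOTE_EXEC_PARENTS:
                findings.append((REMOTE_EXEC_PARENTS[parent], host, f"{parent} -> {cmd}"))
        elif ev["id"] == 10:
            source = ev["source"].lower()
            if (ev["target"].lower() == "lsass.exe" and source not in LSASS_ALLOWLIST
                    and int(ev["access"], 16) & PROCESS_VM_READ):
                findings.append(("T1003.001", host, f"{source} access={ev['access']}"))
    # A single ping is noise; many distinct targets from one host is a sweep
    for host, targets in ping_targets.items():
        if len(targets) >= PING_SWEEP_THRESHOLD:
            findings.append(("T1018", host, f"ping sweep of {len(targets)} hosts"))
    return findings


def technique_counts(findings):
    """Findings per ATT&CK technique ID, the shape a coverage report wants."""
    return Counter(tech for tech, _, _ in findings)


if __name__ == "__main__":
    for tech, host, detail in detect(EVENTS):
        print(f"{tech:<10} {host:<6} {detail}")
    print(dict(technique_counts(detect(EVENTS))))
```

Two design points carry over to real rules: LSASS access is judged on the requested access mask and the source process, not on the mere existence of a handle, because benign system and AV processes open LSASS constantly; and discovery via ping is only meaningful when aggregated across events per host, since each individual ping is indistinguishable from troubleshooting.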
According to our analysis, on average, malware uses 11 different TTPs (Tactics, Techniques, and Procedures). One-third of malware (32%) leverages more than 20 TTPs, and one-tenth of malware employs more than 30 TTPs. These findings suggest that malware developers behind these attacks are highly sophisticated. They have likely invested significant resources into researching and developing a wide range of techniques for evading detection and compromising systems.
MITRE ATT&CK is a publicly available knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to classify adversary behavior consistently. A tactic specifies a goal the adversary is trying to achieve, while a technique describes how the adversary accomplishes that goal by performing an action.
The MITRE ATT&CK Matrix for Enterprise [1] consists of 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. There may be many techniques to achieve a tactic, so there are multiple techniques in each tactic category. Similarly, a technique may be categorized into multiple tactics. For example, the Process Injection technique is used by attackers for Defense Evasion and also Privilege Escalation. Currently, the ATT&CK Enterprise Matrix includes 196 techniques and 411 sub-techniques.
Picus simulates adversarial TTPs in networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or systems. To build adversarial attack scenarios, Picus Labs analyzes hundreds of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include but are not limited to commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.
The red team analysts of Picus Labs evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Then, our blue team analysts examine the effects of these malicious actions on security controls and endpoints and develop actionable prevention signatures and detection rules for them. As building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.
In 2022, Picus Labs analyzed 556,107 unique files, of which 507,912 (91%) were categorized as malicious. 5,388,946 actions were extracted from these files, an average of 11 actions per malware sample. Since several actions in one sample may map to the same technique, each technique is counted once per sample, giving an average of 9 MITRE ATT&CK techniques per malware. The resulting dataset of 4,329,142 technique observations is the basis for this report.
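To make that counting rule concrete, here is an added Python example (not Picus Labs' tooling) that applies it to a tiny constructed dataset: per-sample action traces are mapped to ATT&CK techniques through a many-to-many table, each technique is counted at most once per sample, and techniques are ranked by the share of samples exhibiting them. It also computes the same per-sample averages the text reports and contrasts the sample-share ranking with a naive count of raw occurrences, which one sample that repeats an action can distort. The action names, the mapping table and the four sample traces are constructed for the example.

```python
"""Technique prevalence from per-sample action traces.

Added example, not Picus Labs' tooling. It applies the counting rule the
methodology describes: extract actions per sample, map each action to one or
more ATT&CK techniques, count a technique at most once per sample, then rank
by the share of samples exhibiting it. Everything below is constructed.
"""
from collections import Counter

# Constructed action -> technique map. One action may map to several
# techniques (the overlap the report notes); real mappings come from analysts.
ACTION_TO_TECHNIQUES = {
    "powershell_encoded_cmd": ("T1059.001", "T1027.010"),
    "powershell_disable_defender": ("T1059.001", "T1562.001"),
    "lsass_read": ("T1003.001",),
    "encrypt_user_files": ("T1486",),
    "net_view_domain": ("T1018",),
    "schtasks_create": ("T1053.005",),
    "check_vm_artifacts": ("T1497.001",),
    "wmi_process_create": ("T1047",),
}

# Constructed traces: sample id -> actions observed, repeats included.
SAMPLES = {
    "s1": ["powershell_encoded_cmd", "powershell_disable_defender", "lsass_read",
           "encrypt_user_files", "encrypt_user_files"],
    "s2": ["check_vm_artifacts", "powershell_encoded_cmd"] + ["schtasks_create"] * 5,
    "s3": ["net_view_domain", "wmi_process_create", "lsass_read", "encrypt_user_files"],
    "s4": ["encrypt_user_files", "net_view_domain"],
}


def techniques_per_sample(samples, mapping):
    """Map every action to its techniques and deduplicate within each sample."""
    return {sid: {t for action in actions for t in mapping[action]}
            for sid, actions in samples.items()}


def rank_by_sample_share(samples, mapping):
    """Share of samples exhibiting each technique, highest first (ties by ID)."""
    counts = Counter(t for techs in techniques_per_sample(samples, mapping).values()
                     for t in techs)
    n = len(samples)
    return sorted(((t, c / n) for t, c in counts.items()), key=lambda x: (-x[1], x[0]))


def rank_by_occurrence(samples, mapping):
    """Naive alternative: raw technique occurrences, so one sample that repeats
    an action many times can dominate the ranking."""
    counts = Counter(t for actions in samples.values()
                     for action in actions for t in mapping[action])
    return sorted(counts.items(), key=lambda x: (-x[1], x[0]))


def summary(samples, mapping, threshold):
    """Average actions and distinct techniques per sample, plus the share of
    samples using more than `threshold` distinct techniques."""
    per_sample = techniques_per_sample(samples, mapping)
    n = len(samples)
    return {
        "avg_actions": sum(len(a) for a in samples.values()) / n,
        "avg_techniques": sum(len(t) for t in per_sample.values()) / n,
        "share_over_threshold": sum(len(t) > threshold for t in per_sample.values()) / n,
    }


if __name__ == "__main__":
    print("by sample share:", rank_by_sample_share(SAMPLES, ACTION_TO_TECHNIQUES)[:3])
    print("by raw occurrence:", rank_by_occurrence(SAMPLES, ACTION_TO_TECHNIQUES)[:3])
    print(summary(SAMPLES, ACTION_TO_TECHNIQUES, threshold=4))
```

On this data the two rankings disagree at the top: T1486 leads by sample share (three of four samples), while T1053.005 leads by raw occurrences only because sample s2 created a scheduled task five times. Counting once per sample is what makes the prevalence figures comparable across samples of very different verbosity.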
Each technique in the full report covers how to simulate it (red team exercise), how to detect and mitigate it (blue team exercise), and which threat actors and malware use it against which targets.
1. T1059 Command and Scripting Interpreter
2. T1003 OS Credential Dumping
3. T1486 Data Encrypted for Impact
4. T1055 Process Injection
5. T1082 System Information Discovery
6. T1021 Remote Services
7. T1047 Windows Management Instrumentation
8. T1053 Scheduled Task/Job
9. T1497 Virtualization/Sandbox Evasion
10. T1018 Remote System Discovery
Apart from our report, there are other valuable studies of top ATT&CK techniques. The following table presents the top 10 lists prepared by Red Canary [2], MITRE CTID [3], and Mandiant [4] alongside ours. The lists differ, but diversity does not by itself signify inaccuracy or incompleteness: each list was built with a different methodology and a different set of threat samples, so different results are expected. The overlap is still substantial: T1059 Command and Scripting Interpreter appears in all four lists (Red Canary splits it into its Windows Command Shell and PowerShell sub-techniques), and T1003, T1047, T1055 and T1021 each appear in three of them.
| # | Picus Red Report 2023 | Red Canary [2] | MITRE CTID [3] | Mandiant [4] |
|---|---|---|---|---|
| 1 | T1059 - Command and Scripting Interpreter | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1059 - Command and Scripting Interpreter | T1059 - Command and Scripting Interpreter |
| 2 | T1003 - OS Credential Dumping | T1059.001 - Command and Scripting Interpreter: PowerShell | T1047 - Windows Management Instrumentation | T1027 - Obfuscated Files or Information |
| 3 | T1486 - Data Encrypted for Impact | T1047 - Windows Management Instrumentation | T1053 - Scheduled Task/Job | T1071 - Application Layer Protocol |
| 4 | T1055 - Process Injection | T1027 - Obfuscated Files or Information | T1574 - Hijack Execution Flow | T1082 - System Information Discovery |
| 5 | T1082 - System Information Discovery | T1218.011 - System Binary Proxy Execution: Rundll32 | T1543 - Create or Modify System Process | T1070 - Indicator Removal |
| 6 | T1021 - Remote Services | T1105 - Ingress Tool Transfer | T1562 - Impair Defenses | T1083 - File and Directory Discovery |
| 7 | T1047 - Windows Management Instrumentation | T1055 - Process Injection | T1055 - Process Injection | T1140 - Deobfuscate/Decode Files or Information |
| 8 | T1053 - Scheduled Task/Job | T1569.002 - System Services: Service Execution | T1036 - Masquerading | T1021 - Remote Services |
| 9 | T1497 - Virtualization/Sandbox Evasion | T1036.003 - Masquerading: Rename System Utilities | T1021 - Remote Services | T1105 - Ingress Tool Transfer |
| 10 | T1018 - Remote System Discovery | T1003.001 - OS Credential Dumping: LSASS Memory | T1003 - OS Credential Dumping | T1543 - Create or Modify System Process |
The reader should bear in mind that this research is based on malicious activities of malware after infecting target systems. Therefore, the research is unable to encompass techniques in the Initial Access tactic, which are used by adversaries to gain a foothold in the target network. It should be noted that Initial Access techniques such as Phishing (T1566) and Exploit Public-Facing Application (T1190) are also frequently used by attackers.
Due to the design of the MITRE ATT&CK framework, a single malicious action may be mapped to multiple techniques, and some techniques overlap. For example, BlackByte ransomware uses an obfuscated PowerShell command that stops Windows Defender from running at startup [5]. That one action can be mapped to Command and Scripting Interpreter (T1059), Command Obfuscation (T1027.010), and Impair Defenses (T1562). Malware sandboxes, however, typically map each malicious action to a single technique, which is one source of difference between lists built from sandbox output and lists built from analyst review.
This research has shown that the Top 10 ATT&CK techniques concentrate on techniques used in Lateral Movement attacks. Sophisticated adversaries use techniques in Discovery and Credential Access tactics to collect information about their victims’ environment and weaponize the collected information to compromise the entire network without being detected. Recent large-scale ransomware attacks show how threat actors utilize the Top 10 ATT&CK techniques masterfully to their benefit.
Cyber threat actors endlessly develop new adversary techniques and tools while perfecting the use of existing ones. Effective mitigation of these techniques requires challenging each security control in your security stack with the same attack techniques and tools used by adversaries, finding gaps in your security controls, and improving defense by closing these gaps.
The Picus Continuous Security Validation Platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Moreover, Picus provides actionable prevention signatures and detection rules to remedy security controls against unblocked and undetected attacks. As a result, organizations can prevent and detect adversarial TTPs, including Top 10 ATT&CK techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience.
[1] “Matrix - Enterprise.” [Online]. Available: https://attack.mitre.org/versions/v13/matrices/enterprise/. [Accessed: May 23, 2023]
[2] “MITRE ATT&CK Techniques - Red Canary Threat Detection Report,” Red Canary, Mar. 20, 2023. [Online]. Available: https://redcanary.com/threat-detection-report/techniques/. [Accessed: May 23, 2023]
[3] “Top ATT&CK Techniques.” [Online]. Available: https://top-attack-techniques.mitre-engenuity.org/calculator. [Accessed: May 23, 2023]
[4] “M-Trends 2023: Cybersecurity Insights From the Frontlines,” Mandiant, Oct. 03, 2021. [Online]. Available: https://www.mandiant.com/resources/blog/m-trends-2023. [Accessed: May 23, 2023]
[5] H. C. Yuceel, “TTPs used by BlackByte Ransomware Targeting Critical Infrastructure,” Feb. 21, 2022. [Online]. Available: https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure. [Accessed: May 23, 2023]