The Top Ten MITRE ATT&CK Techniques
LAST UPDATED ON FEBRUARY 24, 2026
Picus 10 Critical MITRE ATT&CK Techniques
Welcome to the Picus Red Report 2026, which is based on in-depth research from Picus Labs, the research arm of Picus Security. As a result of the comprehensive analysis of hundreds of thousands of real-world threat samples collected from numerous sources, Picus Labs revealed the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.
Executive Summary
In 2025, Picus Labs analyzed 1,084,718 malware samples to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 13,321,128 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.
This research has found that T1055 Process Injection was the most prevalent technique, and Defense Evasion and Persistence were the dominating tactics observed in 2025. The findings of this research provide insights for better prioritization of risks and security operations by presenting the most prevalent attack techniques, threat actors using these techniques, and red and blue team exercises for them.
Key Findings
The Rise of the Digital Parasite:
From Predators to Persistent Infections
Adversaries have fundamentally shifted their operational philosophy from "predatory" smash-and-grab attacks to more "parasitic" long-term infections. The Red Report 2026 confirms that attackers are prioritizing techniques that allow them to burrow into legitimate processes and hide from the organization's "immune system." For the third consecutive year, Process Injection (T1055) holds the #1 spot on the list. This dominance signals that blending in is now more critical to attackers than breaking in.
AI Hype vs. Reality:
Evolution, Not Revolution
Despite widespread speculation about AI transforming the malware landscape, our research shows no notable uptick yet in the use of AI-driven malware techniques. The dominance of 1990s-era techniques like Command and Scripting Interpreter (#2) and Process Injection (#1) proves that adversaries don't need AI to beat modern defenses. While malware like LameHug uses LLM APIs, it is merely to fetch hardcoded commands, a technique classified as "superficial" rather than functionally justified AI use. AI enhances productivity, but it has not yet redefined the mechanics of the "Digital Parasite."
Ransomware Encryption Loses Center Stage:
Encryption Prevalence Drops by 38% in Just One Year
The data shows a massive statistical decline in the deployment of ransomware payloads. In 2025, Data Encrypted for Impact (T1486) appeared in 21.00% of samples; in 2026, it plummeted to 12.94%. This represents a 38% relative decrease. This sharp drop-off provides concrete evidence that threat actors are shifting their business model away from "locking data" (Encryption) toward "stealing data" (Extortion) to keep the host alive for long-term exploitation.
The Rise of "Self-Aware" Malware:
Malware Now Does Math to Prove You Are Human
Virtualization/Sandbox Evasion (T1497) saw the year's most explosive growth, surging to #4. Modern malware doesn't just check for files; it analyzes human behavior using geometry. For example, LummaC2 now calculates the Euclidean distance and angles of mouse movements. If the mouse moves in a straight line (typical of sandboxes) rather than a human-like curve (calculated via trigonometry), the malware refuses to detonate. If the threat detects it is being watched, it simply plays dead.
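The geometry described above can be turned around by a sandbox operator: run the same distance-and-angle heuristic over the synthetic mouse traces your sandbox replays to confirm they do not look like a straight line or an idle cursor. This is an added example, not code from the report or from LummaC2; the traces, the thresholds (`min_travel`, `min_turn`) and the function names are constructed for illustration.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]


def path_stats(points: List[Point]) -> Tuple[List[float], List[float]]:
    """Per-segment Euclidean distances and absolute turning angles (radians)."""
    dists, headings = [], []
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        dists.append(math.hypot(x1 - x0, y1 - y0))
        headings.append(math.atan2(y1 - y0, x1 - x0))
    turns = []
    for h0, h1 in zip(headings, headings[1:]):
        # wrap the heading change into [-pi, pi] before taking its magnitude
        delta = (h1 - h0 + math.pi) % (2 * math.pi) - math.pi
        turns.append(abs(delta))
    return dists, turns


def looks_synthetic(points: List[Point], min_travel: float = 50.0,
                    min_turn: float = 0.05) -> bool:
    """True when a trace is too short or too straight to pass as a human.

    Thresholds are assumptions for this example: a cursor that barely moves
    (idle sandbox) or whose mean turning angle is near zero (straight line)
    is the pattern the report says malware treats as an analysis environment.
    """
    if len(points) < 3:
        return True
    dists, turns = path_stats(points)
    if sum(dists) < min_travel:
        return True
    return sum(turns) / len(turns) < min_turn


# Constructed traces: a diagonal line, a stationary cursor, and a gentle curve.
STRAIGHT_TRACE = [(i * 15.0, i * 15.0) for i in range(8)]
IDLE_TRACE = [(100.0, 100.0)] * 5
HUMAN_TRACE = [(0, 0), (12, 3), (25, 9), (36, 18), (45, 30), (51, 44),
               (54, 60), (55, 78), (57, 95), (62, 110)]

if __name__ == "__main__":
    for label, trace in [("straight", STRAIGHT_TRACE), ("idle", IDLE_TRACE),
                         ("curved", HUMAN_TRACE)]:
        print(f"{label:8s} synthetic={looks_synthetic(trace)}")
```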
The "Physical" Insider Threat:
State-Sponsored Laptop Farms
For the first time, Remote Access Tools (T1219) have gone physical. The 2026 report exposes how North Korean (DPRK) operatives are using Remote Access Hardware (T1219.003), specifically IP-KVM devices like PiKVM, to control massive laptop farms. By connecting directly to HDMI and USB ports, attackers gain BIOS-level control that sits completely below the operating system, rendering EDRs and traditional security software totally blind to the intrusion.
The "Living Off the Cloud" Phenomenon:
Adversaries Are Turning Cloud APIs into C2 Channels
The 2026 report reveals a disturbing evolution in how attackers communicate: they are "living off the cloud." A prime example is the SesameOp backdoor, which routed all traffic through OpenAI's Assistants API, masking C2 communications as legitimate AI development work to evade firewalls. Similarly, threat groups like Storm-0501 were observed directly querying cloud secrets stores (e.g., AWS Secrets Manager) via API to harvest credentials, avoiding endpoint detection entirely.
The "Identity" Crisis:
Credential Theft Targets 1 in 4 Organizations
The "Digital Parasite" does not need to break down the door; it simply logs in. While "noisy" credential dumping (T1003) has statistically vanished from the Top 10, Credentials from Password Stores (T1555) remains stubbornly high, appearing in 23.49% of samples in the 2026 report. This means that nearly 1 in 4 attacks involves an adversary attempting to silently extract saved passwords from browsers or password managers. The data suggests that identity theft is no longer a preliminary step but a primary objective, with prevalence rates that are now double those of data encryption.
The Stealth Epidemic:
80% of Top Techniques Are Now Dedicated to Evasion & Persistence
The 2026 Top 10 list reveals a staggering imbalance: the vast majority of attacker tradecraft is now focused primarily on staying hidden. By categorizing the 2026 Top 10 techniques, we found that 8 out of 10 are specifically designed for Defense Evasion, Persistence, or stealthy Command & Control (T1055, T1555, T1497, T1071, T1036, T1547, T1562, T1219). This 80% dominance of stealth tradecraft marks the highest concentration of evasion tactics we have ever recorded, proving that the modern adversary's primary metric for success is now dwell time, not immediate destruction.
Blinding the Immune System:
Why Killing Defenses is the First Move
Before a parasite can safely feed, it must neutralize the host's defenses. Impair Defenses (T1562) remains a core technique at Rank #8 (14.18%), used to disable antivirus, delete logs, and kill EDR agents. The consistency of this technique across recent years, ranking #3 in 2024 and #5 in 2025, proves that "blinding the target" is not an optional step but a fundamental prerequisite for modern intrusions. The parasite ensures the host is defenseless before it begins its primary operations.
Hiding in Plain Sight:
The Art of Masquerading
To survive within the host without triggering an immune response, adversaries are mastering the art of camouflage. Masquerading (T1036) has entered the top tier at Rank #6, utilized in 16.59% of attacks. By renaming malicious files to look like legitimate system processes (e.g., svchost.exe or update.exe), attackers ensure that even if a defender looks directly at the infection, they often see nothing but "normal" system activity, effectively hiding in plain sight.
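A basic check for the renaming trick described above compares a process's image path with the directory the genuine binary lives in. This is an added example, not code from the report: the process records are constructed, and the expected-location table is an assumption that follows the standard Windows layout (svchost.exe in System32/SysWOW64); update.exe has no canonical location, so it is deliberately not in the table.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set, Tuple

# Assumed on-disk homes of binaries that malware commonly impersonates by name.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str  # full image path as an EDR or process-creation log records it


def masquerade_findings(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, directory) for processes whose well-known name
    is running from a directory other than where that binary belongs."""
    findings = []
    for p in procs:
        path = PureWindowsPath(p.image)
        name = path.name.lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is None:
            continue  # name is not one we track; nothing to compare against
        parent = str(path.parent).lower()
        if parent not in expected:
            findings.append((p.pid, name, parent))
    return findings


# Constructed sample: one genuine svchost, two look-alikes in user-writable paths.
SAMPLE_PROCS = [
    Proc(612, r"C:\Windows\System32\svchost.exe"),
    Proc(4210, r"C:\Users\Public\svchost.exe"),
    Proc(1337, r"C:\Windows\Temp\update.exe"),
    Proc(980, r"C:\Windows\explorer.exe"),
    Proc(5001, r"C:\ProgramData\lsass.exe"),
]

if __name__ == "__main__":
    for pid, name, where in masquerade_findings(SAMPLE_PROCS):
        print(f"pid {pid}: {name} running from {where}")
```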
Persistence Ensures Immortality:
Surviving the Reboot
A parasite cannot afford to be flushed out by a simple system restart. Boot or Logon Autostart Execution (T1547) has risen from at or near the bottom of the list in previous years to Rank #7 in the 2026 report. This upward trajectory indicates that longevity is the new priority. Attackers are modifying the host's DNA (registry keys) to ensure they are resurrected every time the machine reboots.
The Convergence of Crime and Espionage:
Ransomware Groups Have Adopted APT Tradecraft
The historical dividing line between "smash-and-grab" cybercriminal gangs and "low-and-slow" nation-state (APT) actors has effectively vanished. The data shows that financially motivated ransomware groups have adopted the stealth, evasion, and living-off-the-land techniques previously reserved for sophisticated espionage operations.
MITRE ATT&CK Framework
MITRE ATT&CK is an open-source knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how an adversary accomplishes the tactic by performing an action.
The MITRE ATT&CK Matrix for Enterprise [1] consists of 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. There may be many techniques to achieve a tactic, so there are multiple techniques in each tactic category. Similarly, a technique may be categorized into multiple tactics. For example, the Process Injection technique is used by attackers for Defense Evasion and also Privilege Escalation. Currently, the ATT&CK Enterprise Matrix includes 216 techniques and 475 sub-techniques.
Methodology

Picus simulates adversarial TTPs in networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or systems. To build adversarial attack scenarios, Picus Labs analyzes hundreds of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include but are not limited to commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.
The red team analysts of Picus Labs evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Then, our blue team analysts examine the effects of these malicious actions on security controls and endpoints and develop actionable prevention signatures and detection rules for them. As building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.
In 2025, Picus Labs analyzed 1,153,683 unique files. 1,084,718 of them (94%) were categorized as 'malicious'. 15,544,909 actions were extracted from these files, which means an average of 14 actions per malware. Since multiple actions may be relevant to the same technique, they were mapped to an average of 12 MITRE ATT&CK techniques per malware. Therefore, a dataset of 13,321,128 MITRE ATT&CK techniques is used for this report.
Picus 10 Critical MITRE ATT&CK Techniques
Click on a technique to explore how to simulate the technique (red team exercise), how to detect and mitigate the technique (blue team exercise), and which threat actors and malware use these techniques on which targets.
| Rank | Technique |
|---|---|
| #1 | T1055 Process Injection |
| #2 | T1059 Command and Scripting Interpreter |
| #3 | T1555 Credentials from Password Stores |
| #4 | T1497 Virtualization/Sandbox Evasion |
| #5 | T1071 Application Layer Protocol |
| #6 | T1036 Masquerading |
| #7 | T1547 Boot or Logon Autostart Execution |
| #8 | T1562 Impair Defenses |
| #9 | T1219 Remote Access Tools |
| #10 | T1486 Data Encrypted for Impact |
Comparison With Other Top ATT&CK Techniques Lists
Apart from our report, there are valuable studies on the top ATT&CK techniques. The following table presents the top 10 lists prepared by Red Canary [2], MITRE CTID [3], and Mandiant [4], and the common techniques between these lists. In these lists, various techniques will be listed differently, but diversity does not necessarily signify inaccuracy or incompleteness. Since different methodologies and threat samples were used when creating the lists, it is natural to see different results.
| Rank | Picus Red Report 2026 | Red Canary [2] | MITRE CTID [3] | Mandiant [4] |
|---|---|---|---|---|
| 1 | T1055 Process Injection | T1078.004 Cloud Accounts | T1059 Command and Scripting Interpreter | T1059 Command and Scripting Interpreter |
| 2 | T1059 Command and Scripting Interpreter | T1059.003 Windows Command Shell | T1078 Valid Accounts | T1027 Obfuscated Files or Information |
| 3 | T1555 Credentials from Password Stores | T1114.003 Email Forwarding Rule | T1021.001 Remote Desktop Protocol | T1021 Remote Services |
| 4 | T1497 Virtualization/Sandbox Evasion | T1059.001 PowerShell | T1047 Windows Management Instrumentation | T1083 File and Directory Discovery |
| 5 | T1071 Application Layer Protocol | T1564.008 Email Hiding Rules | T1490 Inhibit System Recovery | T1070 Indicator Removal |
| 6 | T1036 Masquerading | T1569.002 Service Execution | T1105 Ingress Tool Transfer | T1082 System Information Discovery |
| 7 | T1547 Boot or Logon Autostart Execution | T1112 Modify Registry | T1083 File and Directory Discovery | T1140 Deobfuscate/Decode Files or Information |
| 8 | T1562 Impair Defenses | T1047 Windows Management Instrumentation | T1486 Data Encrypted for Impact | T1486 Data Encrypted for Impact |
| 9 | T1219 Remote Access Tools | T1218.005 Mshta | T1190 Exploit Public-Facing Application | T1071 Application Layer Protocol |
| 10 | T1486 Data Encrypted for Impact | T1105 Ingress Tool Transfer | T1489 Service Stop | T1133 External Remote Services |
Limitations
The limitations outlined below are imperative to consider when interpreting the Red Report 2026:
- Sample Size Representation: Despite analyzing an extensive dataset of over 1,100,000 malware samples, it encompasses only a subset of the vast malware landscape. This limitation may introduce a bias in the visibility of malware types and behaviors.
- Focus on Post-Compromise Tactics: Our research focused primarily on post-compromise activities, thus excluding TA0043 Reconnaissance, TA0042 Resource Development, and TA0001 Initial Access techniques. It is critical to understand that these initial access techniques, such as T1566 Phishing and T1190 Exploit Public-Facing Application, were not covered, as they are crucial steps in the attack chain.
Reflecting on these points provides a balanced view of the findings, acknowledging the scope of the analysis while recognizing aspects not addressed within the study.
Conclusion
The findings of The Red Report 2026 demonstrate a clear and accelerating concentration of adversary activity around Defense Evasion, Persistence, and stealthy Command and Control, with 80% of the Top 10 MITRE ATT&CK techniques now dedicated to enabling long-term, low-visibility access rather than immediate disruption. Modern adversaries have largely abandoned noisy, smash-and-grab tactics in favor of operating as "digital parasites," embedding themselves within trusted processes, abusing legitimate tools, and weaponizing identity and cloud infrastructure to remain undetected for extended periods.
As adversaries continue to refine existing techniques while introducing new, context-aware tradecraft, effective defense can no longer rely on static assumptions of protection. Organizations must continuously validate how their security controls perform against the same techniques and tools used in real-world attacks. This requires systematically challenging prevention and detection layers, identifying security gaps, and prioritizing remediation based on actual adversarial behavior rather than theoretical coverage.
The Picus Platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Moreover, Picus provides actionable prevention signatures and detection rules to remedy security controls against unblocked and undetected attacks. As a result, organizations can prevent and detect adversarial TTPs, including Top 10 ATT&CK techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience.
References
[1] "Matrix - Enterprise." [Online]. Available: https://attack.mitre.org/versions/v18/matrices/enterprise/
[2] "Top ATT&CK® Techniques," Red Canary, Mar. 11, 2024. Available: https://redcanary.com/threat-detection-report/techniques/
[3] "Top ATT&CK Techniques." Available: https://center-for-threat-informed-defense.github.io/top-attack-techniques/#/top-10-lists
[4] "2025 M-Trends Report," Google Cloud. Available: https://cloud.google.com/security/resources/m-trends