MITRE ATT&CK provides a framework for classifying attacker tactics, techniques, and procedures (TTPs). Each year, security researchers analyze real-world attacks to identify the most prevalent techniques and sub-techniques used by adversaries. By understanding these top techniques and sub-techniques, security professionals can prioritize their defenses and focus on the areas most likely to be targeted by attackers.

Top 10 Most Frequently Seen Techniques 2023

1T1059: Command and Scripting Interpreter
2T1027: Obfuscated Files or Information
3T1083: File and Directory Discovery
4T1021: Remote Services
5T1082: System Information Discovery
6T1070: Indicator Removal
7T1071: Application Layer Protocol
8T1033: System Owner/User Discovery
9T1140: Deobfuscate / Decode Files or Information
10T1190: Exploit Public-Facing Application
  • T1059: Command and Scripting Interpreter | Executes malicious code through a command shell or scripting language, allowing attackers to automate tasks, deploy malware, or steal data.
  • T1027: Obfuscated Files or Information | Hides malicious content, such as malware or exploit code, by employing techniques like encryption, packing, or encoding to evade detection by security scanners and analysts.
  • T1083: File and Directory Discovery | Identifies and locates files and folders on a system, which can be used by attackers to find sensitive data, configuration files, or potential hiding places for malware.
  • T1021: Remote Services | Interacts with remote systems to manage or exploit them. Attackers can use remote services to establish persistent access, launch denial-of-service attacks, or steal data from remote machines.
  • T1082: System Information Discovery | Gathers information about a system’s configuration, software, and hardware. This information can be used to identify vulnerabilities, plan attacks, or tailor exploits to specific systems.
  • T1070: Indicator Removal | Attempts to erase traces of malicious activity, such as logs, files, or registry entries, to impede forensic investigations and make it difficult to detect the attack.
  • T1071: Application Layer Protocol | Uses legitimate application protocols, such as HTTP or SMB, for malicious purposes. This technique can help attackers bypass security controls that are designed to detect suspicious network traffic.
  • T1033: System Owner/User Discovery | Identifies the users or administrators on a system. This information can be used by attackers to target specific individuals for spear phishing attacks or privilege escalation attempts.
  • T1140: Deobfuscate/Decode Files or Information | Reverses obfuscation techniques to reveal hidden malicious content. Deobfuscation can be a complex process, but it is essential for security analysts to understand the true nature of a threat.
  • T1190: Exploit Public-Facing Application | Targets vulnerabilities in publicly accessible applications, such as web servers or remote desktop services. These vulnerabilities can allow attackers to gain unauthorized access to a system, steal data, or deploy malware.

Top 5 Most Frequently Seen MITRE ATT&CK Sub-Techniques 2023

1T1059.001: PowerShell
2T1071.001: Web Protocols
3T1021.001: Remote Desktop Protocol
4T1569.002: Service Execution
5T1070.004: File Deletion
  • T1059.001: PowerShell | Executes commands using the PowerShell scripting language, a powerful tool for automating tasks and interacting with the Windows operating system. Attackers can leverage PowerShell to download malware, steal data, or manipulate system settings.
  • T1071.001: Web Protocols | Uses protocols like HTTP, HTTPS, FTP, or SMB to communicate with a remote system. These protocols are commonly used for legitimate web browsing and file transfer, but attackers can abuse them to exfiltrate data, deliver malware, or establish remote connections.
  • T1021.001: Remote Desktop Protocol | Leverages the Remote Desktop Protocol (RDP) to establish a remote connection to a system. RDP allows legitimate users to access their desktops remotely, but attackers can exploit vulnerabilities in RDP to gain unauthorized access to a system.
  • T1569.002: Service Execution | Executes commands through a service running on the target system. Services are programs that run in the background on a system and perform specific tasks. Attackers can exploit vulnerabilities in services or abuse legitimate functionalities to execute malicious commands.
  • T1070.004: File Deletion | Permanently removes files from the system. Attackers may delete files to destroy evidence of their activity, remove critical system files to disable security software, or free up disk space for malware.

Source : Mandiant M-Trends 2024 report
Sina SOC , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Defending Against Mail Spoofing: Technical Solutions for Enhanced Email Security & Disabling SMTP Relaying