Preamble
When prioritizing detection engineering efforts, it's essential to understand the most prevalent tactics, techniques, and procedures (TTPs) observed in the wild. This knowledge helps defenders make informed decisions about the most effective strategies to implement - especially where to focus engineering efforts and finite resources.
To highlight these prevalent TTPs, we analyzed over 100,000 Windows malware samples extracted over several months from one of our dynamic malware analysis tools, Detonate. To generate this data and alerts, we leveraged Elastic Defend behavior (mapped to MITRE ATT&CK) and memory threat detection rules. It should be noted that this dataset is not exhaustive, it may not represent the entire spectrum of malware behavior, and specifically does not include long-term or interactive activity.
Below an ES|QL query to summarize our dataset by file type:
Tactics
Beginning with tactics, we aggregated the alerts generated by this corpus of malware samples and organized them according to the counts of process.entity_id and alerts. As depicted in the image below, the most frequent tactics included defense evasion, privilege escalation, execution, and persistence. Certain tactics commonly linked with post-exploitation activities, such as lateral movement, provided an anticipated lower prevalence because these actions are commonly manually driven by the threat actor after the initial implant is established vs. being automated by the malware in our dataset.
In the following sections, we will delve into each tactic and the techniques and sub-techniques of each that exerted the most influence.
Defense Evasion
Defense Evasion involves methods employed by adversaries to avoid detection by security teams or capabilities. The foremost tactic detected was defense evasion, triggering 189 distinct detection rules (nearly 40% of our current Windows rules). The primary techniques noted are associated with code injection, defense tampering, masquerading, and system binary proxy execution.
When we pivot by sub-techniques, it becomes evident that certain advanced techniques such as DLL side-loading and Parent PID Spoofing have become increasingly popular, even among non-targeted malwares. Both are frequently linked with code injection and masquerading.
Furthermore, system binary proxies Rundll32 and Regsvr32 remain highly abused, with a notable rise in the utilization of malicious MSI installers for malware delivery. The practice of masquerading as legitimate system binaries, whether through renaming or process hollowing, remains prevalent as well, serving as a means to evade user suspicion.
Tampering with Windows Defender stands out as the most frequently observed defense evasion tactic, emphasizing the importance for defenders to acknowledge that adversaries will attempt to obscure their activities.
Process Injection is prevalent across various malware families, whether they target legitimate system binaries remotely to blend in or employ self-injection (sometimes paired with DLL side-loading through a trusted binary). Furthermore, there is a noticeable uptick in the use of NTDLL unhooking to bypass security solutions reliant on user-mode APIs monitoring (Elastic Defend is not impacted).
From our shellcode alerts we can clearly see that self-injection is more prevalent than remote:
Almost 50 unique vendors’ binaries abused for DLL side-loading, of which Microsoft is the top choice:
Defense evasion comprises various techniques and sub-techniques necessitating comprehensive coverage due to their frequent occurrence. For instance, apart from memory threat protection, half of our rules are specifically tailored to address this tactic.
Privilege Escalation
This tactic consists of techniques that adversaries use to gain greater permissions on a system or network. The most commonly used techniques relate to access token manipulation, execution through privileged system services, and bypassing User Account Control.
The most frequently observed sub-technique involved impersonation as the Trusted Installer service, which aligns closely with defense evasion and often precedes attempts to manipulate system-protected resources.
Concerning User Account Control bypass, the primary method we observed was elevation by mimicking trusted directories, which is also related to DLL side-loading. Additionally, other methods like elevation via extended startupinfo (elevated parent PID spoofing) are increasingly prevalent among commodity malware.
As evident from the list below, there's a notable rise in the use of vulnerable drivers (BYOVD) to manipulate protected objects and acquire kernel mode execution privileges.
Below, you'll find a list of the most commonly exploited drivers triggered by our YARA rules:
Execution
Execution encompasses methods that lead to running adversary-controlled code on a local or remote system. These techniques are frequently combined with methods from other tactics to accomplish broader objectives, such as network reconnaissance or data theft.
The most common techniques observed here involved Windows command and scripting languages, with the proxying of execution via the Windows Management Instrumentation (WMI) interface closely trailing behind.
Powershell remains a preferred scripting language for malware execution chains, followed by Javascript and VBscript. Multi-stage malware delivery routinely involves a combination of two or more scripting languages.
Here is a list of the most frequently triggered endpoint behavior detections for this tactic:
Windows' default scripting languages remain the top preference for malware execution. However, there has been a slight uptick in the shift towards using other third-party scripting interpreters like Python, AutoIt, Java and Lua.
Persistence
It's common for malware to install itself on an infected host. No surprises here: the most frequently observed persistence methods include scheduled tasks, the run key and startup folder, and Windows services (which typically require administrator privileges).
The top three persistence sub-techniques depicted in the list below are also commonly encountered in regular software installations. Therefore, it's necessary to dissect them into multiple detections with additional suspicious signals to reduce false positives and enhance precision.
Initial Access
Considering the dataset's composition, initial access was associated with primarily macro-enabled documents and Windows shortcut objects. Although a significant portion of the detonated samples also involved other formats, such as ISO/VHD containers with MSI installers extensively utilized for delivery, their genuine malicious behavior typically manifests in areas such as defense evasion and persistence.
The most frequently abused Microsoft-signed binaries originating from malicious Microsoft Office documents align closely with execution and defense evasion tactics, command and scripting interpreters, and system binary proxy execution.
Here is a list of the most frequently triggered detections for initial access, regarding phishing attachments:
Credential Access
Credential access in malware is frequently linked to information stealers. The most targeted credentials are typically associated with Windows Credential Manager and browser password stores. Domain and system-protected credentials require elevated privileges and are more likely a feature of a subsequent stage.
Below a breakdown of the endpoint behavior detections that triggered the most on credentials access:
The majority of credentials access behaviors resemble typical file access events. Therefore, it's essential to correlate and enrich them with additional signals to reduce false positives and enhance comprehension.
Conclusion
Even though this small dataset of about 100,000 malware samples represents only a fraction of the possible malware in the wild right now, we can still derive important insights from it about the most common TTPs using our behavioral detections. Those insights help us make decisions about detection engineering priorities, and defenders should make that part of their strategies.