Most common cyberattack techniques on Windows networks for 2020

Red Canary recently unveiled its 2021 Threat Detection Report. Included in the report is a mapping of many of the top cyberattack techniques to the MITRE ATT&CK framework. The findings presented by Red Canary researchers underscore the need to fully understand your network. Take the time to monitor what is normal in your firm. Review and document what scripts are used on a regular basis and what event IDs are thrown off in the event logs, especially those relevant to the most used attack techniques.

Deploy Sysmon and save the log files to an external location. Ensure that you are logging events that will expose what attackers might be doing in your network. The Australian Cyber Security Centre has documentation and guidance on setting up Windows event logging.

Here are the top attack techniques that Red Canary saw in 2020:

1. Command and scripting interpreters, better known as PowerShell (24%)

Red Canary’s customers were most impacted by attacks using PowerShell and Windows Command Shell. Because these tools are native to Windows, it is much harder for firms to determine that they are being attacked. This is called “living off the land,” where the attacker doesn’t have to bring attack tools to your network. Rather they use the existing PowerShell that is already installed. To monitor for PowerShell and command line-based attacks, use such tools as Sysmon to ensure that you are capturing the logging.

Look for suspicious cmdlets or any other obfuscated commands that need to be decoded to be investigated. Comparing normal PowerShell patterns to malicious ones may take time. Keep an eye out for Event 4688 – Process Creation – to alert you to new and malicious usage. Set a baseline understanding of the scripts and PowerShell processes that you use on a regular basis so you can filter these out as being normal. Look for commands that appear to be cmd.exe combined with obfuscation.

2. Signed binary process execution (19%)

The next attack sequence uses two techniques: Rundll32 and Mshta. Both allow the attacker to create malicious code through trusted signed binaries. Again, the attackers are using living off the land attack sequences and not bringing tools into your network that could be detected. You can set alerts for the malicious use of Rundll32, but it can be difficult to fine-tune your alerts given its normal use in your organization. Remember, establish a baseline in your organization.

3. Create and modify system process (16%)

Next up is Windows Service used by a single threat: Blue Mockingbird, which deploys a cryptocurrency mining payload. Review the logs for events 4697, 7045 and 4688 when new services and new processes are created. Once again, know your organization and its normal baseline.

4. Scheduled tasks/jobs (16%)

Attackers use scheduled tasks to introduce persistence. The Red Canary report indicated that you should review when a scheduled task is set to run as system as this is the most typical attack configuration they saw. Event ID 106 and 140 record when a new task is created or updated.

5. Credential dumping (7%)

The Local Security Authority Subsystem Service (LSASS) is often used to dump passwords with a little help from such tools as ProcDump and Mimikatz. Once again, Sysmon process access rules are your best toolkit. Look for event ID 10 in the Sysmon events. Also use Windows 10 Attack Surface Reduction settings to look for LSASS suspicious access once you’ve established a baseline in your organization to look for the unusual attack sequences.

6. Process injection (7%)

Attackers use a variety of injection methods to gain more access to your systems. Because of the myriad methodologies, you’ll once again want to use Sysmon in your alert toolkit.

7. Obfuscated files or information (6%)

Attackers clearly want to hide their actions and use tools such as Base64 encoding to hide their attack processes. Monitor for the use of PowerShell.exe or Cmd.exe in unusual ways. This attack sequence can be difficult to review as indicators of malicious activity can also look like normal administrative tasks. Have set policies for using PowerShell and only use signed script execution.

8. Ingress tool transfer (5%)

While most attack sequences living off the land techniques, sometimes attackers move tools into the platform. They often use bitsadmin.exe to transfer malicious tools used in attack sequences. Reviewing PowerShell command lines for keywords and patterns is a key way to find the sequence.

9. System services (4%)

Attackers use Windows Service Manager to run commands or install services. Monitor Sysmon event ID 7 for attack sequences.

10. Masquerading (4%)

Attackers attempt to trick detection by renaming system utilities to bypass controls and detection. For this look not for file names but processes, known paths to determine if attackers are attempting to use this technique to attack you. If you can, use systems that compare hash values of files as those will not deviate even if the file names are changed.