The MITRE ATT&CK Framework: Execution

Of all the tactics that an adversary will take on in their campaign, none will be more widely abused than Execution (https://attack.mitre.org/wiki/Execution). Whether you consider off-the-shelf malware, traditional ransomware, or state-of-the-art advanced persistent threat actors, all of them have execution in common. There's a great quote from Alissa Torres which says, "Malware can hide, but it must run."
Since malware must run, that gives defenders an opportunity to either block it or detect it. However, not all malware is going to be a malicious executable that can easily be looked up on VirusTotal. In some cases, the malware will use built-in or trusted tools, some of which are already available to the attacker on every endpoint.
Some of the techniques, such as Mshta or CMSTP, allow an attacker to abuse pre-installed applications for malicious purposes. The recommended way to prevent this type of attack is to remove any unnecessary code from endpoints where possible. This can be as simple as removing unnecessary services, more involved such as implementing hardening controls, or as complex as running hardened and stripped-down Docker containers.
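Where the pre-installed binaries cannot be removed, the other half of the defender's opportunity is detection: because these tools must run, a process-creation event is produced every time. The following is an added example, not code from the original post or from MITRE, showing a small triage rule run over constructed process-creation records in a made-up `key=value;key=value` format. It flags the two binaries named above (mshta.exe, cmstp.exe) and raises severity when the launch looks out of place: spawned by an Office or shell parent, passing a remote URL, or referencing a user-writable directory. The parent list, the directory pattern and the log lines are all assumptions made for the example.

```python
"""Triage process-creation events for signed, pre-installed Windows binaries
used as execution proxies (Mshta, CMSTP). Added example; every log line below is
constructed for illustration and does not come from a real host.
"""
import re
from dataclasses import dataclass, field

# Pre-installed binaries named in the article as abused for execution.
PROXY_BINARIES = {"mshta.exe", "cmstp.exe"}

# Parents from which these binaries rarely run legitimately (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe"}

# Paths an unprivileged user can write to (assumed pattern for the example).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|temp)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


@dataclass
class Finding:
    event_id: int
    image: str
    parent: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one 'Key=Value;Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a Finding for a proxy-binary launch, or None for anything else."""
    image = basename(event.get("image", ""))
    if image not in PROXY_BINARIES:
        return None
    parent = basename(event.get("parentimage", ""))
    cmd = event.get("commandline", "")
    reasons = [f"pre-installed proxy binary {image}"]
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if REMOTE_URL.search(cmd):
        reasons.append("remote URL in command line")
    if USER_WRITABLE.search(cmd):
        reasons.append("argument in user-writable directory")
    # One reason means "a proxy binary ran"; more than one means it ran oddly.
    severity = "high" if len(reasons) >= 2 else "low"
    return Finding(int(event.get("eventid", 0)), image, parent, severity, reasons)


def scan(lines):
    """Run every record through evaluate() and keep the findings, in order."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records: two suspicious launches, one benign program,
# and one proxy binary launched in a way that looks ordinary.
SAMPLE_EVENTS = [
    r"EventId=1;Image=C:\Windows\System32\mshta.exe;"
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;"
    r"CommandLine=mshta.exe http://files.example.invalid/update.hta",
    r"EventId=2;Image=C:\Windows\System32\cmstp.exe;"
    r"ParentImage=C:\Windows\explorer.exe;"
    r"CommandLine=cmstp.exe C:\Users\alice\AppData\Local\Temp\profile.inf",
    r"EventId=3;Image=C:\Windows\System32\notepad.exe;"
    r"ParentImage=C:\Windows\explorer.exe;CommandLine=notepad.exe report.txt",
    r"EventId=4;Image=C:\Windows\System32\mshta.exe;"
    r"ParentImage=C:\Windows\explorer.exe;"
    r"CommandLine=mshta.exe C:\Program Files\Vendor\helper.hta",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.severity:4} {f.image} <- {f.parent}: "
              + "; ".join(f.reasons))
```

The low-severity finding for event 4 is deliberate: a proxy binary launched by Explorer with a local, vendor-installed file is the kind of event you baseline rather than alert on, while the same binary spawned by Word with a URL argument is worth an immediate look. In a real deployment the parent list and path pattern would be tuned against the endpoint's own baseline.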
Other techniques such as Command Line Interface or PowerS ..
