Top ATT&CK techniques used in the wild
List
- Command and Scripting Interpreter T1059
- Signed Binary Proxy Execution T1218
- Create or Modify System Process T1543
  - Windows Service T1543.003
- Scheduled Task/Job T1053
  - Scheduled Task T1053.005
- OS Credential Dumping T1003
  - LSASS Memory T1003.001
- Process Injection T1055
- Obfuscated Files or Information T1027
- Ingress Tool Transfer T1105
- System Services T1569
  - Service Execution T1569.002
- Masquerading T1036
  - Rename System Utilities T1036.003
Table
Percentage | Technique | Sub-Techniques | Tactic | Link |
---|---|---|---|---|
24% | Command and Scripting Interpreter T1059 | PowerShell T1059.001; Windows Command Shell T1059.003 | Execution TA0002 | redcanary |
19% | Signed Binary Proxy Execution T1218 | Rundll32 T1218.011; Mshta T1218.005 | Defense Evasion TA0005 | redcanary |
16% | Create or Modify System Process T1543 | Windows Service T1543.003 | Persistence TA0003; Privilege Escalation TA0004 | redcanary |
16% | Scheduled Task/Job T1053 | Scheduled Task T1053.005 | Execution TA0002; Privilege Escalation TA0004 | redcanary |
7% | OS Credential Dumping T1003 | LSASS Memory T1003.001 | Credential Access TA0006 | redcanary |
7% | Process Injection T1055 | ALL | Privilege Escalation TA0004; Defense Evasion TA0005 | redcanary |
6% | Obfuscated Files or Information T1027 | ALL | Defense Evasion TA0005 | redcanary |
5% | Ingress Tool Transfer T1105 | ALL | Command and Control TA0011 | redcanary |
4% | System Services T1569 | Service Execution T1569.002 | Execution TA0002 | redcanary |
4% | Masquerading T1036 | Rename System Utilities T1036.003 | Defense Evasion TA0005 | redcanary |
![](./images/Pasted image 20210726175152.png)
ATT&CK Coverage with Sysmon
https://github.com/olafhartong/sysmon-modular/
![](./images/sysmon-modular.png)