Top ATT&CK Techniques Used in the Wild

List

  1. Command and Scripting Interpreter T1059
    1. PowerShell T1059.001
    2. Windows Command Shell T1059.003
  2. Signed Binary Proxy Execution T1218
    1. Rundll32 T1218.011
    2. Mshta T1218.005
  3. Create or Modify System Process T1543
    1. Windows Service T1543.003
  4. Scheduled Task/Job T1053
    1. Scheduled Task T1053.005
  5. OS Credential Dumping T1003
    1. LSASS Memory T1003.001
  6. Process Injection T1055
  7. Obfuscated Files or Information T1027
  8. Ingress Tool Transfer T1105
  9. System Services T1569
    1. Service Execution T1569.002
  10. Masquerading T1036
    1. Rename System Utilities T1036.003
Table

| Percentage | Technique | Sub-Techniques | Tactic | Link |
|---|---|---|---|---|
| 24% | Command and Scripting Interpreter (T1059) | PowerShell (T1059.001), Windows Command Shell (T1059.003) | Execution (TA0002) | redcanary |
| 19% | Signed Binary Proxy Execution (T1218) | Rundll32 (T1218.011), Mshta (T1218.005) | Defense Evasion (TA0005) | redcanary |
| 16% | Create or Modify System Process (T1543) | Windows Service (T1543.003) | Persistence (TA0003), Privilege Escalation (TA0004) | redcanary |
| 16% | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) | Execution (TA0002), Privilege Escalation (TA0004) | redcanary |
| 7% | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) | Credential Access (TA0006) | redcanary |
| 7% | Process Injection (T1055) | All | Privilege Escalation (TA0004), Defense Evasion (TA0005) | redcanary |
| 6% | Obfuscated Files or Information (T1027) | All | Defense Evasion (TA0005) | redcanary |
| 5% | Ingress Tool Transfer (T1105) | All | Command and Control (TA0011) | redcanary |
| 4% | System Services (T1569) | Service Execution (T1569.002) | Execution (TA0002) | redcanary |
| 4% | Masquerading (T1036) | Rename System Utilities (T1036.003) | Defense Evasion (TA0005) | redcanary |

Reference

ATT&CK Coverage with Sysmon

https://github.com/olafhartong/sysmon-modular/