Top Attack Techniques

Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing ATT&CK techniques. Our open methodology considers technique prevalence, common ATT&CK choke points, and actionability to enable defenders to focus on the ATT&CK techniques that are most relevant to their organization.

Calculator

Use the calculator to generate a prioritized top 10 list of techniques. You can tailor your top 10 list to your system characteristics and security controls.

Top 10 lists

Browse top 10 lists created by our ATT&CK experts. Each list is tailored to a threat area, such as ransomware, and is based on detailed analysis.

Methodology

We calculate Actionability, Choke Point, and Prevalence scores for each technique; these are then weighted and combined to form the total technique score.

Help

Read the FAQ to answer any questions you might have about this site. Get step-by-step instructions about how to use the Top ATT&CK Techniques Calculator.

Want to Learn More?

The methodology page outlines the rationale behind the ATT&CK technique scores and ranking. A technique's score is calculated from three core components: Actionability, Choke Point, and Prevalence.

The help page contains the answers to common questions and issues that may come up for users of Top ATT&CK Techniques. It also has a step-by-step guide to learning your top ATT&CK techniques, customized to your system.

Ransomware Top 10 Techniques

Description

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution. [Citations: Powershell Remote Commands; Cisco IOS Software Integrity Assurance - Command History; Remote Shell Execution in Python]

Subtechniques

Mitigations

  • M1049 - Antivirus/Antimalware

    Use signatures or heuristics to detect malicious software.

  • M1040 - Behavior Prevention on Endpoint

    Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API call behavior.

  • M1045 - Code Signing

    Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

  • M1042 - Disable or Remove Feature or Program

    Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

  • M1038 - Execution Prevention

    Block execution of code on a system through application control, and/or script blocking.

  • M1026 - Privileged Account Management

    Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

  • M1021 - Restrict Web-Based Content

    Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.

Detections

Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running outside of patching cycles or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
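As an added example (not code from the Top ATT&CK Techniques site or from MITRE ATT&CK), the following Python triages constructed process-creation log lines for the signals the Detections section describes: an interpreter launched by a document application (the lure-document case from the description), an encoded PowerShell command line, and a script file passed on the command line that should be captured from disk. Field names are Sysmon-style; the key="value" line format, the interpreter and document-application lists, and the sample events are all assumptions made for this demo.

```python
"""Added example (not from the Top ATT&CK Techniques site): triage process-creation
log lines for script-interpreter abuse. Line format and sample events are constructed."""
import re

# Interpreters named in the technique description: Unix shells, cmd.exe,
# PowerShell, Python, and the Windows JavaScript/VBScript script hosts.
INTERPRETERS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe",
                "python", "python3", "python.exe", "wscript.exe", "cscript.exe"}
# Document viewers should rarely spawn an interpreter (lure-document payloads).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_EXT = re.compile(r"\.(?:ps1|vbs|js|bat|cmd|py|sh)\b", re.IGNORECASE)
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)", re.IGNORECASE)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=value

def parse_event(line):
    """Parse one log line into a dict with lower-cased keys."""
    return {k.lower(): (q or u) for k, q, u in KV.findall(line)}

def basename(path):  # last path component, case-folded, for both \ and / separators
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Reasons an interpreter launch is suspicious; a bare interpreter launch is not flagged."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parentimage", ""))
    cmdline = event.get("commandline", "")
    reasons = []
    if image not in INTERPRETERS:
        return reasons
    if parent in DOCUMENT_APPS:
        reasons.append(f"{image} spawned by document application {parent}")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmdline):
        reasons.append("encoded PowerShell command line")
    if SCRIPT_EXT.search(cmdline):
        reasons.append("script file on command line; capture it from disk for analysis")
    return reasons

def triage(lines):
    """Map each flagged event's command line to its findings (benign events dropped)."""
    scored = ((e.get("commandline", ""), score_event(e)) for e in map(parse_event, lines))
    return {cmd: reasons for cmd, reasons in scored if reasons}

# Constructed sample events with Sysmon-style field names (not real telemetry).
SAMPLE_LOG = [
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="cmd.exe /c dir"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" CommandLine="powershell.exe -w hidden -enc BASE64PLACEHOLDER"',
    'Image="C:\\Windows\\System32\\wscript.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="wscript.exe C:\\Users\\bob\\Downloads\\invoice.vbs"',
    'Image="/usr/bin/bash" ParentImage="/usr/lib/systemd/systemd" CommandLine="/bin/bash /etc/cron.daily/logrotate"',
]
```

Running `triage(SAMPLE_LOG)` flags only the PowerShell and wscript events; the plain cmd.exe launch and the cron-driven bash run produce no findings, which is the point made above that interpreter use by itself is routine.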

The Center for Threat-Informed Defense is a non-profit, privately funded research and development organization. Our mission is to advance the state of the art and the state of the practice in threat-informed defense globally.