Top 20 Most Common Hacker Behaviors

The top MITRE ATT&CK™ behaviors to monitor for on your endpoints and servers

When the OWASP Top 20 Vulnerabilities was first published it revolutionized our industry’s approach to vulnerability management. Instead of playing wack-a-mole with thousands of individual vulnerabilities every time a new one was discovered, we approached vulnerability management by primarily addressing these Top 20 Techniques. (Yes, I know we’ve gotten away from that a bit with all the flashy vulnerability names we starting using…but that’s another post for another time.)

Still considered “advanced,” behavioral detection has just begun to hit the mainstream. But, as the incident response (IR) cases we support continually confirm, adoption is still lagging for 90% of the mid- and SMB market. It’s in no way controversial anymore to state that, in order to detect and stop modern attacks, organizations need to have behavioral monitoring capabilities.

Cloud Native Now

A problem, as I mentioned in my blog post “Why you’re going about MITRE ATT&CK coverage all wrong,” is that we’ve been led to believe that if we adopt behavioral detection, we need to spend a lot to maximize coverage of all the attacker behaviors. This is a disservice.

Our intention in detection among most organizations (aka, the ones that don’t have a full time threat intel team) should be to stop focusing on individual, novel attack techniques and concentrate defenses against the Top 20 most commonly observed ATT&CK techniques that are also achievable to monitor. These are the ones that actually matter, and the ones that will catch more bad guys, more often.

The following list is consolidated from Infocyte data and cross referenced with various forensic reports on observed attacks over the last 36 months:


Rank Tactic Id Technique
1 Execution T1059 Command Line Interface / Powershell
2 Initial Access T1078 Valid Account Misuse
3 Discovery T1082 System Information Discovery
4 Persistence T1060 Registry Run Keys
5 Credential Access T1003 Credential Dumping
6 Lateral Movement T1021 Remote Services
7 Execution T1055 Process Injection
8 Persistence T1053 Scheduled Tasks
9 Defensive Evasion T1218 Signed Binary Proxy Execution
10 Persistence T1547 Boot/Logon Autostart Execution (esp. Shortcut Modification)
11 Execution T1047 Windows Management Instrumentation (WMI)
12 Defense Evasion T1036 Masquerading
13 Privilege Escalation T1574 Hijack Execution Flow
14 Defense Evasion T1027 Obfuscated Files or Information
15 Defense Evasion T1497 Virtualization/Sandbox Evasion
16 Lateral Movement T1544 Remote File Copy
17 Defense Evasion T1089 Disabling Security Tools
18 Initial Access T1190 Exploit Public Facing Application
19 C2 T1219 Remote Access Software (e.g. RDP)
20 C2 T1505 Webshells
2021 Top 20 MITRE ATT&CK Techniques (Infocyte)**

Making your detection capabilities robust against these techniques will deliver more bang for the buck than any other approach while saving you time and money from hunting “Bluebird” techniques.

Is Top 20 enough?


We respond to a lot of attacks and have been doing threat hunting and response in organizations large (e.g. USAF) and small for over a decade. In that time, there have been very few attacks that don’t exhibit behaviors that overlap with the 20 most common that you could be monitoring for today.

When SolarWinds Solarigate a.k.a. SUNBURST hit in December 2020, everyone said this was novel; and the entry vector certainly was. Once you dug in though, the same top 20 behaviors could be observed: The novel supply chain vulnerability was used to spawn malicious Powershell (T1059), scripts (T1059), memory injections (T1055), lateral movement (T1544) techniques and credential dumping (T1003).

When Hafnium hit Exchange Servers using the latest Exchange zero-days we saw the same things: new novel entry vectors leading to many of the same top 20 common behaviors like WebShells (T1505) spawning PowerShell commands (T1059) and injecting Cobalt Strike into memory (T1055).

Everyone effectively monitoring for the top 20 attacker behaviors had the visibility to see these attacks unfold and my prediction is the next big vulnerability will be found by monitoring for them as well.

**Notes on Infocyte's Top 20 MITRE ATT&CK Techniques Ranking Methodology:
1. The top techniques change rankings as threats evolve - though these have all mostly stayed high for the last decade.
2. Rankings of the top observed techniques are skewed by the ability to observe those techniques. Example: you'll never see registry manipulation with a network sensor or a non-EDR AV engine; you need endpoint behavioral monitoring to see most of these. 
3. To produce this ranking, we cross referenced our endpoint behavioral data with notes on hundreds of external forensics reports on historical attacks and several consolidated industry reports. 
4. We omitted some techniques from the list that were common but not practical to monitor for in modern networks due to false positives, impracticality and/or costs. Example: Encrypted Channels (TLS) are used in almost every attack but it's not, by itself, a behavior that is distinguishible from normal encrypted traffic. 


Ultimately, the Top 20 approach is an acknowledgement that not all techniques are necessary to alert or monitor to detect attacks. Defense in Depth still works: every tactic and technique you have visibility on is a detection opportunity in the attack chain, and the top 20 is broad enough to cover you against even some of the most advanced attackers. We are all strapped for resources; don’t chase the highest coverage and focus on the top 20. With these 20, there are exceedingly few attacks that could ever get past your notice.

On the next post, we’ll dive into the details of how Infocyte defends against these techniques using our new behavioral analytics engine and our unique historical forensic capabilities.

Try it out for yourself with a free self-service assessment here or try our endpoint detection and response platform for free just by signing up here

The post Top 20 Most Common Hacker Behaviors appeared first on Infocyte.

*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at:

Avatar photo

Chris Gerritz

Chris is a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice.

chris-gerritz has 12 posts and counting.See all posts by chris-gerritz