SoK

ATT&CK techniques and trends in windows malware

Conference paper (2019)

Authors

K. Oosthoek Cyber Security - EEMCS
C. Dörr Cyber Security - EEMCS
Research Group
Cyber Security (EEMCS) (TU Delft)
Classification Cyber threat intelligence Advanced persistent threats ATT&CK framework Malware analysis
More Info
expand_more

Published Date

2019

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Department

Intelligent Systems

Research Group

Cyber Security

Abstract

In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers to gain a foothold on target systems. The Mitre ATT&CK framework is a taxonomy of adversary TTPs. It is meant to advance cyber threat intelligence (CTI) by establishing a generic vocabulary to describe post-compromise adversary behavior. This paper discusses the results of automated analysis of a sample of 951 Windows malware families, which have been plotted on the ATT&CK framework. Based on the framework’s tactics and techniques we provide an overview of established techniques within Windows malware and techniques which have seen increased adoption over recent years. Within our dataset we have observed an increase in techniques applied for fileless execution of malware, discovery of security software and DLL side-loading for defense evasion. We also show how a sophisticated technique, command and control (C&C) over IPC named pipes, is getting adopted by less sophisticated actor groups. Through these observations we have identified how malware authors are innovating techniques in order to bypass established defenses.