Introduction
Welcome to The Red Report 2023, a comprehensive analysis of the most prevalent MITRE ATT&CK® tactics and techniques used in 2022 and how they were leveraged by threat actors. This research was conducted by Picus Labs, the research arm of Picus Security, and is based on an in-depth analysis of over 500,000 real-world malware samples collected from a wide range of sources.
The goal of this report is to share our knowledge about the most commonly used attack techniques and their use cases, so that security teams can adopt a more threat-centric approach and prioritize threat prevention, detection, and response efforts.
Executive Summary
Picus Labs analyzed over 500,000 malware samples between January 2022 and December 2022 to identify the tactics, techniques, and procedures (TTPs) they exhibited. Each observed TTP was categorized using the MITRE ATT&CK® Framework. In total, Picus Labs recorded more than 4.3 million individual occurrences of ATT&CK techniques across these samples and used this data to identify the most prevalent ones.
The Red Report 2023 highlights the ten most common ATT&CK techniques identified and provides insights to help security teams prioritize their defensive actions accordingly.
Highlighting Lateral Movement of Adversaries
The most significant insight from this year’s report is that attackers are increasingly leveraging malware to perform Lateral Movement. Lateral Movement is a tactic that attackers use to move from one compromised system in a network to another, helping them to further their objectives.
Two of the newcomers in this year’s Red Report Top Ten serve Lateral Movement directly: T1021 Remote Services, an ATT&CK Lateral Movement technique in which adversaries log on to other hosts over protocols such as SMB, RDP, SSH and WinRM with valid credentials, and T1018 Remote System Discovery, a Discovery technique used to enumerate the hosts that will become the targets of that movement. The third newcomer, T1047 Windows Management Instrumentation, is an Execution technique that attackers abuse to run files and commands on remote systems.
In addition to the techniques above, attackers also leverage T1059 Command and Scripting Interpreter and T1003 OS Credential Dumping, the first and second most prevalent techniques identified, to execute commands on remote systems and to obtain the account credentials that remote logons require. Both therefore aid Lateral Movement as well.
The rise in the prevalence of techniques used to conduct lateral movement highlights the importance of strengthening threat prevention and detection not only at the network perimeter but also inside the network, where host-to-host logons and remote execution take place.
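As an added illustration of the kind of inside-the-network detection the report argues for (this is example code written for this edit, not code or data from Picus Labs), the following script correlates two patterns from the techniques above over a handful of constructed Windows events: a single source performing network logons to many hosts in a short window (T1021 Remote Services) and a process spawned by WmiPrvSE.exe on a host that has just received a network logon (T1047 WMI remote execution). The event records are invented for the example and assume logs already normalised into dicts; the field names follow Windows Security event 4624 and Sysmon event ID 1, but the hosts, users, addresses and timestamps are made up. The thresholds (window sizes, minimum host count) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not data from the report). Field names follow
# Security event 4624 (logon) and Sysmon event 1 (process creation); hosts,
# users, addresses and timestamps are invented for the example.
EVENTS = [
    {"ts": "2022-06-01T10:00:05", "id": 4624, "host": "SRV01", "user": "corp\\jdoe",
     "logon_type": 3, "src_ip": "10.1.1.20"},
    {"ts": "2022-06-01T10:00:09", "id": 4624, "host": "SRV02", "user": "corp\\jdoe",
     "logon_type": 3, "src_ip": "10.1.1.20"},
    {"ts": "2022-06-01T10:00:14", "id": 4624, "host": "SRV03", "user": "corp\\jdoe",
     "logon_type": 3, "src_ip": "10.1.1.20"},
    # On SRV03, one second after the remote logon, the WMI provider host spawns cmd.exe.
    {"ts": "2022-06-01T10:00:15", "id": 1, "host": "SRV03",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2022-06-01T10:00:20", "id": 4624, "host": "SRV04", "user": "corp\\jdoe",
     "logon_type": 3, "src_ip": "10.1.1.20"},
    # Benign noise: a single network logon and an interactive process start.
    {"ts": "2022-06-01T10:30:00", "id": 4624, "host": "FS01", "user": "corp\\admin",
     "logon_type": 3, "src_ip": "10.1.1.50"},
    {"ts": "2022-06-01T10:31:00", "id": 1, "host": "FS01",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_remote_service_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """T1021 Remote Services: one (source IP, user) pair logs on over the network
    (logon type 3 = network, 10 = RemoteInteractive/RDP) to at least `min_hosts`
    distinct hosts within `window`. Returns one alert per offending pair."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") in (3, 10):
            logons[(e["src_ip"], e["user"])].append((parse_ts(e["ts"]), e["host"]))
    alerts = []
    for (src_ip, user), items in logons.items():
        items.sort()
        for start, _ in items:  # slide a window anchored on each logon time
            hosts = {h for t, h in items if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                alerts.append({"technique": "T1021", "src_ip": src_ip, "user": user,
                               "hosts": sorted(hosts), "start": start.isoformat()})
                break
    return alerts


def detect_wmi_remote_exec(events, window=timedelta(seconds=60)):
    """T1047 WMI: a process whose parent is WmiPrvSE.exe on a host that received
    a network logon at most `window` earlier. Pairing the child process with the
    preceding remote logon separates remote WMI execution from purely local WMI use."""
    net_logons = [(parse_ts(e["ts"]), e["host"], e["src_ip"], e["user"])
                  for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    alerts = []
    for e in events:
        if e["id"] != 1 or not e.get("parent_image", "").lower().endswith("\\wmiprvse.exe"):
            continue
        started = parse_ts(e["ts"])
        for logon_time, host, src_ip, user in net_logons:
            if host == e["host"] and logon_time <= started <= logon_time + window:
                alerts.append({"technique": "T1047", "host": host, "src_ip": src_ip,
                               "user": user, "cmdline": e["cmdline"],
                               "ts": started.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_service_fanout(EVENTS) + detect_wmi_remote_exec(EVENTS):
        print(alert)
```

On the constructed input the first rule flags 10.1.1.20 / corp\jdoe fanning out to SRV01 through SRV04, and the second flags the cmd.exe spawned by WmiPrvSE.exe on SRV03 right after the logon from the same source. In a real environment both rules need baselining: vulnerability scanners, backup agents and management tooling such as SCCM produce exactly these fan-out and WmiPrvSE.exe-child patterns, so the source addresses and accounts that do this legitimately should be allow-listed or the thresholds raised before the rules are used for alerting.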
The Red Report Top 10 ATT&CK Techniques
1. T1059 Command and Scripting Interpreter
2. T1003 OS Credential Dumping
3. T1486 Data Encrypted for Impact
4. T1055 Process Injection
5. T1082 System Information Discovery
6. T1021 Remote Services
7. T1047 Windows Management Instrumentation
8. T1053 Scheduled Task/Job
9. T1497 Virtualization/Sandbox Evasion
10. T1018 Remote System Discovery