Of all the tactics that an adversary will take on in their campaign, none will be more widely abused than Execution. When taking into consideration off-the-shelf malware, traditional ransomware, or state of the art advanced persistent threat actors, all of them have execution in common. There’s a great quote from Alissa Torres which says, “Malware can hide, but it must run.”
Since malware must run, that gives defenders an opportunity to either block it or detect it. However, not all malware is going to be a malicious executable that can easily be looked up on Virus Total. In some cases, the malware will use built-in or trusted tools, some of which are available to them on every endpoint already.
Some of the techniques such as Mshta or CMSTP allow an attacker to abuse pre-installed applications for malicious purposes. The recommended way to prevent this type of attack is to remove any unnecessary code from endpoints where possible. This can be as simple as removing unnecessary services, more involved by implementing hardening controls, or as complex as running hardened and stripped-down Docker containers.
Other techniques such as Command Line Interface or PowerShell are extremely useful for attackers. In fact, a lot of fileless malware leverage one or both of these two specifically. The power of these types of techniques to attackers is that they are both installed on the endpoints already but also because they are rarely if ever removed. System administrators and power users rely on some of these built-in tools every day.
Even the mitigation controls in ATT&CK state that they cannot be removed and can only be audited. Attackers are relying on the fact that they will be there and are hoping they are not being audited. To gain an advantage over attackers, simply enable auditing of these techniques and collect them into a centralized location for review.
Finally, nearly every technique within this tactic has one mitigation control in common. Application Whitelisting is the single most useful control when mitigating against malware attacks. Like any technology, it’s not a golden bullet that will solve everything.
However, application whitelisting is going to slow down an attacker and possible force them outside of their comfort zone and try other tactics and techniques. Just like everyone else, when an attacker is forced outside of their comfort zone, they will make mistakes.
If you are currently working towards applying the CIS Critical Security Controls, then this tactic very closely matches up with Control 2, inventory of authorized and unauthorized software. From a mitigating aspect, you cannot prevent what you do not know about, so getting an idea about what you have is the first step.
However, to properly leverage ATT&CK, you’ll need to dig deeper than just the installed applications. Inventory built-in tools or add-ons which can introduce additional risk to the organization. When you do all of these properly, malware can run, but it cannot hide.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control