SoK: ATT&CK techniques and trends in Windows malware

Kris Oosthoek*, Christian Doerr

*Corresponding author for this work

Research output: Chapter in Book/Conference proceedings/Edited volume, Conference contribution, Scientific, peer-reviewed

18 Citations (Scopus)

Abstract

In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers to gain a foothold on target systems. The MITRE ATT&CK framework is a taxonomy of adversary TTPs. It is meant to advance cyber threat intelligence (CTI) by establishing a generic vocabulary to describe post-compromise adversary behavior. This paper discusses the results of automated analysis of a sample of 951 Windows malware families, which have been mapped onto the ATT&CK framework. Based on the framework's tactics and techniques we provide an overview of established techniques within Windows malware and of techniques which have seen increased adoption over recent years. Within our dataset we have observed an increase in techniques applied for fileless execution of malware, discovery of security software and DLL side-loading for defense evasion. We also show how a sophisticated technique, command and control (C&C) over IPC named pipes, is being adopted by less sophisticated actor groups. Through these observations we have identified how malware authors are innovating techniques in order to bypass established defenses.

Original language: English
Title of host publication: Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings
Editors: Songqing Chen, Kim-Kwang Raymond Choo, Xinwen Fu, Wenjing Lou, Aziz Mohaisen
Publisher: Springer
Pages: 406-425
Number of pages: 20
Volume: 304
ISBN (Print): 9783030372279
DOIs
Publication status: Published - 2019
Event: 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019 - Orlando, United States
Duration: 23 Oct 2019 to 25 Oct 2019

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 304 LNICST
ISSN (Print): 1867-8211

Conference

Conference: 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019
Country/Territory: United States
City: Orlando
Period: 23/10/19 to 25/10/19

Keywords

  • Advanced persistent threats
  • ATT&CK framework
  • Classification
  • Cyber threat intelligence
  • Malware analysis
