Abstract
In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers to gain a foothold on target systems. The MITRE ATT&CK framework is a taxonomy of adversary TTPs. It is meant to advance cyber threat intelligence (CTI) by establishing a generic vocabulary to describe post-compromise adversary behavior. This paper discusses the results of automated analysis of a sample of 951 Windows malware families, which have been plotted on the ATT&CK framework. Based on the framework's tactics and techniques, we provide an overview of established techniques within Windows malware and of techniques which have seen increased adoption over recent years. Within our dataset we have observed an increase in techniques applied for fileless execution of malware, discovery of security software, and DLL side-loading for defense evasion. We also show how a sophisticated technique, command and control (C&C) over IPC named pipes, is being adopted by less sophisticated actor groups. Through these observations we have identified how malware authors are innovating techniques in order to bypass established defenses.
Acknowledgments
The authors would like to thank the maintainers of Malpedia for providing access to their malware repository and Joe Security for provisioning the sandbox infrastructure. The authors would like to thank VirusTotal for providing access to their API. The ATT&CK mapping built for this research has been shared with Joe Security to develop ATT&CK mapping within their product.
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Oosthoek, K., Doerr, C. (2019). SoK: ATT&CK Techniques and Trends in Windows Malware. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_20
DOI: https://doi.org/10.1007/978-3-030-37228-6_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37227-9
Online ISBN: 978-3-030-37228-6
eBook Packages: Computer Science (R0)