The following chart represents the most prevalent MITRE ATT&CK® techniques observed in confirmed threats across the Red Canary customer base in 2022. To briefly summarize what’s explained in detail in the Methodology section, we have a library of roughly 3,500 detection analytics that we use to surface potentially malicious and suspicious activity across our customers’ environments. These are mapped to corresponding MITRE ATT&CK techniques whenever possible, allowing us to associate the behaviors that comprise a confirmed threat detection with the industry standard for classifying adversary activity.
When counting techniques, we filter out detections associated with potentially unwanted programs and authorized testing in order to make this list as reflective of actual adversary behavior as possible.
In addition to the top 10, read our analysis of these six featured techniques:
T1112: Modify Registry
T1553.001: Gatekeeper Bypass
T1553.005: Mark-of-the-Web Bypass
T1548.001: Setuid and Setgid
T1021.002: SMB/Windows Admin Shares
T1621: Multi-Factor Authentication Request Generation
What’s included in this section?
We’ve written extensive analyses of 16 ATT&CK techniques and sub-techniques. Each technique-specific section includes:
- analysis of how and why adversaries leverage a given technique
- descriptions of data sources that offer visibility into the technique
- guidance on the tooling or logs that will enable you to collect those data sources
- specific examples of how you can use that telemetry to detect adversaries abusing the technique
- individual tests for emulating how adversaries abuse the technique to validate that you can observe or detect it
- mitigation advice for limiting an adversary’s ability to abuse the technique
How to use our analysis
Implementing the guidance in this report will help security teams improve their defense-in-depth against the adversary actions that often lead to a serious incident. Readers will gain a better understanding of common adversary actions and what’s likely to occur if an adversary gains access to your environment. You’ll learn what malicious looks like in the form of telemetry and the many places you can look to find that telemetry. You’ll gain familiarity with the principles of detection engineering by studying our detection opportunities. At a bare minimum, you and your team will be armed with hyper-relevant and easy-to-use Atomic Red Team tests that you can leverage to ensure that your existing security tooling does what you think it’s supposed to do. More strategically, this report can help you identify gaps as you develop a road map for improving coverage, and you can assess your existing sources of collection against the ones listed in this report to inform your investments in new tools and personnel.