Top 20 Most Common Hacker Behaviors

Top 20 Most Common Hacker Behaviors

By Elizabeth Fichtner

When the OWASP Top 20 Vulnerabilities was first published it revolutionised our industry’s approach to vulnerability management. Instead of playing wack-a-mole with thousands of individual vulnerabilities every time a new one was discovered, we approached vulnerability management by primarily addressing these Top 20 Techniques.

Still considered “advanced”, behavioral detection has just begun to hit the mainstream. But, as the incident response (IR) cases we support continually confirm, adoption is still lagging for 90% of the mid- and SMB market. It’s in no way controversial anymore to state that, in order to detect and stop modern attacks, organisations need to have behavioral monitoring capabilities, especially on the endpoint.

One problem is that we’ve been led to believe that if we adopt behavioral detection, we need to spend a lot to maximise coverage of all the various attacker behaviors. This is a disservice.

Our intention in detection among most organisations (aka, the ones that don’t have a full-time threat intel team) should be to stop focusing on individual, novel attack techniques and concentrate defenses against the Top 20 most commonly observed ATT&CK techniques that are also achievable to monitor. These are the ones that actually matter, and the ones that will catch more bad guys, more often.

The following list is consolidated from our own data and cross-referenced with various forensic reports on observed attacks over the last few years:

TOP 20 ADVERSARY TECHNIQUES:

RankTacticIdTechnique
1ExecutionT1059Command Line Interface / Powershell
2Initial AccessT1078Valid Account Misuse
3DiscoveryT1082System Information Discovery
4PersistenceT1060Registry Run Keys
5Credential AccessT1003Credential Dumping
6Lateral MovementT1021Remote Services
7ExecutionT1055Process Injection
8PersistenceT1053Scheduled Tasks
9Defensive EvasionT1218Signed Binary Proxy Execution
10PersistenceT1547Boot/Logon Autostart Execution (esp. Shortcut Modification)
11ExecutionT1047Windows Management Instrumentation (WMI)
12Defense EvasionT1036Masquerading
13Privilege EscalationT1574Hijack Execution Flow
14Defense EvasionT1027Obfuscated Files or Information
15Defense EvasionT1497Virtualisation/Sandbox Evasion
16Lateral MovementT1544Remote File Copy
17Defense EvasionT1089Disabling Security Tools
18Initial AccessT1190Exploit Public Facing Application
19C2T1219Remote Access Software (e.g. RDP)
20C2T1505Webshells

When it comes to these these behaviors, common doesn’t mean commodity or “less advanced”, these are common because successful attackers use them to evade legacy protection/prevention. These are the techniques the advanced players are using and they are in the hands of the commodity players through frameworks like Cobalt Strike. 

Thus, making your detection capabilities robust against these 20 techniques will deliver more bang for your buck than any other approach while saving you time and money from hunting “Bluebird” techniques and behaviors you’re more than likely not going to see in your one network.

Is Top 20 enough?

Yes!

We respond to a lot of attacks and have been doing threat hunting and response in organisations large and small for over a decade. In that time, there have been very few attacks that don’t exhibit behaviors that overlap with the above list of 20 that you could be monitoring for today.

When SolarWinds Solarigate a.k.a. SUNBURST hit in December 2020, everyone said this was novel; and the entry vector certainly was. Once you dug in though, the same top 20 behaviors could be observed: The novel supply chain vulnerability was used to spawn malicious Powershell (T1059), scripts (T1059), memory injections (T1055), lateral movement (T1544) techniques, and credential dumping (T1003).

When Hafnium hit Exchange Servers using the latest Exchange zero-days we saw the same things: new novel entry vectors leading to many of the same top 20 common behaviors like WebShells (T1505) spawning PowerShell commands (T1059) and injecting Cobalt Strike into memory (T1055).

Everyone effectively monitoring for the top 20 attacker behaviors had the visibility to see these attacks unfold and my prediction is the next big vulnerability will be found by monitoring for them as well. 

Conclusion

Ultimately, the Top 20 approach is an acknowledgment that not all techniques are necessary to alert or monitor to detect attacks. Defense in Depth still works: every tactic and technique you have visibility into is a detection opportunity in the attack chain, and the top 20 is broad enough to cover you against even some of the most advanced attackers. We are all strapped for resources; don’t chase the highest coverage and focus on the top 20. With these 20, there are exceedingly few attacks that could ever get past your notice.

RMM is Key in the Fight Against Ransomware

Take a look at our infographic to learn more about how you can use a sophisticated RMM solution to mitigate ransomware risk.

View the Resource

Suggested Next Reads