
SoK: ATT&CK Techniques and Trends in Windows Malware

  • Conference paper

Abstract

In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers seeking a foothold on target systems. The Mitre ATT&CK framework is a taxonomy of adversary TTPs, intended to advance cyber threat intelligence (CTI) by establishing a common vocabulary for describing post-compromise adversary behavior. This paper presents the results of an automated analysis of a sample of 951 Windows malware families, each mapped onto the ATT&CK framework. Using the framework's tactics and techniques, we give an overview of techniques that are well established within Windows malware and of techniques whose adoption has grown in recent years. Within our dataset we observe increased use of fileless execution, discovery of security software, and DLL side-loading for defense evasion. We also show how a sophisticated technique, command and control (C&C) over IPC named pipes, is being adopted by less sophisticated actor groups. From these observations we identify how malware authors innovate on techniques in order to bypass established defenses.
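The abstract describes two steps: mapping sandbox-observed malware behaviour onto ATT&CK techniques, and comparing technique prevalence across years to find rising adoption. The Python script below is an added example of that style of analysis and is not the authors' tooling. The behaviour tags (such as api:WriteProcessMemory), the mapping rules, and the nine families in FAMILIES are all constructed for illustration; the technique IDs are current ATT&CK sub-technique IDs rather than the 2018-era IDs the paper worked with, and filing named-pipe C&C under T1090.001 (Internal Proxy) is one defensible choice, not the paper's.

```python
"""Map sandbox-observed malware behaviours onto ATT&CK technique IDs and
compute per-year technique prevalence to surface adoption trends.

Added example, not the paper's own tooling. The behaviour tags, the rule
set and the nine families in FAMILIES are constructed for illustration;
the technique IDs are current ATT&CK sub-technique IDs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Technique ID -> predicate over the set of behaviour tags a sandbox run
# produced. Tags like "api:WriteProcessMemory" are hypothetical report labels.
RULES: Dict[str, Callable[[FrozenSet[str]], bool]] = {
    # fileless execution through the PowerShell interpreter
    "T1059.001": lambda b: "exec:powershell" in b,
    # remote-thread process injection needs both primitives in one run
    "T1055": lambda b: {"api:WriteProcessMemory", "api:CreateRemoteThread"} <= b,
    # DLL side-loading: a legitimate host binary loads the attacker's DLL
    "T1574.002": lambda b: "load:dll_sideload" in b,
    # security software discovery: any probe for an AV/EDR product
    "T1518.001": lambda b: any(t.startswith("discover:av:") for t in b),
    # C&C relayed over SMB named pipes (ATT&CK files this under Internal Proxy)
    "T1090.001": lambda b: "ipc:named_pipe_c2" in b,
    # debugger / virtual machine checks
    "T1497": lambda b: "api:IsDebuggerPresent" in b or "check:vm_artifacts" in b,
}


@dataclass(frozen=True)
class Family:
    name: str
    first_seen: int              # year the family was first observed
    behaviours: FrozenSet[str]   # tags from the (hypothetical) sandbox report


def map_family(fam: Family) -> List[str]:
    """Sorted ATT&CK technique IDs whose rule fires on this family."""
    return sorted(tid for tid, rule in RULES.items() if rule(fam.behaviours))


def prevalence_by_year(families: List[Family]) -> Dict[int, Dict[str, float]]:
    """For each year, the fraction of families first seen that year which
    exhibit each technique (0.0 for techniques never seen that year)."""
    per_year: Dict[int, List[Family]] = defaultdict(list)
    for fam in families:
        per_year[fam.first_seen].append(fam)
    result: Dict[int, Dict[str, float]] = {}
    for year, fams in sorted(per_year.items()):
        hits = Counter(tid for fam in fams for tid in map_family(fam))
        result[year] = {tid: hits[tid] / len(fams) for tid in RULES}
    return result


def rising_techniques(families: List[Family], min_delta: float = 0.25) -> List[str]:
    """Techniques whose prevalence grew by at least min_delta between the
    earliest and latest year in the dataset, largest increase first."""
    prev = prevalence_by_year(families)
    first, last = min(prev), max(prev)
    deltas = {tid: prev[last][tid] - prev[first][tid] for tid in RULES}
    ranked = sorted(deltas.items(), key=lambda kv: -kv[1])
    return [tid for tid, d in ranked if d >= min_delta]


# Constructed dataset: nine fictitious families over three years.
def _fam(name: str, year: int, *tags: str) -> Family:
    return Family(name, year, frozenset(tags))


FAMILIES = [
    _fam("fam_a", 2016, "api:WriteProcessMemory", "api:CreateRemoteThread", "api:IsDebuggerPresent"),
    _fam("fam_b", 2016, "api:WriteProcessMemory", "api:CreateRemoteThread", "persist:run_key"),
    _fam("fam_c", 2016, "check:vm_artifacts"),
    _fam("fam_d", 2017, "exec:powershell", "discover:av:Defender"),
    _fam("fam_e", 2017, "api:WriteProcessMemory", "api:CreateRemoteThread"),
    _fam("fam_f", 2017, "load:dll_sideload", "api:IsDebuggerPresent"),
    _fam("fam_g", 2018, "exec:powershell", "discover:av:Kaspersky", "ipc:named_pipe_c2"),
    _fam("fam_h", 2018, "load:dll_sideload", "discover:av:Defender",
         "api:WriteProcessMemory", "api:CreateRemoteThread"),
    _fam("fam_i", 2018, "exec:powershell", "ipc:named_pipe_c2"),
]

if __name__ == "__main__":
    for fam in FAMILIES:
        print(f"{fam.name} ({fam.first_seen}): {', '.join(map_family(fam))}")
    for year, prev in prevalence_by_year(FAMILIES).items():
        print(year, {tid: round(p, 2) for tid, p in prev.items() if p})
    print("rising:", rising_techniques(FAMILIES))
```

On the constructed data the script reports fileless PowerShell execution, security software discovery, named-pipe C&C and DLL side-loading as rising, and process injection and sandbox evasion as flat or falling, which is the shape of result the abstract describes. Two caveats carry over to real data: a rule that keys on a single API call will over-count (the T1055 rule demands both injection primitives for that reason), and prevalence per first-seen year is sensitive to how many families each year contributes, so small years should be merged or confidence-bounded before a trend is claimed.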



Acknowledgments

The authors would like to thank the maintainers of Malpedia for providing access to their malware repository and Joe Security for provisioning the sandbox infrastructure. The authors would like to thank VirusTotal for providing access to their API. The ATT&CK mapping built for this research has been shared with Joe Security to develop ATT&CK mapping within their product.

Corresponding author

Correspondence to Kris Oosthoek.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Oosthoek, K., Doerr, C. (2019). SoK: ATT&CK Techniques and Trends in Windows Malware. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_20

  • DOI: https://doi.org/10.1007/978-3-030-37228-6_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37227-9

  • Online ISBN: 978-3-030-37228-6