Q1 2024 Attacker Trends and Mitigations

Key Points

• Phishing, drive-by compromise, and exploitation continue to be the most popular initial access techniques.
• PowerShell remains a preferred method for attackers to execute malware or malicious tools.
• Adversaries are continually employing defense evasion strategies to bypass security controls and detection.
• Exploitation for privilege escalation surged due to several critical severity vulnerabilities released this quarter.
• Organizations need to implement technical controls and ensure adequate logging for detection and response. In depth technical controls and logging recommendations are provided on pages 5 through 7 to counter current attacker trends.

The first quarter of 2024 (Q1 2024) witnessed a series of impactful cybersecurity events, including critical vulnerabilities affecting Ivanti, Citrix, Team City, and ScreenConnect. The ongoing evolution of threat actors continues, notably with the adoption of Python for persistence in the “SocGholish” malware, as reported by ReliaQuest. Additionally, the I-Soon data leak provided rare insight into the operations of a Chinese advanced persistent threat (APT) group, enhancing the cybersecurity community’s understanding of Chinese-state-sponsored actors. A law enforcement operation provided hope that the “LockBit” ransomware group would dissipate, but despite the initial takedown, the group resurfaced and continued its operations.

This Threat Spotlight report highlights growing trends, such as exploitation for initial access and adversaries’ continued use of defense evasion techniques to remain undetected. We provide security teams and executives with insights into attacker behaviors to improve their understanding of the threat landscape. Finally, we’ll provide curated, actionable recommendations to help counter these techniques

Q1 2024 Data Driven Insights

ReliaQuest analyzed a select group of true-positive customer incidents that had the potential to result in data breaches or theft (e.g., involving extortion, espionage, custom malware, hands-on-keyboard operations, commodity threats) categorized as “critical security incidents.” We aligned these incidents with the MITRE ATT&CK framework to identify trends and unique behaviors across the kill chain to provide an understanding of the threat landscape.

MITRE Trends

Phishing, Drive-by Compromise, and Exploitation Remain Top Techniques

Initial access involves an adversary attempting to gain a foothold in an organization’s network. The most common initial access technique, holding its top spot from the fourth quarter last year, was phishing with a malicious link (T1566.002), appearing in 27.2% of critical security incidents recorded by ReliaQuest. Dependent on the attack, the link will either download malware or lead targets to a website to capture credentials. In second place, also maintaining its spot from the fourth quarter of last year, was drive-by compromise (T1189), appearing in 25.7% of incidents. This technique relies on users downloading malware unknowingly from either attacker-owned infrastructure or a compromised legitimate website: Attackers target websites with high search engine rankings to increase their chances of successful malware download. Lastly, the exploitation of public-facing applications (T1190) held its third place spot from last quarter for initial access, turning up in 16.9% of incidents this quarter. This technique involves an adversary targeting a vulnerable, publicly accessible application such as a virtual private network (VPN) gateway and aligns with the frequency of critical vulnerabilities released this quarter.

Attackers Continue to Prefer PowerShell for Execution

After gaining initial access, adversaries then run code or commands on the compromised system. Windows Command Shell or cmd.exe (T1059.00) continues to lead as the top execution technique, accounting for 33.3% of incidents. The use of Windows Command line is common to execute malware or commands post-access for discovery purposes. The next most common execution technique this quarter was PowerShell (T1059.001), often used for malware installation, executing ingressed tools, or for hands-on-keyboard activity. PowerShell was used in 19.4% of observed incidents this quarter, moving up from the third spot in the fourth quarter of 2023. In third, we saw the execution of malicious files (T1204.002) in 11% of incidents, replacing the third-most common technique of Q4 2023, user execution: malicious link. Malicious files are commonly delivered in executable (.exe) or compressed (.zip) formats by a phishing email with an attachment, downloaded via drive-by compromise, or downloaded with a malicious link sent in a phishing email.

Scheduled Tasks Fall, Registry Keys, and Startup Folder Favored for Persistence

Altering Windows registry keys or adding malware to a startup folder (T1547.001) moved from second to first place this quarter among persistence methods, seen in 34.8% of incidents. In Q4 2023, attackers relied on valid domain accounts for persistence. But this quarter, attackers more commonly created accounts (T1136) after gaining access to an environment—their chosen tactic in 13.95% of incidents. Lastly, we observed a rise in the use of web shells (T1505.003) for persistence, observed in 11.63% of incidents. This technique is commonly employed following the exploitation of a web server, whether public-facing or internal.

Exploitation Tops for Privilege Escalation

Once they’ve established persistence, an adversary turns to privilege escalation. In the fourth quarter of last year, we most commonly observed the use of valid accounts or exploitation. Citrix Bleed (CVE-2023-4966) exploitation in particular was common—it occasionally granted higher privileges dependent on the target account. In the first quarter of this year, exploitation for privilege escalation (T1068) increased significantly, from 7.1% to 46.6% of incidents involving privilege escalation. This surge is likely due to the two vulnerabilities in ScreenConnect (CVE-2024-1709 and CVE-2024-1708) identified this quarter, which, upon successful exploitation, provided administrator credentials. Continuing from last quarter, we observed adversaries exploiting valid domain accounts (T1078.002) to escalate privileges in 20% of incidents. In Q1 2024, we observed an uptick in adversaries modifying the Setuid and Setgid bits (T1548.001), a technique used in 6.6% of incidents with privilege escalation observed. Setuid and Setgid bits are file permissions in Linux which can be exploited to execute commands with elevated privileges. The uptick in modifications of Setuid and Setgid bits is likely due to the increase of exploitation for initial access rising due to these devices using the Linux operating system.

Command Obfuscation and LNK Files Used for Defense Evasion

Defense evasion involves the adversary attempting to evade technical controls and detections. In the last quarter of 2023, we observed the use of command obfuscation and abuse of the Windows RunDLL32 utility as the top defense evasion techniques. Holding its top spot was command obfuscation (T1027.010) for defense evasion in 22.06% of incidents. Command obfuscation involves adding characters, strings, and encoding to malware or when executing commands. We then observed LNK icon smuggling (T1027.012) in 10.29% of incidents. Icon smuggling entails hiding the payload in the metadata of shortcut (.lnk) files. The execution of various malware families, such as Gootloader and Dorkbot, involved this behavior during either the initial or subsequent payload downloads. Lastly, we observed files being deleted (T1070.004) by adversaries to remove traces of the intrusion in 7.35% of incidents. This technique was most often used by malware to delete the initial file after successful installation, though we also observed this behavior occurring when an adversary has hands-on-keyboard access and manually deletes files to remove their tracks.

Exploitation for Credential Access Surpasses Keylogging

Credential access involves an adversary attempting to obtain sensitive account credentials. In the last quarter of 2023, the primary methods of credential access we observed were credential theft from password stores, keylogging, and security account manager (SAM) dumping. In Q1 2024, we primarily observed adversaries gaining access to credentials through exploitation (T1212) in 24% of incidents. Credential theft from password stores (T1555), such as web browsers or password managers, fell to the second spot and occurred in 16% of incidents, a tactic often seen in malware infection chains that exfiltrate stolen credentials. Surpassing SAM dumping, access to Linux password storage files “/etc/passwd” and “/etc/shadow” (T1003.008) was noted in 12% of incidents, enabling attackers to conduct password cracking to acquire credentials.

System and Process Discovery Rise in Adoption

Once an adversary gains access to the environment and establishes persistence, they need to identify information like current permissions and accessible remote systems. In Q4 of last year, the top discovery technique we observed was the execution of system owner commands. This quarter, however, system information (T1082) was the most common, deployed in 15.3% of incidents, unveiling details of the current system, including its version, patches, architecture, and more. A formerly less common technique also arose this quarter—the discovery of processes running on a system (T1057)—was observed in 12.8% of incidents, putting it in second place. This technique is common during malware execution to relay back to the attacker what applications are running on the system. Remaining in the third spot from last quarter, discovering domain accounts (T1087.002) occurred in 7.8% of incidents. This technique, often utilized with the Net utility on Windows operating systems, can uncover a list of domain accounts for subsequent attacks.

Internal Phishing and Remote Windows Utilities Abused for Lateral Movement

After gaining a foothold and discovering information about the environment, adversaries aim to compromise other systems to move laterally through the environment. In the last quarter of 2023, we saw attackers largely using server message block (SMB) shares for lateral movement, employing tools such as PsExec. This quarter, the most common technique we observed was internal spearphishing (T1534), in 17.6% of incidents. Surpassing lateral movement with tool transfer, remote desktop protocol (T1021.001) tied with Windows remote management (T1021.006) for the next most common technique at 11.7%. Both techniques exploit Windows utilities to remotely interact with and execute commands on systems.

Malware Trends

• SocGholish – 38.8%
• AsyncRAT – 16.6%
• DorkBot – 11.1%
• GootLoader – 11.1%

ReliaQuest closely monitors the malware featured in all critical security incidents. SocGholish shot to the top spot in the first quarter of this year despite having been relatively uncommon in Q4 2023. SocGholish is delivered via drive-by compromise, masquerading as a fake browser update in the form of a malicious JavaScript file. Last quarter, the top spot was occupied by “AsyncRAT,” a remote access trojan, which now sits in second place. It is primarily distributed in phishing emails as an attachment. “Dorkbot” and “Gootloader” malware were tied for the next most prevalent malware families, surpassing SolarMarker, which was in third place last quarter. Dorkbot is typically introduced to devices via USB, and Gootloader is deployed when users click on phishing links.

Protect Your Organization

Inflicting Pain on the Adversary

To inflict pain on an attacker, slow them down as much as possible while maintaining detection and response capabilities. Having covered the most common adversary techniques, let’s discuss how to effectively hinder a threat actor’s efforts.

Consider technical controls as an addition to defense-in-depth—they serve to restrict the adversary’s abilities throughout their intended kill chain. For example, if SocGholish is successfully downloaded through drive-by compromise, implement a group policy that forces JavaScript files to open in Notepad instead of executing. This strategic move effectively blocks the adversary from gaining execution on the system. Below, we examine a case study to highlight the importance of utilizing technical controls and ensuring adequate visibility.

Case Study: Successful Gootloader Execution

In February 2024, ReliaQuest responded to a detection triggered by obfuscated PowerShell executing in a customer environment.

In this incident, a user received a phishing email containing a Dropbox link. The user clicked the link and downloaded a file named “List of Required items and services.zip,” which contained the shortcut file “List of Required items and services.lnk”. When the user clicked the shortcut file, obfuscated PowerShell executed successfully on the host and downloaded the next stages of Gootloader, including a PDF file with an embedded payload loaded into a Visual Basic Script (VBS) file and executed. We observed the malware making successful outbound connections to its command-and-control (C2) infrastructure and establishing persistence. ReliaQuest quarantined the impacted host until the customer could restore it from a known good backup.

By mapping this incident to the MITRE ATT&CK framework, we observed the following techniques:

Initial Access

• Phishing: Spearphishing Link – 002

Execution

• User Execution: Malicious Link – 001
• User Execution: Malicious File – 002
• Command and Scripting Interpreter: PowerShell – T1059.001
• Command and Scripting Interpreter: Visual Basic – 005
• Command and Scripting Interpreter: Windows Command Shell – 003

Persistence

• Scheduled Task/Job: Scheduled Task – T1053.005

Defense Evasion

• Obfuscated Files or Information: Command Obfuscation – 010
• Obfuscated Files or Information: LNK Icon Smuggling – 012
• Indicator Removal: File Deletion – 004
• Obfuscated Files or Information: Embedded Payloads – 009

Command and Control

• Application Layer Protocol: Web Protocols – 001
• Ingress Tool Transfer – T1105

Main Takeaways

• No technical control policies were in place to hinder or block the attacker, allowing execution, persistence, and C2 activities to proceed successfully. We have previously observed Gootloader used as an initial access tool to facilitate lateral movement, credential access, and data exfiltration. Failing to impose restrictions that hinder a threat actor allows them free rein within a network. Restricting PowerShell execution with Windows Attack Surface Reduction rules (ASR) and Windows Defender Application Control (WDAC) would have prevented Gootloader from being installed successfully.
• Despite the lack of technical controls to prevent the attack chain, the host had sufficient logging, including PowerShell script block logging. This allowed ReliaQuest to detect and respond to the event by isolating the impacted host, emphasizing the critical role of logging in enabling effective responses

Recommendations

Given the importance of technical controls and adequate visibility, we identified several recommendations to enhance your organization’s security posture.

Initial Access

Technical Controls

• Implement Windows Defender Attack Surface Reduction (ASR) rules to block malicious files and harden endpoints. ASR rules can be configured with Intune, Microsoft Configuration Manager, Group Policy, or PowerShell. Rules can be implemented in Audit mode before migrating to Block. In addition, rules can be set to Warn to notify the end user but provide the ability to bypass the block. ReliaQuest recommends the following ASR rule to mitigate initial access:
  • Block executable content from email client and webmail.
• Enable mail flow rules to block messages with executables (.exe), JavaScript files (.js), ZIP files (.zip), and hypertext application (.hta) files.
• Implement a firewall in front of applicable external devices to block malicious traffic.
• Segment externally facing devices at risk for exploitation from the rest of the network with a demilitarized zone (DMZ).

Visibility

• Implement web proxy logging to provide visibility into web traffic.
• Utilize email server logging to enable email event observation.
• Ensure adequate logging is present for firewalls.

Execution

Technical Controls

• ReliaQuest recommends setting the following ASR rules to mitigate execution:
  • Block execution of potentially obfuscated scripts.
  • Block JavaScript or VBScript from launching downloaded executable content.
  • Block Adobe Reader from creating child processes.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • Block untrusted and unsigned processes that run from USB.
• Configure Windows Defender Application Control (WDAC) to the most restrictive level possible. WDAC enables organizations to limit the access and features available to applications and drivers. For example, WDAC forces PowerShell to run in constrained language mode, which severely hinders common malware behavior like loading arbitrary C# code and reflective code loading.
• Use AppLocker to deploy application control policies. Rules can be assigned based on file attributes and assigned to groups or individual users. We recommend using AppLocker to create a whitelist and disallow executables from running, including unauthorized remote management and monitoring (RMM) tools, which are commonly abused by adversaries.
• Verify that current antimalware products are integrated with Windows Antimalware Scan Interface (AMSI). AMSI defends against “fileless malware,” which includes malicious files that are not in executable format (.exe). Fileless malware is favored by all the leading malware families for its ability to evade antivirus detection by avoiding writing malicious files to the system’s disk.
• Ensure PowerShell execution policies are not set to unrestricted or undefined to prevent the execution of malicious scripts.
• Implement a group policy to open JavaScript files (.js) with Notepad by default.
• Visual Basic Script (.vbs) is set to be deprecated and not included in future Windows versions. However, we recommend implementing a group policy to open VBS files with Notepad by default until deprecation.

Visibility

• We recommend the following configurations to provide visibility into PowerShell execution:
  • Upgrade PowerShell to the latest version to implement enhanced logging. Verify that older PowerShell versions are removed to prevent downgrade attacks.
  • Activate PowerShell script block logging to capture both the initial command and the full source of any executed script.
  • Enable module logging to provide more information, including PowerShell pipeline execution.
  • Enable transcription logging to capture all input and output from PowerShell sessions.
• We recommend the following configurations to provide visibility into command lines and processes:
  • Enable process creation auditing.
  • Enable “include command line in process creation events”.

Credential Access

Technical Controls

• We recommend implementing the following ASR rule:
  • Block credential stealing from the Windows Local Security Authority Subsystem Service (lsass.exe).
• Enable Windows Credential Guard using Intune or Group Policy or directly through the registry. Credential Guard isolates the Windows LSASS (lsass.exe), which can be dumped to obtain credentials.
• Disable the ability for users to store passwords in web browsers.
• Encrypt the Windows Domain Controller database file “NTDS.dit” and access control restrictions for this file.
• Deploy antivirus solutions (AV) capable of quarantining successfully dumped (.dmp) files.
• Restrict access to the SAM database file on Windows hosts strictly to authorized users.

Visibility

• Enable Audit SAM access on workstations to monitor for possible credential dumping activities.
• Monitor access attempts to the Windows Domain Controller database file “NTDS.dit”.
• Implement command line logging covered previously and monitor for commands attempting to access lsass.exe.

Lateral Movement

Technical Controls

• The following ASR rule is recommended:
  • Block process creations originating from PSExec and Windows Management Instrumentation (WMI) commands.
• Add firewall rules to restrict WMI, Windows Remote Management (WinRM), remote desktop protocol (RDP), and SMB across segmented networks and limit access to these utilities strictly to authorized accounts only.
• Implement password policies to prohibit password reuse across accounts and enforce complexity.

Visibility

• Ensure that authentication events for RDP are monitored.
• Monitor for the use of WinRM and WMI.
• Ensure Windows Event ID 5145 “A network share object was checked to see whether client can be granted desired access” is actively logged to monitor for suspicious SMB activity.

• Enable Windows Credential Guard using Intune or Group Policy or directly through the registry. Credential Guard isolates the Windows LSASS (lsass.exe), which can be dumped to obtain credentials.
• Disable the ability for users to store passwords in web browsers.
• Encrypt the Windows Domain Controller database file “NTDS.dit” and access control restrictions for this file.
• Deploy antivirus solutions (AV) capable of quarantining successfully dumped (.dmp) files.
• Restrict access to the SAM database file on Windows hosts strictly to authorized users.

Threat Forecast

ReliaQuest forecasts with high confidence that phishing and drive-by downloads will continue to be the primary techniques for initial access in the immediate future because commodity-based malware such as SocGholish relies on these methods for delivery. Financially motivated adversaries will keep exploiting vulnerabilities that provide initial access, capitalizing on the window of opportunity before organizations can implement mitigations or patches. For that reason, it’s important to add technical controls that counter initial access and hinder attackers’ abilities to execute code on systems. Implementing a defense-in-depth model is paramount in the event an adversary gains access to restrict their movements and provide visibility to respond.

What ReliaQuest Is Doing

ReliaQuest actively tracks threat actors’ tactics, techniques, and procedures (TTPs) to provide insights into trends and new behaviours. We use these observations to create custom detection rules to improve customers’ security posture.