PowerShell ranked first among MITRE ATT&CK techniques used by cybercriminals over the past five years, according to a study of approximately 10,000 cyber threats conducted by MSSP Red Canary.
In addition, scripting ranked second among MITRE ATT&CK techniques used by cybercriminals over the past five years, followed by regsvr32, connection proxy and spear phishing attachment.
PowerShell automates tasks that manage operating systems and processes. As such, system administrators frequently use PowerShell, which likely makes the shell and scripting language a popular target for cybercriminals.
Also, PowerShell's source code is readily available worldwide. This ensures hackers can easily access PowerShell's source code to deliver payloads that are difficult to identify and address, Red Canary pointed out.
How to Combat PowerShell Attacks
Security teams should prioritize PowerShell detection, Red Canary recommended. That way, security teams can determine the steps they need to take to consistently detect PowerShell attacks.
Furthermore, security teams should work their way through the most commonly used MITRE ATT&CK techniques. This enables security teams to find ways to minimize the risks associated with scripting, regsvr32 and other prominent MITRE ATT&CK techniques.
What Is MITRE ATT&CK?
MITRE ATT&CK is a global knowledge base of cyberattack techniques based on real world observations. It is available free of charge and often provides a foundation for the development of threat models and methodologies in various industries.
MSSPs can use MITRE ATT&CK to learn about prominent cyberattack techniques and plan accordingly. By doing so, MSSPs can offer services to help customers keep pace with cyberattacks based on MITRE ATT&CK techniques.