Exploitation for privilege escalation surges in Q1 - new report from ReliaQuest
May 2024 by ReliaQuest
ReliaQuest analyzed a select group of true-positive customer incidents that had the potential to result in data breaches or theft (e.g., involving extortion, espionage, custom malware, hands-on-keyboard operations, commodity threats) categorized as “critical security incidents.” We aligned these incidents with the MITRE ATT&CK framework to identify trends and unique behaviors across the kill chain to provide an understanding of the threat landscape.
Phishing, Drive-by Compromise, and Exploitation Remain Top Techniques - The most common initial access technique, holding its top spot from the fourth quarter last year, was phishing with a malicious link (T1566.002), appearing in 27.2% of critical security incidents recorded by ReliaQuest.
Attackers Continue to Prefer PowerShell for Execution - Windows Command Shell or cmd.exe (T1059.003) continues to lead as the top execution technique, accounting for 33.3% of incidents. The next most common execution technique this quarter was PowerShell (T1059.001), often used for malware installation, executing ingressed tools, or hands-on-keyboard activity. PowerShell was used in 19.4% of observed incidents this quarter, moving up from the third spot in the fourth quarter of 2023.
Scheduled Tasks Fall, Registry Keys, and Startup Folder Favored for Persistence - Altering Windows registry keys or adding malware to a startup folder (T1547.001) moved from second to first place this quarter among persistence methods, seen in 34.8% of incidents.
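Detection logic for the T1547.001 persistence pattern described above (Run/RunOnce key changes and Startup folder drops), as an added example that is not part of the ReliaQuest report. The Sysmon-style log lines are constructed and the "key=value | key=value" field layout is an assumption; on a real pipeline the parser would be swapped for the actual event source.

```python
import re

# Constructed, simplified Sysmon-style records (assumption: " | "-separated "key=value"
# fields; EventID 13 = registry value set, EventID 11 = file created).
SAMPLE_LOGS = [
    "EventID=13 | Image=C:\\Windows\\explorer.exe | TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater | Details=C:\\Users\\bob\\AppData\\Roaming\\upd.exe",
    "EventID=13 | Image=C:\\Program Files\\Vendor\\setup.exe | TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent | Details=C:\\Program Files\\Vendor\\agent.exe",
    "EventID=11 | Image=C:\\Windows\\System32\\wscript.exe | TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.js",
    "EventID=11 | Image=C:\\Windows\\explorer.exe | TargetFilename=C:\\Users\\bob\\Documents\\notes.txt",
    "EventID=13 | Image=C:\\Windows\\regedit.exe | TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden | Details=DWORD (0x00000001)",
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\\(wscript|cscript|powershell|mshta|rundll32)\.exe$", re.IGNORECASE)
SCRIPT_EXTS = (".js", ".vbs", ".ps1", ".hta")

def parse_record(line):
    """Split one constructed log line into a dict of its fields."""
    return {k.strip(): v.strip() for k, v in (f.split("=", 1) for f in line.split(" | "))}

def classify(rec):
    """Return a finding for a T1547.001-style record, or None if the record is benign."""
    eid, reasons = rec.get("EventID"), []
    if eid == "13" and RUN_KEY_RE.search(rec.get("TargetObject", "")):
        reasons.append("Run/RunOnce key modified")
        payload = rec.get("Details", "")           # value written = what autostarts
    elif eid == "11" and STARTUP_DIR_RE.search(rec.get("TargetFilename", "")):
        reasons.append("file dropped in Startup folder")
        payload = rec.get("TargetFilename", "")    # the dropped file itself autostarts
    else:
        return None
    severity = "low"  # legitimate installers also write Run keys, so start low
    if USER_WRITABLE_RE.search(payload) or USER_WRITABLE_RE.search(rec.get("Image", "")):
        reasons.append("payload under user-writable path")
        severity = "medium"
    if SCRIPT_HOST_RE.search(rec.get("Image", "")) or payload.lower().endswith(SCRIPT_EXTS):
        reasons.append("script host or script payload")   # SocGholish-style JS drops land here
        severity = "high"
    return {"severity": severity, "reasons": reasons, "record": rec}

def detect_persistence(lines):
    """Run the classifier over raw log lines and keep only the findings."""
    return [hit for hit in (classify(parse_record(line)) for line in lines) if hit]

if __name__ == "__main__":
    for hit in detect_persistence(SAMPLE_LOGS):
        print(hit["severity"], "-", "; ".join(hit["reasons"]))
```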
Exploitation Tops for Privilege Escalation - In the fourth quarter of last year, we most commonly observed the use of valid accounts or exploitation. Citrix Bleed (CVE-2023-4966) exploitation in particular was common; it occasionally granted higher privileges, depending on the target account. In the first quarter of this year, exploitation for privilege escalation (T1068) increased significantly, from 7.1% to 46.6% of incidents involving privilege escalation. This surge is likely due to the two vulnerabilities in ScreenConnect (CVE-2024-1709 and CVE-2024-1708) identified this quarter, which, upon successful exploitation, provided administrator credentials.
Command Obfuscation and LNK Files Used for Defense Evasion - In the last quarter of 2023, we observed command obfuscation and abuse of the Windows RunDLL32 utility as the top defense evasion techniques. Command obfuscation (T1027.010) held its top spot this quarter, appearing in 22.06% of incidents involving defense evasion.
Malware trends - SocGholish shot to the top spot in the first quarter of this year despite having been relatively uncommon in Q4 2023. SocGholish is delivered via drive-by compromise, masquerading as a fake browser update in the form of a malicious JavaScript file. Last quarter, the top spot was occupied by “AsyncRAT,” a remote access trojan, which now sits in second place.