Red Report 2025

Between January and December 2024, Picus Labs analyzed 1,094,744 unique files, identifying 1,027,511 (93.86%) as malicious. These files executed 14,010,853 malicious actions, averaging 14 per sample, with 11,984,156 mapped to the MITRE ATT&CK framework. Out of those techniques, we observed the following top 10 techniques being used in the corresponding order: Process Injection, Command and Scripting Interpreter, Credentials from Password Stores, Application Layer Protocol, Impair Defenses, Data Encrypted for Impact, System Information Discovery, Input Capture, Boot or Logon Autostart Execution, and Data from Local System.

Mapping adversaries' TTPs is essential for identifying their attack patterns, including initial access exploits, access control bypass techniques, and other sophisticated methods. By proactively mitigating these security weaknesses—whether through patches, configurations, or other defensive measures—we disrupt the adversary’s kill chain, effectively preventing or delaying their progression. This strategic approach strengthens security posture and reduces the likelihood of a successful breach.

To effectively conduct adversary emulation using the MITRE ATT&CK framework, security teams should first select a threat actor whose tactics, techniques, and procedures (TTPs) align with their organization's threat profile. By mapping these TTPs to the ATT&CK framework, teams can develop detailed emulation plans that replicate the adversary's behavior within a controlled environment. Executing these plans allows organizations to assess their detection and response capabilities against realistic attack scenarios, identify gaps in their defenses, and implement improvements to enhance their overall security posture.

The best way to approach MITRE ATT&CK mapping is to analyze the entire kill chain, from initial access to discovery, credential access, lateral movement, privilege escalation, and impact. The goal is to identify the specific techniques used by the malware or adversary and map each one to the MITRE ATT&CK framework, building a complete picture of the attack. This makes it easier to understand how the attack progresses and where to disrupt it, creating choke points that can stop or slow down the adversary.

Adversaries use info stealer malware to secretly extract sensitive information such as login credentials, financial details, and personal data from compromised systems by leveraging phishing attacks, malicious downloads, and software exploits. Once installed, these malware variants harvest data from browsers, email clients, and stored credentials, often incorporating keylogging and clipboard monitoring. The stolen data is then exfiltrated to attacker-controlled servers via encrypted channels, enabling cybercriminals to use it for financial fraud, identity theft, or to sell on the dark web, posing serious risks to individuals and organizations alike.

Process injection is a technique where attackers execute malicious code within the address space of a legitimate process, allowing them to evade detection and potentially gain elevated privileges. This method enables adversaries to mask their activities under the guise of trusted processes, making it challenging for security systems to identify malicious behavior. To mitigate process injection, organizations should implement application control solutions like AppLocker or Windows Defender Application Control, which prevent unauthorized code execution. Additionally, enabling features such as Windows Defender Exploit Guard's Arbitrary Code Guard and Export Address Filtering can further protect against these attacks. Regular monitoring of process behaviors and employing endpoint detection and response (EDR) tools can also aid in identifying and responding to injection attempts.