84 percent of attacks now use legitimate tools


New research from Bitdefender shows that 84 percent of high severity attacks are using Living off the Land (LOTL) techniques, exploiting legitimate tools used by administrators.
One of the findings is that the netsh.exe tool -- used for network configuration management -- is the most frequently abused tool, appearing in a third of major attacks. While checking firewall configurations is a logical initial step for attackers, this clearly demonstrates how data analysis can spotlight trends that human operators might instinctively disregard.
Other frequently exploited tools include PowerShell.exe, the command-line shell and scripting language; Reg.exe, a command-line tool that allows administrators to query, change, add, or remove registry entries; and Csc.exe, the Microsoft C# compiler.
The study also highlights the widespread use of PowerShell.exe in business environments. While nearly 96 percent of organizations in the dataset legitimately utilize PowerShell, the expectation was that its execution would be limited primarily to administrators. However, the research detected PowerShell activity on a staggering 73 percent of all endpoints. Further investigation revealed that PowerShell is frequently invoked not only by administrators (for things like logon/logoff scripts), but also by third-party applications running PowerShell code without a visible interface.
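One way to turn these findings into a per-endpoint baseline, as an added example that is not from the report or from Bitdefender: count on how many hosts each named tool ran, and label each execution by its launch context so logon scripts and headless third-party invocations can be separated from cases that need an analyst. The event records, the parent-process sets and the flag list are constructed assumptions.

```python
"""Baseline which Living-off-the-Land binaries run on which endpoints and in what launch
context. EVENTS are constructed sample records (not real telemetry) shaped like an EDR or
Sysmon process-creation log; the parent-process baselines below are assumptions."""
from collections import defaultdict

LOTL_BINARIES = {"netsh.exe", "powershell.exe", "reg.exe", "csc.exe"}  # tools named in the report
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}  # assumed admin use
LOGON_SCRIPT_PARENTS = {"userinit.exe", "gpscript.exe"}  # assumed logon/logoff script hosts
HEADLESS_FLAGS = ("-windowstyle hidden", "-w hidden", "-noninteractive")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed: (host, parent image, image, command line)
    ("ws01", r"C:\Windows\System32\userinit.exe", PS, r"powershell.exe -File \\dc1\netlogon\logon.ps1"),
    ("ws01", r"C:\Program Files\Vendor\updater.exe", PS,
     r"powershell.exe -WindowStyle Hidden -NonInteractive -File C:\ProgramData\Vendor\check.ps1"),
    ("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE\Policies"),
    ("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ("ws03", r"C:\Users\bob\AppData\Local\Temp\setup.exe", r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def tool_prevalence(events):
    """Share of hosts on which each LOTL binary executed (the report's per-endpoint view)."""
    hosts = {e[0] for e in events}
    seen = defaultdict(set)
    for host, _parent, image, _cmd in events:
        if basename(image) in LOTL_BINARIES:
            seen[basename(image)].add(host)
    return {name: round(len(h) / len(hosts), 2) for name, h in seen.items()}

def classify(event):
    """Label a LOTL execution by launch context; anything outside a known-good context is reviewed."""
    _host, parent, image, cmd = event
    name, par, low = basename(image), basename(parent), cmd.lower()
    if name not in LOTL_BINARIES:
        return "not-lotl"
    if par in LOGON_SCRIPT_PARENTS:
        return "logon-script"
    if par in INTERACTIVE_PARENTS:
        return "interactive"
    if name == "powershell.exe" and any(f in low for f in HEADLESS_FLAGS) \
            and parent.lower().startswith(r"c:\program files"):
        return "headless-application"  # the silent third-party invocations the report describes
    return "review"  # e.g. netsh reading firewall config from a user's Temp directory

def review_queue(events):
    return [(e[0], basename(e[1]), basename(e[2])) for e in events if classify(e) == "review"]
```

On the sample data, netsh.exe shows up on two of three hosts and only the copy launched from a Temp-directory installer lands in the review queue; the headless vendor updater is baselined rather than alerted on.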
There are regional differences in tool deployment, for example PowerShell.exe showed a notably lower presence in the Asia-Pacific region, at just 53.3 percent of organizations in the dataset. This stands in sharp contrast to EMEA, where analysis indicates a much higher adoption rate of 97.3 percent.
The report's authors conclude, "Attackers are demonstrably successful in evading traditional defenses by expertly manipulating the very system utilities we trust and rely on daily -- and threat actors operate with a confident assertion of undetectability. This stark reality demands a fundamental shift towards security solutions like Bitdefender's PHASR, which moves beyond blunt blocking to discern and neutralize malicious intent within these tools."
The full report is available on the Bitdefender site.