In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers to gain a foothold on target systems. The Mitre ATT&CK framework is a taxonomy of adversary TTPs. It is meant to advance cyber threat intelligence (CTI) by establishing a generic vocabulary to describe postcompromise adversary behavior. This paper discusses the results of automated analysis of a sample of 951 Windows malware families, which have been plotted on the ATT&CK framework. Based on the framework’s tactics and techniques we provide an overview of established techniques within Windows malware and techniques which have seen increased adoption over recent years. Within our dataset we have observed an increase in techniques applied for ﬁleless execution of malware, discovery of security software and DLL side-loading for defense evasion. We also show how a sophisticated technique, command and control (C&C) over IPC named pipes, is getting adopted by less sophisticated actor groups. Through these observations we have identiﬁed how malware authors are innovating techniques in order to bypass established defenses.
Supplementary notes can be added here, including code and math.