How Attackers Run Harmful Code and How to Stop Them

Let’s talk about something critical for any organization today: understanding how attackers actually run harmful code on target systems and what you can do to stop them. Imagine an attacker has already managed to get inside your network—what’s next? Their aim now is to execute code that lets them control systems, move across networks, and potentially steal data. This is where the MITRE ATT&CK framework becomes helpful, as it maps out the main ways attackers run code on systems.

Here’s a rundown of the techniques attackers commonly use to run harmful code—and just as importantly, the steps you can take to counter each of these moves.

Remote Code Execution (RCE)

First up, Remote Code Execution. Attackers often use RCE vulnerabilities to run code from a remote location by taking advantage of weaknesses in your applications. This lets them run commands, deploy malware, or even gain administrative control without physical access.

Regular vulnerability scans and prompt patching are your best friends here. Keep applications and systems updated, and don’t overlook network segmentation—it limits the blast radius if something gets compromised.

Command and Scripting Interpreters

Attackers love using command-line interpreters like PowerShell or Bash. These tools let them run automated tasks, gather data, and keep control over compromised systems. PowerShell is particularly popular because it’s powerful and often trusted in Windows environments.

Limit who can access these tools. Set up logging for PowerShell, and restrict script execution. Regularly monitor command-line activity to catch any suspicious commands early.

Scheduled Task/Job

Attackers might set up scheduled tasks on Windows or cron jobs on Unix/Linux to execute their code at certain times or intervals. This tactic is especially useful if they want to keep their activity under the radar.

Make it a habit to review scheduled tasks and cron jobs. Look out for anything unauthorized or out of the ordinary, and set up policies to restrict who can create these tasks.

Process Injection

Process injection is all about stealth. Attackers inject their malicious code into legitimate processes, so it blends in and becomes harder to spot. This also often gives them elevated privileges.

Endpoint Detection and Response (EDR) tools are your go-to here. They can detect abnormal behavior in processes. You can also enable memory protections like DEP and ASLR, which make injection attacks trickier to pull off.

Masquerading

Sometimes attackers disguise their malicious files as trusted ones by changing names, icons, or locations. They aim to make their code look like a legitimate part of your system.

Use file integrity monitoring to detect changes in file attributes. Application whitelisting is another great tool to restrict execution to only authorized files.

DLL Sideloading

In DLL sideloading, attackers trick applications into loading malicious DLLs instead of legitimate ones, often by taking advantage of how programs search for libraries.

Limit permissions in directories where DLLs are loaded and keep software sources trusted. Regularly monitor for any strange DLL activity, and keep an updated software inventory to catch unexpected changes.

Exploiting Application Layer Protocols

Attackers can also exploit protocols like SMB and RDP, using them to execute malicious code. By hiding within these trusted protocols, they make their activities blend into regular network traffic.

Network segmentation and strict access control are essential here. Watch for unusual traffic in these protocols, and use Intrusion Detection Systems (IDS) to catch suspicious protocol usage.

User Execution

Social engineering is still very effective. Here, attackers trick users into running malicious files, often by embedding code in documents or luring them to click dangerous links.

This one’s all about user education. Train employees to spot phishing and suspicious attachments. Disable macros whenever possible, and have endpoint protection that scans files in real time.

Abusing Trusted Developer Utilities

Some attackers use legitimate developer tools, like MSBuild or certutil, to sneak past security. These trusted utilities can be exploited to load malicious code without detection.

Restrict access to these tools and monitor for unusual activity. EDR tools can alert you if these developer utilities are used in unexpected ways.

Scripting Languages and Payloads

Attackers often use scripting languages like JavaScript or VBA in documents and web pages to launch their payloads, which can evade traditional antivirus tools.

Disable unnecessary scripting features like Office macros. Strengthen browser security and set up filtering for web-based scripts. Regular monitoring of script activity across your network is crucial.

Building Your Defense Strategy

So, what’s the overall game plan? Here are the key areas to focus on:

• Endpoint Protection and EDR: These tools monitor processes, detect anomalies, and catch suspicious activity early.
• User Awareness and Training: Regular training on recognizing phishing and malicious files goes a long way.
• Application Whitelisting: Only allow trusted applications to run, limiting the risk of rogue code execution.
• Network Segmentation and Monitoring: Isolate critical systems and monitor traffic to catch any unusual behavior.
• Regular Patching: Patch and update all software regularly to close gaps attackers might exploit.

By understanding these techniques and taking targeted actions, you’re making it much harder for attackers to get their code running in your network. It’s all about staying one step ahead and maintaining a resilient, secure environment.