Mandiant's M-Trends report found that credential theft rose significantly in 2024, driven by the growing use of infostealers.
Analysis Summary
# Tool/Technique: Vulnerability Exploitation (as Initial Access)
## Overview
Vulnerability exploitation has become the most common method for threat actors to gain initial access to target environments in 2024, surpassing phishing according to Mandiant's M-Trends 2025 Report. This technique involves leveraging weaknesses or flaws in software, hardware, or configuration to bypass security controls and establish a foothold.
## Technical Details
- Type: Technique
- Platform: Various (Dependent on the specific vulnerability being exploited, typically targeting internet-facing applications or unpatched systems)
- Capabilities: Gaining unauthorized entry into a system or network by triggering a flaw in an application or operating system.
- First Seen: Ongoing threat, but noted as the top initial access vector in 2024 reporting.
## MITRE ATT&CK Mapping
While vulnerability exploitation is broad, its initial access aspect typically aligns with:
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application**
## Functionality
### Core Capabilities
- Delivering initial payloads onto victim systems via exploitation of known or zero-day vulnerabilities in publicly accessible services (e.g., web servers, VPNs, email gateways).
### Advanced Features
- Malicious exploitation chains targeting specific application logic that may bypass traditional perimeter defenses.
## Indicators of Compromise
*Note: Specific IOCs are not provided in the source, which discusses the trend rather than a specific exploit campaign.*
- File Hashes: N/A (Context dependent)
- File Names: N/A (Context dependent)
- Registry Keys: N/A (Context dependent)
- Network Indicators: Potential irregular traffic patterns or attempts to communicate with known exploit servers or command-and-control infrastructure following successful exploitation.
- Behavioral Indicators: Execution of code in unexpected processes or memory regions indicative of remote code execution following an exploit attempt.
## Associated Threat Actors
- Threat actors across the spectrum, including ransomware groups and nation-state actors, rely on this technique because of its high success rate against vulnerable targets.
## Detection Methods
- Signature-based detection: Signatures for exploit payloads or known exploit traffic patterns.
- Behavioral detection: Monitoring for unexpected process creation, unusual shell command execution, or anomalous network connections originating from vulnerable services.
- YARA rules: Applicable to detecting specific exploit code or initial dropper stages if malware is deployed.
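The behavioral detection described above, written out as an added example (not code from the M-Trends report): it flags process-creation events in which an internet-facing service process spawns a shell or interpreter, with a per-environment allowlist to suppress known maintenance jobs. The service and shell name sets and the sample Sysmon-style events are constructed assumptions.

```python
"""Post-exploitation behaviour detection for internet-facing services (T1190).

Added example, not from the M-Trends report: flags process-creation events in which a
web, application or VPN service process spawns a shell or scripting host, usually the
first observable step after a successful exploit. Events are constructed Sysmon-style
records; the service and shell name sets are assumptions to tune per environment.
"""
# Service binaries that should never spawn interactive shells in normal operation.
SERVICE_PARENTS = {"w3wp.exe", "httpd", "apache2", "nginx", "tomcat", "java", "php-fpm", "node"}
# Shells and interpreters commonly launched by web shells or RCE payloads.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "python", "python3", "perl"}

def basename(path):
    """Executable name from either a Windows or a POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_service_spawned_shells(events, allowlist=frozenset()):
    """Return one alert per service -> shell spawn not covered by the (parent, child) allowlist."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in SERVICE_PARENTS and child in SHELLS and (parent, child) not in allowlist:
            alerts.append({"technique": "T1190", "host": ev["host"], "parent": parent,
                           "child": child, "cmdline": ev["cmdline"]})
    return alerts

# Constructed telemetry: IIS worker spawning cmd, a benign nginx worker, a Java-based
# appliance spawning sh, and a known-good maintenance script under httpd.
SAMPLE_EVENTS = [
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "web02", "parent_image": "/usr/sbin/nginx", "image": "/usr/sbin/nginx",
     "cmdline": "nginx: worker process"},
    {"host": "vpn01", "parent_image": "/usr/bin/java", "image": "/bin/sh", "cmdline": "sh -c id"},
    {"host": "app01", "parent_image": "/usr/sbin/httpd", "image": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/rotate_logs.py"},
]
# Environment-specific exception so the scheduled maintenance job does not alert.
ALLOWLIST = frozenset({("httpd", "python3")})

if __name__ == "__main__":
    for alert in detect_service_spawned_shells(SAMPLE_EVENTS, ALLOWLIST):
        print(alert)
```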
## Mitigation Strategies
- Aggressive patch management for all internet-facing applications and systems.
- Thorough auditing and hardening of public-facing infrastructure.
- Deployment of Web Application Firewalls (WAFs) configured to block common exploit signatures.
- Implementing network segmentation to limit the blast radius of a successful exploit.
## Related Tools/Techniques
- Phishing (T1566) - (Observed decline in usage compared to exploitation and credential theft)
- Valid Accounts (T1078) - (Directly related to the success of credential theft)
***
# Tool/Technique: Stolen/Leaked Credential Usage (as Initial Access)
## Overview
The use of previously compromised or leaked credentials has significantly increased, becoming the second most common initial access vector reported in 2024. This technique relies on threat actors acquiring valid usernames and passwords (often through data breaches, credential stuffing, or infostealers) and using them to log into organizational resources directly.
## Technical Details
- Type: Technique
- Platform: Network services relying on authentication (VPNs, cloud portals, remote desktop services, email systems).
- Capabilities: Bypassing network defenses by authenticating as a legitimate user.
- First Seen: Ongoing threat, significant rise noted between 2023 (10%) and 2024 (16%).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1078 - Valid Accounts**
- T1078.004 - Valid Accounts: Cloud Accounts (Implied broad usage)
- T1078.003 - Valid Accounts: Local Accounts (Less common for initial external access, but possible)
- T1078.002 - Valid Accounts: Domain Accounts (If accessing via RDP/SMB)
## Functionality
### Core Capabilities
- Logging in to remote access services (VPN, SSH, RDP) using stolen credentials.
- Accessing cloud-based resources or webmail via harvested credentials.
### Advanced Features
- Use of credentials harvested by malware (infostealers, keyloggers). Where session cookies or tokens were stolen alongside the password, the actor may also bypass traditional MFA controls, although the primary mechanism here is the login attempt itself.
## Indicators of Compromise
- File Hashes: N/A (Focus is behavioral/network based)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Multiple failed login attempts followed by a successful login from a new or suspicious geographic location or IP address; login attempts using credentials that appear in known breach lists.
- Behavioral Indicators: Successful logins originating from unusual times of day or from IP address ranges not typically associated with the legitimate user.
## Associated Threat Actors
- Virtually all financially motivated and espionage actors utilize this method due to the high success rate when organizations have weak credential hygiene or fail to enforce MFA universally.
## Detection Methods
- Signature-based detection: Less effective unless integrated with threat intelligence regarding known compromised credential lists.
- Behavioral detection: Monitoring for impossible travel scenarios, logins outside established working hours, and high volumes of failed logins preceding a success.
- YARA rules: Not typically applicable for credential theft *usage*.
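The behavioral detections listed above, as an added example that is not part of the original summary: rule 1 catches a burst of failed logins followed by a success from an IP outside the user's known set, rule 2 catches impossible travel between two successes. The events, the speed ceiling, the burst threshold and the per-user known-IP baseline are constructed assumptions; a real pipeline would resolve IP geolocation before this step.

```python
"""Stolen-credential login detection (T1078): added example, not from the M-Trends report.

Rule 1: a burst of failures then a success from an IP outside the user's known set.
Rule 2: impossible travel between two successes. Events are constructed with geo already
resolved; the per-user known-IP baseline is assumed to come from prior login history.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
MAX_KMH, FAIL_BURST, WINDOW_S = 900, 5, 600  # assumed: flight-speed ceiling, burst size, window

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect_credential_abuse(events, known_ips):
    """events: time-ordered dicts (ts, user, ip, result, geo); known_ips: {user: set(ip)}."""
    alerts, last_ok, fails = [], {}, {}
    for ev in events:
        t, u = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["result"] != "ok":
            fails.setdefault(u, []).append(t)
            continue
        # Rule 1: many recent failures, then a success from an IP never seen for this user.
        recent = [f for f in fails.get(u, []) if (t - f).total_seconds() <= WINDOW_S]
        if len(recent) >= FAIL_BURST and ev["ip"] not in known_ips.get(u, set()):
            alerts.append(("burst_then_new_ip", u, ev["ip"]))
        # Rule 2: distance since the previous success implies an implausible speed.
        if u in last_ok:
            prev_t, prev_geo = last_ok[u]
            hours = (t - prev_t).total_seconds() / 3600
            if hours > 0 and haversine_km(prev_geo, ev["geo"]) / hours > MAX_KMH:
                alerts.append(("impossible_travel", u, ev["ip"]))
        last_ok[u], fails[u] = (t, ev["geo"]), []
    return alerts

# Constructed sample (RFC 5737 documentation IPs): alice's baseline is a London address.
KNOWN_IPS = {"alice": {"203.0.113.10"}}
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T08:00:00", "user": "alice", "ip": "203.0.113.10", "result": "ok", "geo": (51.5, -0.12)},
    *[{"ts": f"2024-06-03T08:3{i}:00", "user": "alice", "ip": "198.51.100.7", "result": "fail", "geo": (37.77, -122.42)} for i in range(5)],
    {"ts": "2024-06-03T08:36:00", "user": "alice", "ip": "198.51.100.7", "result": "ok", "geo": (37.77, -122.42)},
    {"ts": "2024-06-03T09:00:00", "user": "bob", "ip": "203.0.113.22", "result": "ok", "geo": (48.85, 2.35)},
]

if __name__ == "__main__":
    print(detect_credential_abuse(SAMPLE_EVENTS, KNOWN_IPS))
```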
## Mitigation Strategies
- Mandatory implementation and enforcement of Multi-Factor Authentication (MFA) across all remote access and critical services.
- Strict monitoring and alerting on new IP addresses associated with established user accounts.
- User education regarding phishing and credential leakage risks.
- Regularly auditing and invalidating credentials found in publicly available data dumps.
## Related Tools/Techniques
- Infostealers (Used to obtain credentials)
- Phishing (Used to trick users into providing credentials)
***
# Technique: Information Stealers / Keyloggers (Mechanism for Credential Acquisition)
## Overview
Keyloggers and information stealers are types of malware used by threat actors to secretly capture credentials, session cookies, and other sensitive data from infected systems. This malware is explicitly mentioned as a mechanism threat actors use to obtain the credentials that fuel the 'Stolen Credential Usage' initial access trend.
## Technical Details
- Type: Malware (Category: Infostealer)
- Platform: Primarily Windows, though cross-platform versions exist.
- Capabilities: Capturing keystrokes, harvesting files, scraping browser data (passwords, cookies), and exfiltrating collected data.
- First Seen: Ongoing threat, highly prevalent in recent years.
## MITRE ATT&CK Mapping
This malware maps primarily to the Credential Access, Collection and Exfiltration tactics, but its *output* directly fuels Initial Access:
- **TA0006 - Credential Access**
- **T1056 - Input Capture**
- T1056.001 - Input Capture: Keylogging
- **T1555 - Credentials from Password Stores**
## Functionality
### Core Capabilities
- Real-time logging of user keystrokes when interacting with sensitive applications.
- Scraping sensitive data stored within web browsers (e.g., Chrome, Firefox).
### Advanced Features
- File exfiltration capabilities, often compressing and encrypting harvested data before sending it to C2 infrastructure.
## Indicators of Compromise
*Note: Specific IOCs are not detailed in the summary, but malware features imply typical IOCs.*
- Behavioral Indicators: Unexpected execution paths for system processes, high outbound data usage from an endpoint that is otherwise idle, or suspicious outbound connections to file-sharing/cloud storage services containing encrypted archives.
## Associated Threat Actors
- Financially motivated groups (e.g., Ransomware affiliates) frequently use infostealers like Vidar, RedLine, and Raccoon Stealer to build inventories of accessible accounts.
## Detection Methods
- Signature-based detection: Signatures for known malware hashes or file markers.
- Behavioral detection: Monitoring for API calls related to input capturing (SetWindowsHookEx), unusual access to browser data directories, or mass file staging prior to outbound transfer.
- YARA rules: Effective for identifying known infostealer binaries.
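The "unusual access to browser data directories" detection above, as an added example that is not from the report or any vendor product: it flags file-access events where a process that is not a browser reads a browser credential or cookie store. The path patterns, the browser allowlist and the sample events are constructed assumptions to tune per environment.

```python
"""Detect non-browser processes reading browser credential and cookie stores.

Added example, not from the M-Trends report: applies the "unusual access to browser
data directories" idea to constructed EDR-style file-access events. Path patterns and
the browser allowlist are assumptions (Windows-centric) to tune per environment.
"""
import re

# Credential and cookie stores that infostealers typically read.
STORE_PATTERNS = [
    re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.*\\(Login Data|Cookies|Web Data)$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|cookies\.sqlite|key4\.db)$", re.I),
]
# Processes that legitimately own those files.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

def is_browser_store(path):
    """True if the path is one of the known credential/cookie store files."""
    return any(p.search(path) for p in STORE_PATTERNS)

def detect_store_access(events):
    """events: dicts with host, image (process path), target (file path). Returns suspicious accesses."""
    hits = []
    for ev in events:
        proc = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if is_browser_store(ev["target"]) and proc not in BROWSERS:
            hits.append({"host": ev["host"], "process": proc, "target": ev["target"],
                         "technique": "T1555.003"})  # Credentials from Web Browsers
    return hits

# Constructed events: the browser itself, an unknown binary in Temp, and unrelated file access.
CHROME_LOGINS = r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_LOGINS = r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd.default-release\logins.json"
SAMPLE_EVENTS = [
    {"host": "ws07", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "target": CHROME_LOGINS},
    {"host": "ws07", "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "target": CHROME_LOGINS},
    {"host": "ws07", "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "target": FIREFOX_LOGINS},
    {"host": "ws07", "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\jdoe\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in detect_store_access(SAMPLE_EVENTS):
        print(hit)
```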
## Mitigation Strategies
- Endpoint Detection and Response (EDR) solutions monitoring system calls indicative of input capturing.
- Application whitelisting to prevent unauthorized executable deployment.
- Disk and process memory scanning for staged data.
## Related Tools/Techniques
- Stolen Credential Usage (T1078)
- Data Exfiltration (TA0010)
***
# Trend: Decline of Phishing as Initial Access Vector
## Overview
Email phishing has seen a marked decline as a primary initial access vector, falling from 22% in 2022 to 14% in 2024. This shift indicates that threat actors are pivoting towards methods offering higher reliability or better evasion against improving email security filters.
## Technical Details
- Type: Trend/Decline in Technique Usage
- Platform: Email systems, leading to initial endpoint compromise.
- Capabilities: Social engineering via email to trick users into clicking links or opening attachments, leading to malware delivery or credential harvesting.
- First Seen: Not applicable (This is a relative trend observation).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1566 - Phishing**
## Functionality
### Core Capabilities
- Delivery of malicious URLs or files via email communication.
### Advanced Features
- N/A (The observed trend is a *decline* in effectiveness or preference).
## Indicators of Compromise
- While phishing itself is declining, successful campaigns often leave IOCs related to the specific delivered payload (e.g., associated ransomware or remote access trojans).
## Associated Threat Actors
- Previously pervasive across all groups, now less central for initial access compared to vulnerability exploitation.
## Detection Methods
- Email Gateways focusing on URL sandboxing and content analysis remain crucial.
## Mitigation Strategies
- Continued investment in advanced email filtering and user training to handle remaining threats.
## Related Tools/Techniques
- Spearphishing Link (T1566.001)
- Spearphishing Attachment (T1566.002)