Get Off the Rat Wheel: The Top 10 Techniques Haven't Changed in a Decade
The same techniques that dominated breach reports in 2019 are still topping the charts in 2026, and most of them are blockable today. Three major threat reports, one conclusion: we keep detecting what we could be preventing. A response to the "detection is mandatory" crowd - with receipts.

The post that set this off
An executive of a detection-engineering company bravely posted a take this week that's become almost ritual in our industry:
"Prevention is ideal. Detection is mandatory… I'm not waiting for prevention to save me. The rate of change is so awesome - the sheer number of new technologies, new attack surfaces, new ways things can break. Prevention can't keep up. So the question isn't 'can we prevent this?' It's how fast can we detect it."
He invited debate. So let's debate.
The argument sounds reasonable on its face. Controls fail. Systems drift. Enterprises change faster than they can secure. All true. But the conclusion, "therefore lean harder into detection," is exactly the loop that's kept our industry running in place for ten years. It's the rat wheel, and the data says we're still on it.
Here's the part nobody wants to sit with: the techniques that actually hurt enterprises are the same techniques that hurt them in 2019, 2021, 2023, and 2025. They're enumerated in public GitHub repos. They're versioned. They have APIs. And most of them are blockable today with tooling that already ships with Windows.
We're not writing detections because we have to. We're writing detections because we've convinced ourselves prevention is impossible, while the evidence stacks up in the other direction every year.
Three reports. One list. (And a five-year aggregated receipt.)
I pulled the last several years of the three most-cited threat reports in the industry, including the brand-new CrowdStrike 2026 Global Threat Report and Red Canary 2026 Threat Detection Report. Different telemetry. Different customer bases. Different methodologies. Same answer.
Mandiant M-Trends
The M-Trends 2024 report, which analyzed Mandiant's frontline IR engagements across 2023, was explicit: the top 10 most frequently observed ATT&CK techniques showed little variance over the last several years, and Command and Scripting Interpreter (T1059) appeared in more than half of all investigations. (M-Trends 2024, PDF)
The 2025 edition doubled down. Mandiant called out living-off-the-land via legitimate admin tools - SimpleHelp, AnyDesk, and other RMM platforms - as the hard-to-detect pattern they see repeatedly on engagements, specifically noting attackers deploying SimpleHelp as persistence after exploiting FortiClient EMS and then selling access through broker networks. (Mandiant M-Trends 2025 analysis)
Red Canary Threat Detection Report 2026
Red Canary's 2026 TDR - built on telemetry from 1,700+ organizations - confirms the list is stubbornly stable. The 2026 top 10 techniques: Cloud Accounts, PowerShell, Windows Command Shell, Data From Cloud Storage, Ingress Tool Transfer, Email Forwarding Rule, WMI, Malicious Copy and Paste, Email Hiding Rules, and Obfuscated Files or Information. (Red Canary 2026 Threat Detection Report)
Five of those ten are the same Windows-native execution primitives that LOLBAS has catalogued for years: PowerShell, cmd.exe, WMI, Malicious Copy and Paste (the ATT&CK home for ClickFix / paste-and-run, which lands as powershell.exe or wscript.exe execution), and Obfuscated Files. And on the threats side, NetSupport Manager climbed to #4. A legitimate RMM tool cracked the top five of the most prevalent threats Red Canary sees in enterprise environments.
CrowdStrike 2026 Global Threat Report - "Year of the Evasive Adversary"
CrowdStrike's 2026 GTR, pulled from Falcon platform telemetry, puts hard numbers on what every IR team has been screaming about: 82% of detections in 2025 were malware-free, up from 51% in 2020. (CrowdStrike 2026 Global Threat Report)
And the clock is collapsing:
- Average eCrime breakout time: 29 minutes in 2025, down from 98 minutes in 2021, roughly a 70% reduction in four years.
- Fastest breakout observed: 27 SECONDS!!!

Read that chart and then ask yourself honestly: what MTTD target can your SOC actually hit? 30 minutes? 15? Five? Because at 29 minutes average and 27 seconds at the tail, detect-and-respond isn't a strategy anymore; it's a coin flip. The only layer of defense that operates on the right timescale is the one that refuses to let the execution happen in the first place.
- CHATTY SPIDER - a vishing-driven eCrime group - went from initial access to attempted data exfiltration in four minutes. The access vector? Social-engineering a law firm employee into granting Microsoft Quick Assist, then pulling down WinSCP and pivoting to Google Drive when the firewall blocked the first exfil attempt.
- PUNK SPIDER ran 198 intrusions CrowdStrike observed in 2025 - a 134% year-over-year jump - and their signature move is remote SMB encryption from unmanaged hosts. In one engagement, they launched Akira ransomware from an unpatched corporate webcam. A webcam. Running ransomware.
- SCATTERED SPIDER continued their 2024 playbook: help-desk vishing for self-service password resets, VMware ESXi-only ransomware deployment, and dumping Active Directory ntds.dit by mounting domain-controller virtual disks onto brand-new unmanaged VMs inside vCenter. Entire intrusion from first help-desk call to NTDS extraction: three hours, with exactly one touch of a managed endpoint.
The RMM story is the part that should end the detection-first debate on its own. CrowdStrike's own LOTL blog from late 2025 documented a single adversary dropping 30+ different RMM tools into one environment so that if one got caught, the others would survive. (CrowdStrike - How CrowdStrike Stops Living-off-the-Land Attacks)
The five-year receipts: Splunk SURGe's Macro ATT&CK dataset
If three reports aren't enough, here are four - aggregated across five years.
Splunk's SURGe research team has been maintaining a running project called Macro ATT&CK, which pulls top-technique reporting from Mandiant M-Trends, Red Canary's Threat Detection Report, the MITRE Center for Threat-Informed Defense (CTID) Sightings Ecosystem, and CISA public alerts, then normalizes them into a single consensus list. The dataset is public on GitHub and now contains more than 2,400 observations of techniques and sub-techniques tied to real cyber incidents across five years of reporting. (Splunk SURGe - Macro ATT&CK 2024: A Five-Year Perspective · GitHub: splunk/macro-level-attack-trending)
Here's the finding that should stop the debate cold:
The consensus top techniques - the ones ranked in the top 15 by at least three of four independent reporting organizations - have been used, on average, in more than 20% of all cyber incidents over the past five years. (Splunk SURGe - Macro ATT&CK for a TTP Snack)
Twenty percent. Per technique. Across five years. Four orgs, four different customer bases, four different ways of counting. Same list.
And the list? Same faces. Command and Scripting Interpreter (T1059 - PowerShell, cmd.exe, bash). Exploitation of Public-Facing Applications (T1190). File and Directory Discovery (T1083). Scheduled Task/Job (T1053). Valid Accounts (T1078). OS Credential Dumping (T1003). Ingress Tool Transfer (T1105). Obfuscated Files or Information (T1027). The Splunk team specifically called out attacker command-line interpreter preference - PowerShell's dominance, the steady rise of bash and Python - as a key dimension of the five-year trend.
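To make the consensus rule concrete, here is an added example (not SURGe's code) that applies it as the post describes it: a technique makes the list when at least three of four sources rank it inside their top 15, and the "share of incidents" figure is then computed over per-incident sightings. The four rankings and the incident observations are constructed stand-ins, not the real report data, and each ranking is truncated to eight entries for brevity.

```python
"""Consensus-ranking arithmetic in the style of Splunk SURGe's Macro ATT&CK.

Added example, not SURGe's code. A technique enters the consensus list when at
least THRESHOLD of the reporting sources rank it inside their top TOP_N. The
rankings and incident observations below are constructed stand-ins, not the
real M-Trends / Red Canary / CTID / CISA data.
"""
from collections import defaultdict

TOP_N = 15      # "ranked in the top 15 ..."
THRESHOLD = 3   # "... by at least three of four independent reporting organizations"

# Constructed per-source rankings, rank 1 first, truncated to eight entries
# each for brevity (so every entry sits inside the top 15).
SOURCES = {
    "M-Trends":   ["T1059", "T1190", "T1078", "T1003", "T1053", "T1083", "T1105", "T1027"],
    "Red Canary": ["T1078", "T1059", "T1105", "T1027", "T1047", "T1053", "T1204", "T1003"],
    "CTID":       ["T1059", "T1053", "T1105", "T1003", "T1027", "T1078", "T1566", "T1083"],
    "CISA":       ["T1190", "T1059", "T1078", "T1566", "T1003", "T1105", "T1486", "T1021"],
}

# Constructed (incident_id, technique) sightings across ten incidents.
OBSERVATIONS = [
    ("inc-01", "T1059"), ("inc-01", "T1078"), ("inc-01", "T1105"),
    ("inc-02", "T1059"), ("inc-02", "T1003"),
    ("inc-03", "T1190"), ("inc-03", "T1059"), ("inc-03", "T1053"),
    ("inc-04", "T1078"), ("inc-04", "T1105"),
    ("inc-05", "T1566"), ("inc-05", "T1059"), ("inc-05", "T1027"),
    ("inc-06", "T1059"), ("inc-06", "T1003"), ("inc-06", "T1053"),
    ("inc-07", "T1190"), ("inc-07", "T1486"),
    ("inc-08", "T1078"), ("inc-08", "T1003"),
    ("inc-09", "T1059"), ("inc-09", "T1047"),
    ("inc-10", "T1566"), ("inc-10", "T1105"), ("inc-10", "T1027"),
]


def consensus(sources, top_n=TOP_N, threshold=THRESHOLD):
    """Return [(technique, votes, mean_rank)] for every technique placed in the
    top `top_n` by at least `threshold` sources, best-supported first."""
    ranks = defaultdict(list)
    for ranking in sources.values():
        for rank, tech in enumerate(ranking[:top_n], start=1):
            ranks[tech].append(rank)
    rows = [(tech, len(r), sum(r) / len(r)) for tech, r in ranks.items() if len(r) >= threshold]
    # More sources agreeing beats a better average rank; the technique ID breaks ties.
    rows.sort(key=lambda row: (-row[1], row[2], row[0]))
    return rows


def incident_share(observations):
    """Fraction of distinct incidents in which each technique was observed."""
    incidents = {inc for inc, _ in observations}
    seen = defaultdict(set)
    for inc, tech in observations:
        seen[tech].add(inc)
    return {tech: len(incs) / len(incidents) for tech, incs in seen.items()}


def average_share(techniques, shares):
    """Mean incident share over a list of techniques (the 'more than 20%' figure)."""
    return sum(shares.get(t, 0.0) for t in techniques) / len(techniques)


def jaccard(a, b):
    """Overlap of two consensus lists; 1.0 means the list did not move at all."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b)


if __name__ == "__main__":
    rows = consensus(SOURCES)
    ids = [tech for tech, _, _ in rows]
    shares = incident_share(OBSERVATIONS)
    for tech, votes, mean_rank in rows:
        print(f"{tech}  sources={votes}  mean_rank={mean_rank:.2f}  incidents={shares.get(tech, 0):.0%}")
    print(f"average incident share of consensus techniques: {average_share(ids, shares):.1%}")
    # Constructed "previous year" consensus list, to show how stability is measured.
    last_year = ["T1059", "T1078", "T1105", "T1003", "T1053", "T1190"]
    print(f"overlap with last year's list: {jaccard(ids, last_year):.2f}")
```

With the constructed inputs, T1190 is ranked by only two sources and drops out even though one of them puts it at #1; that is the point of the three-of-four rule, which rewards agreement across telemetry rather than a single source's ranking.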
The Macro ATT&CK work goes back further too. The original 2022 post ("Zoom. Enhance!") asked the same question with three years of data. The 2023 update ("Revisiting the Big Picture") asked it with four. The 2024 update ("A Five-Year Perspective") asked it with five. Every single one of them found the same answer: the consensus top techniques are stable, the command-line interpreters are stable, and the list you'd write detections for in 2020 is substantially the list you'd write detections for in 2025.
That's not a failure of threat intelligence. That's a loud, five-year, four-source signal that the industry keeps reporting the same techniques because adversaries keep using them - and defenders keep rebuilding detections for them instead of blocking them. Splunk even shipped a "Macro ATT&CK Top 20" benchmark inside Splunk Security Essentials so orgs could measure their coverage against the consensus list. The benchmark exists because the list exists. The list exists because it hasn't moved.
If you're still in the detection-first camp, you have to explain why - with 2,400+ observations across five years of four-source consensus, with a named top-20 stable list, with an entire SURGe research project dedicated to publishing "the things adversaries keep doing" - the industry still treats blocking those things as somehow impractical or controversial.
It isn't impractical. It's inconvenient for the business model.
The overlap matrix
Boil all three reports down and here's what's actually on the top-technique lists, year after year:
| Technique / Tool | Mandiant M-Trends | Red Canary TDR 2026 | CrowdStrike GTR 2026 | Catalogued in |
|---|---|---|---|---|
| PowerShell (T1059.001) | ✅ Top 10, years running | ✅ #2 | ✅ Core LOTL | LOLBAS |
| Windows Command Shell (T1059.003) | ✅ Top 10 | ✅ #3 | ✅ Core LOTL | LOLBAS |
| WMI / wmic (T1047) | ✅ Observed | ✅ #7 | ✅ Observed | LOLBAS |
| Malicious Copy and Paste / ClickFix (T1204.004) | ✅ Observed | ✅ #8 (new) | ✅ 563% YoY surge in fake CAPTCHA lures | LOLBAS (payload lands as PowerShell/wscript) |
| Obfuscated Files or Information (T1027) | ✅ Observed | ✅ #10 | ✅ Observed | - |
| Mshta (T1218.005) | ✅ Observed | ✅ Returned to top 10 in 2025 | ✅ Observed | LOLBAS |
| Rundll32 (T1218.011) | ✅ Observed | ✅ Recurring top 10 | ✅ Observed | LOLBAS |
| Regsvr32 (T1218.010) | ✅ Observed | ✅ Observed | ✅ Observed | LOLBAS |
| Scheduled Task (T1053.005) | ✅ Observed | ✅ Recurring top 10 | ✅ Observed | LOLBAS |
| RMM tool abuse (NetSupport, Quick Assist, AnyDesk, TeamViewer, ScreenConnect) | ✅ Named explicitly | ✅ NetSupport Manager = #4 threat overall | ✅ CHATTY SPIDER via Quick Assist; 30+ RMMs in one engagement | LOLRMM |
| BYOVD - vulnerable drivers | ✅ Observed | ✅ Observed | ✅ Observed | LOLDrivers |
| Signed-malware / cert abuse | ✅ Observed | ✅ Observed | ✅ Observed | Cert Graveyard |
| Malicious bootloaders | ✅ Observed | ✅ Observed | ✅ Observed | Bootloaders.io |
Every row is a technique that's been on the list for years. Every row is catalogued in an open-source repo. Every row is maintained by defenders, updated weekly, with machine-readable detection and blocklist artifacts.
The attacker playbook isn't secret. It's on GitHub.
The rat wheel, visualized
Here's what most security orgs are actually doing right now. Follow the arrows.

That's the loop. Ten years of it. The headline in the retrospective is always the same - "we need better detection" - and the next vendor pitch is always the same: more ML, more telemetry, more analysts, more rules.
Meanwhile, here's what the prevention-first flow looks like with the same threat intel feeding a WDAC-style enforcement plane:

Same intel. Different destination. One produces alerts forever. The other shrinks the attack surface until the alerts that do fire are actually worth investigating.
The math detection-first doesn't want you to do
Let's put some numbers on it. Pick any mid-sized enterprise with an EDR. Ask three questions:
- How many detection analytics does your SOC maintain for PowerShell alone? Red Canary has publicly documented maintaining hundreds of analytics for a single binary - powershell.exe - and that binary is still #2 on their 2026 top-10 techniques list, eight years into the exercise. Yours is probably in the hundreds too.
- How many of those fired on confirmed threats last year vs. benign activity? The signal-to-noise ratio is brutal even at the best shops on the planet. For most orgs it's far worse.
- How many of those analytics would you still need if powershell.exe simply couldn't execute unsigned code or run in anything but Constrained Language Mode on 90% of your endpoints?
The answer is: almost none.
This is not a thought experiment. Constrained Language Mode is a WDAC side effect that Red Canary themselves recommend in their own Mshta guidance: deploying an allow-all policy places PowerShell into constrained language mode, which by its very nature blocks a significant amount of PowerShell-based attacks. (Red Canary - Mshta)
The detection-engineering industry has been quietly documenting the prevention path inside its own detection guidance for years. We just don't lead with it, because prevention doesn't sell seat licenses to SOC analysts.
And here's the part that makes the 2026 CrowdStrike data especially damning: when the average breakout time is 29 minutes and the fastest observed breakout is 27 seconds, the detection-and-respond loop is mathematically losing. CHATTY SPIDER proved it - four minutes from Quick Assist session to attempted exfil. No SOC on earth triages, investigates, and contains in four minutes. But WDAC can refuse to let Quick Assist's child processes launch WinSCP in zero.
"But prevention can't keep up with AI and new attack surfaces"
This is the strongest-sounding argument in the detection-first camp, so let's break it down. AI is absolutely changing the initial-access game. Phishing is cheaper. Social engineering is better. Deepfake help-desk calls are real. Paste-and-run / ClickFix is the new normal. Fine. Agreed.
But look at what happens after initial access. CrowdStrike's 2026 number: 82% of detections are malware-free. What does malware-free mean in practice? It means the adversary landed a session and then reached for - say it with me - PowerShell, cmd.exe, WMI, scheduled tasks, rundll32, an RMM tool, and a vulnerable driver. CrowdStrike's own CHATTY SPIDER case study uses Microsoft Quick Assist and WinSCP. Their PUNK SPIDER case study uses Akira ransomware running from a webcam. SCATTERED SPIDER's entire ransomware pipeline is VMware ESXi + ntds.dit mounted from unmanaged VMs inside vCenter.
AI didn't invent new post-exploitation primitives. It made it cheaper to get to the primitives we already know about. The execution plane on the other side of the phish is the same Windows binaries and the same RMM tools it's been for a decade. Which means the prevention layer isn't chasing a moving target - the target has been standing still the entire time.
"Prevention can't keep up" is true for initial access. It's emphatically false for execution. And execution is where the damage happens - usually within the 29 minutes it now takes the average eCrime crew to break out.
What "prevention of the known" actually looks like
This is the part most detection-first proponents deliberately misrepresent. They'll hear "prevention" and immediately pattern-match to deny-all allowlisting - six-month projects, IT revolts, broken line-of-business apps, executives screaming. That's one flavor of prevention and it's the hardest one. It's also not what I'm arguing for as step one.
The prevention worth doing today, with tools that already ship with Windows, looks like this:
- Block the known-abused LOLBAS primitives your org doesn't need. Mshta is a great start - the overwhelming majority of enterprises have zero legitimate business use for mshta.exe in 2026. Same for hh.exe, SyncAppvPublishingServer.vbs, and friends. WDAC rules exist. Ship them.
- Block the vulnerable drivers in LOLDrivers. Microsoft's own vulnerable driver blocklist is a starting point. LOLDrivers is the superset. BYOVD attacks like TrueSightKiller and POORTRY get neutralized at load time. (MagicSword - TrueSightKiller analysis)
- Block the RMM tools your org doesn't sanction. If your IT team uses ConnectWise, you don't need AnyDesk, TeamViewer, ScreenConnect, Atera, and NetSupport all able to run. LOLRMM catalogs every one of them with the artifacts needed for enforcement. (MagicSword - CISA RMM abuse)
- Block signed malware by certificate, not by hash. Ghost certificates and revoked-but-still-trusted signing chains are how half of the BYOVD and stealer campaigns land. Cert Graveyard tracks them. (MagicSword - Ghost Certificates)
- Clamp PowerShell to Constrained Language Mode for users who don't need full language mode. Red Canary says this alone blocks a significant amount of PowerShell-based attacks, in their own words.
None of this is "deny-all." None of this breaks LOB apps. None of this requires a six-month project. It's a curated, intelligence-driven blocklist targeting the exact tools and primitives that every major threat report names every single year.
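The prevention-first flow sketched earlier (threat intel feeding a WDAC-style enforcement plane) and the five-point list above come together in one added example, which is not MagicSword's or Microsoft's code. It takes normalised feed records (constructed stand-ins for LOLBAS, LOLRMM and LOLDrivers entries; the driver hashes are placeholders, not real values), drops the RMM agent IT actually uses (an assumed name), and emits a WDAC base policy in the layout of Microsoft's published recommended block-rules XML: allow everything, deny the curated list, audit mode on. Certificate-based denies (the Cert Graveyard row) use Signer rules and are left out here.

```python
"""Generate a WDAC deny-rule policy from curated blocklist intel.

Added example, not MagicSword's or Microsoft's code. FEED records are constructed
stand-ins for LOLBAS / LOLRMM / LOLDrivers entries (driver hashes are
placeholders), SANCTIONED_RMM is an assumed list of the RMM agents IT actually
uses, and the layout mirrors Microsoft's published recommended block-rules XML.
Merge and validate the output with the ConfigCI cmdlets before enforcing it.
"""
import uuid
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:sipolicy"
PLATFORM_ID = "{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}"
DENY_ALL_VERSIONS = "65535.65535.65535.65535"   # FileName-rule idiom: deny every version
PLACEHOLDER_HASH = "0123456789ABCDEF" * 4         # stands in for a real Authenticode SHA256

# Constructed intel feed normalised to one shape. "kind" decides whether the
# Deny rule is referenced from the kernel-mode or the user-mode signing scenario.
FEED = [
    {"kind": "lolbas", "name": "mshta.exe"},
    {"kind": "lolbas", "name": "hh.exe"},
    {"kind": "lolbas", "name": "MSHTA.EXE"},                  # duplicate entry, different case
    {"kind": "rmm",    "name": "AnyDesk.exe"},
    {"kind": "rmm",    "name": "TeamViewer.exe"},
    {"kind": "rmm",    "name": "OurRmmAgent.exe"},            # assumed sanctioned agent
    {"kind": "driver", "name": "vulndrv1.sys", "hash": PLACEHOLDER_HASH},
    {"kind": "driver", "name": "vulndrv2.sys", "hash": PLACEHOLDER_HASH[::-1]},
]
SANCTIONED_RMM = {"ourrmmagent.exe"}                          # assumption: IT's own RMM stays allowed


def build_rules(feed, sanctioned_rmm=frozenset()):
    """Split the feed into (kernel_rules, user_rules); each rule is a dict of <Deny> attributes."""
    kernel, user, seen = [], [], set()
    for rec in feed:
        name = rec["name"]
        if rec["kind"] == "rmm" and name.lower() in sanctioned_rmm:
            continue                                  # the RMM IT actually uses is not denied
        key = rec.get("hash") or name.lower()
        if key in seen:
            continue                                  # feeds overlap; emit each rule once
        seen.add(key)
        rule_id = f"ID_DENY_{rec['kind'].upper()}_{len(kernel) + len(user)}"
        if rec["kind"] == "driver":
            # Drivers get renamed; match the PE's Authenticode hash, not its file name.
            kernel.append({"ID": rule_id, "FriendlyName": name, "Hash": rec["hash"]})
        else:
            # FileName rules match the OriginalFileName in the PE version resource,
            # so a renamed copy of mshta.exe is still denied.
            user.append({"ID": rule_id, "FriendlyName": name, "FileName": name,
                         "MinimumFileVersion": DENY_ALL_VERSIONS})
    return kernel, user


def _el(parent, tag, text=None, **attrs):
    el = ET.SubElement(parent, f"{{{NS}}}{tag}", **attrs)
    if text is not None:
        el.text = text
    return el


def build_policy(feed, sanctioned_rmm=frozenset(), audit=True):
    """Assemble a base policy: allow everything, deny the curated list, audit first."""
    kernel, user = build_rules(feed, sanctioned_rmm)
    allow_kernel = {"ID": "ID_ALLOW_A_1", "FriendlyName": "Allow kernel drivers", "FileName": "*"}
    allow_user = {"ID": "ID_ALLOW_A_2", "FriendlyName": "Allow user mode", "FileName": "*"}
    ET.register_namespace("", NS)
    pol = ET.Element(f"{{{NS}}}SiPolicy", PolicyType="Base Policy")
    _el(pol, "VersionEx", "10.0.0.0")
    _el(pol, "PlatformID", PLATFORM_ID)
    rules = _el(pol, "Rules")
    options = ["Enabled:Unsigned System Integrity Policy", "Enabled:UMCI",
               "Enabled:Advanced Boot Options Menu"] + (["Enabled:Audit Mode"] if audit else [])
    for opt in options:
        _el(_el(rules, "Rule"), "Option", opt)
    _el(pol, "EKUs")
    file_rules = _el(pol, "FileRules")
    for rule in (allow_kernel, allow_user):
        _el(file_rules, "Allow", **rule)
    for rule in kernel + user:                        # a matching Deny always wins over Allow
        _el(file_rules, "Deny", **rule)
    _el(pol, "Signers")
    scenarios = _el(pol, "SigningScenarios")
    for value, sid, name, refs in (
        ("131", "ID_SIGNINGSCENARIO_DRIVERS_1", "Kernel mode", [allow_kernel] + kernel),
        ("12", "ID_SIGNINGSCENARIO_WINDOWS", "User mode", [allow_user] + user),
    ):
        sc = _el(scenarios, "SigningScenario", Value=value, ID=sid, FriendlyName=name)
        ref_list = _el(_el(sc, "ProductSigners"), "FileRulesRef")
        for rule in refs:
            _el(ref_list, "FileRuleRef", RuleID=rule["ID"])
    _el(pol, "UpdatePolicySigners")
    _el(pol, "CiSigners")
    _el(pol, "HvciOptions", "0")
    policy_id = "{" + str(uuid.uuid4()).upper() + "}"  # a base policy is its own BasePolicyID
    _el(pol, "BasePolicyID", policy_id)
    _el(pol, "PolicyID", policy_id)
    return pol


def policy_xml(feed, sanctioned_rmm=frozenset(), audit=True):
    return ET.tostring(build_policy(feed, sanctioned_rmm, audit), encoding="unicode")


def policy_summary(xml_text):
    """Parse a policy back and report deny IDs, per-scenario references and options."""
    root = ET.fromstring(xml_text)
    refs = {sc.get("FriendlyName"): [r.get("RuleID") for r in sc.iter(f"{{{NS}}}FileRuleRef")]
            for sc in root.iter(f"{{{NS}}}SigningScenario")}
    return {"deny_ids": [d.get("ID") for d in root.iter(f"{{{NS}}}Deny")],
            "refs": refs,
            "options": [o.text for o in root.iter(f"{{{NS}}}Option")]}


if __name__ == "__main__":
    text = policy_xml(FEED, SANCTIONED_RMM)
    with open("blocklist_policy.xml", "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + text)
    kernel, user = build_rules(FEED, SANCTIONED_RMM)
    print(f"{len(kernel)} kernel-mode and {len(user)} user-mode deny rules written")
```

The allow-all rules are what make this a blocklist rather than deny-all allowlisting, and they are also what puts PowerShell into Constrained Language Mode once the policy is enforced. Run it with "Enabled:Audit Mode" first and review the CodeIntegrity operational log (event 3076 records what would have been blocked) before flipping the option off; treat the rule names, hashes and IDs here as illustrative, since real LOLDrivers entries carry their own Authenticode hashes.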
This is what we mean at MagicSword by Mean Time to Prevent - the metric detection-first security deliberately avoids because it exposes how much of the top 10 is sitting there, blockable, and we just… don't.
→ Learn more about MTTP here: Stop Detecting. Start Preventing. The Case for Mean Time to Prevent (MTTP)
The honest hierarchy
Here's the framing that detection-first advocates should actually be defending, if they were being rigorous:
- Block what's predictable. The top 10 techniques from M-Trends, Red Canary, and CrowdStrike. The abused LOLBAS binaries. The known bad drivers. The unsanctioned RMMs. The ghost certificates. This layer is cheap, it's known, and the intel is free.
- Constrain what can't be blocked. Constrained Language Mode, AppLocker/WDAC in audit-then-enforce, kernel-level integrity. Reduce what the remaining tools can do even when they run.
- Detect what survives. Now you're detecting the creative 10–20% of adversary tradecraft that actually earned its way through. Your analysts see signal. Your detections have meaning. Your top-10 analytic list shrinks from 368 to maybe 30.
- Respond fast to what you detect. This is where MTTD and MTTR actually matter - on the residue, not on the bulk.
Detection-first inverts this. It says: skip 1 and 2, throw everything at 3, then complain that 3 doesn't scale.
Of course 3 doesn't scale. You're making it do the job of 1, 2, and 3 at once.
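The four-layer hierarchy above, as an added example (not MagicSword's code) run over constructed process-creation events: each event is first tested against the curated deny list, then against an assumed rough approximation of what Constrained Language Mode refuses, and only the residue reaches the detection rules. The block list, the RMM and tool names, and the CLM markers are assumptions made for the demo; the events are constructed stand-ins for Sysmon or EDR telemetry.

```python
"""Block -> constrain -> detect, applied in that order to process telemetry.

Added example, not MagicSword's code. EVENTS are constructed stand-ins for
Sysmon/EDR process-creation records; the deny list, the RMM names and the
Constrained Language Mode markers are assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    image: str      # process executable name
    parent: str     # parent process executable name
    cmdline: str


# Layer 1: curated deny list (LOLBAS primitives the org does not need, unsanctioned RMMs).
BLOCKED_IMAGES = {"mshta.exe", "hh.exe", "anydesk.exe", "teamviewer.exe"}
# Layer 2: PowerShell runs in Constrained Language Mode under an allow-all WDAC policy.
# CLM refuses Add-Type and arbitrary .NET object creation; these substrings are an
# assumed proxy for command lines that need full language mode.
POWERSHELL = {"powershell.exe", "pwsh.exe"}
CLM_STOPPED = ("add-type", "new-object system.", "[reflection.assembly]")
# Layer 3: detections for whatever survives layers 1 and 2.
RMM_PARENTS = {"quickassist.exe", "ourrmmagent.exe"}   # assumed RMM process names
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe", "curl.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-ec"}
DETECTIONS = [
    ("rmm parent spawned transfer tool",
     lambda e: e.parent in RMM_PARENTS and e.image in TRANSFER_TOOLS),
    ("encoded powershell command",
     lambda e: e.image in POWERSHELL and any(tok in ENCODED_FLAGS for tok in e.cmdline.split())),
]

# Constructed events (not real telemetry); mixed case on purpose.
EVENTS = [
    Event("ws-01", "mshta.exe", "explorer.exe", "mshta.exe C:\\Users\\Public\\page.hta"),
    Event("ws-01", "AnyDesk.exe", "explorer.exe", "AnyDesk.exe"),
    Event("ws-02", "powershell.exe", "cmd.exe", "powershell.exe Add-Type -TypeDefinition $src"),
    Event("ws-02", "powershell.exe", "explorer.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    Event("ws-03", "WinSCP.exe", "QuickAssist.exe", "WinSCP.exe"),
    Event("ws-03", "powershell.exe", "wscript.exe", "powershell.exe -nop -w hidden -enc AAAAAAAA"),
    Event("ws-04", "svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
    Event("ws-04", "TeamViewer.exe", "explorer.exe", "TeamViewer.exe"),
]


def normalize(ev):
    """Lower-case every field so rule matching is case-insensitive."""
    return Event(ev.host, ev.image.lower(), ev.parent.lower(), ev.cmdline.lower())


def prevented(ev):
    return ev.image in BLOCKED_IMAGES


def constrained(ev):
    return ev.image in POWERSHELL and any(marker in ev.cmdline for marker in CLM_STOPPED)


def triage(events):
    """Push each event down the funnel and return what each layer absorbed."""
    out = {"blocked": [], "constrained": [], "alerts": [], "quiet": 0}
    for raw in events:
        ev = normalize(raw)
        if prevented(ev):                 # layer 1: never executes, no alert needed
            out["blocked"].append(ev)
            continue
        if constrained(ev):               # layer 2: runs, but CLM stops what it tried to do
            out["constrained"].append(ev)
            continue
        hits = [name for name, rule in DETECTIONS if rule(ev)]
        if hits:                          # layer 3: the residue analysts actually look at
            out["alerts"].extend((name, ev) for name in hits)
        else:
            out["quiet"] += 1
    return out


if __name__ == "__main__":
    result = triage(EVENTS)
    print(f"{len(EVENTS)} events: {len(result['blocked'])} blocked, "
          f"{len(result['constrained'])} constrained, {len(result['alerts'])} alerts, "
          f"{result['quiet']} quiet")
    for name, ev in result["alerts"]:
        print(f"  ALERT {name}: {ev.host} {ev.parent} -> {ev.image}")
```

Of the eight constructed events, three never run, one is defanged by CLM, and only two reach an analyst, both of them worth reading: a Quick Assist session spawning WinSCP (the CHATTY SPIDER pattern) and an encoded PowerShell command. Feed the same events into layer 3 alone and every mshta, AnyDesk and TeamViewer launch would need its own analytic.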
You said you're not waiting for prevention to save you. Good news: you don't have to wait. The prevention layer for the top 10 techniques has been sitting on GitHub for years. LOLBAS since 2018. LOLDrivers since 2023. LOLRMM since 2024. Cert Graveyard, Bootloaders.io - all of it. Free, maintained, machine-readable, MITRE-mapped.
The reason the industry hasn't shipped it isn't technical. It's that detection engineering is a business model, and that business model depends on the top 10 staying detectable instead of getting blocked.
I get it. I spent years in that world. But look at the data honestly. Three reports. Ten years. Same list. Same reports next year will say the same thing, and the year after that, and the year after that - unless somebody actually blocks the known bad.
Prevention isn't "ideal." Prevention of the known is the cheapest, highest-ROI move in security, and we've been talking ourselves out of it because it's less interesting than building another ML model on top of Sigma rules.
Stop detecting what you can stop. Detect what you can't. That's the job.
Get off the wheel.
Want to see how prevention changes the equation? Book a demo and we’ll walk through how MagicSword blocks real-world attack techniques at execution time.
Keep up with how modern attacks actually work and how to prevent them. Subscribe to the MagicSword newsletter for practical research, real-world attack tradecraft, and prevention-focused intelligence.
Further reading
- The Eternal Cybersecurity Pendulum: Why Prevention Is Back
- AI Makes Getting In Easy. What Happens Next Is the Real Problem
- Allowlisting vs. Blocking Abuse: Two Paths to Application Control
Receipts
- Mandiant M-Trends 2024 (PDF)
- Mandiant M-Trends 2024 announcement
- Mandiant M-Trends 2025 analysis
- Red Canary 2026 Threat Detection Report
- Red Canary - PowerShell technique page
- Red Canary - Windows Command Shell
- Red Canary - Malicious Copy and Paste (ClickFix)
- Red Canary - NetSupport Manager (#4 threat 2026)
- CrowdStrike 2026 Global Threat Report
- CrowdStrike - How CrowdStrike Stops Living-off-the-Land Attacks
- Splunk SURGe - Macro ATT&CK 2024: A Five-Year Perspective
- Splunk SURGe - Macro ATT&CK for a TTP Snack
- Splunk SURGe - Macro ATT&CK 2023 update
- Splunk SURGe - Macro ATT&CK 2022 (Zoom. Enhance!)
- Splunk SURGe - Macro ATT&CK raw dataset (GitHub)
- LOLBAS
- LOLRMM
- LOLDrivers
- Bootloaders.io

Written by
Jose Hernandez
Threat Researcher
Jose Enrique Hernandez formed and served as the Director of Threat Research at Splunk. Jose is known for creating several security-related projects, including: Splunk Attack Range, Splunk Security Content, Git-Wild-Hunt, Melting-Cobalt, lolrmm.io and loldrivers.io. He also works as a maintainer to security industry critical repositories such as Atomic Red Team and lolbas-project.github.io.


