Atomic Red Team Chain Reactions

Testing Detection and Prevention Tools With Atomic Red Team “Chain Reactions”

Casey Smith, Michael Haag

The very nature of Atomic Red Team is to allow for customization of different testing units to determine coverage, prevention, or detection within your environment. Chain reactions are a concept we developed to enable security teams to combine multiple MITRE ATT&CK™ techniques and execute them simultaneously. You can use these free-form methods to either build a sequence of events or … Read More

eggshell tool mac post-exploitation

How to Detect and Defend Against the EggShell Surveillance Tool for MacOS

Adam Mathis

As macOS and Linux systems have become more commonplace in enterprises, so has the tooling to compromise them and facilitate post-exploit hijinks. For those charged with defending macOS and Linux systems, knowing how to detect and defend against this activity is critical. Even unsophisticated attackers can use these tools to infiltrate a system, perform reconnaissance, escalate privilege, and move laterally … Read More

Red Canary and CrowdStrike

Red Canary and CrowdStrike: Birds Join Forces

Chris Rothe

We are very excited about our new partnership with CrowdStrike®. Red Canary can now provide our industry-leading hunting and response using Falcon’s Endpoint Detection and Response (EDR) data. We have a very simple goal at Red Canary: to make companies’ security better. From day one, we started with that single goal and asked what we could do to make the … Read More

Detecting Remote Access Trojan

We Smell a RAT: Detecting a Remote Access Trojan That Snuck Past a User

Julie Brown

You can have the best firewalls and perimeter defenses in place, but if your users aren’t aware of phishing techniques and malicious email attachments, it can be your undoing. Today we’re going to break down an attack that we detected for a Red Canary customer in which a malicious executable was renamed to look like an important document. While it’s … Read More

Credential Harvesting

Credential Harvesting on the Rise

Keith McCammon, Chief Security Officer

Red Canary began to see its annual spike in credential harvesting attacks last week. These attacks typically increase as tax season approaches and adversaries gear up to file fraudulent tax returns. Here’s what organizations need to know to understand and mitigate the risk. How Credential Harvesting Works Adversaries send the victim a personalized lure, which is typically an email containing … Read More

Mapping Detectors to MITRE ATT&CK

Red Canary ATT&CKs (Part 3): Mapping Our Detectors to ATT&CK Techniques

Kyle Rainey

As discussed in Part 1 of this series, we decided that using the MITRE ATT&CK framework would give us a common language to describe adversary tactics and techniques. This would help us to effectively share information amongst our internal teams, our customers, and the community at large. In this post, we will walk through the process of mapping our 800+ … Read More

Red Canary Product

Red Canary ATT&CKs (Part 2): Designing ATT&CK Interfaces in Red Canary

Chris Rothe

This is the second part of a series on why and how Red Canary chose MITRE’s ATT&CK framework as our common language for adversary tactics and techniques. This post describes the design and interface tradeoffs our engineering team considered, lessons learned, and key takeaways that security teams can use when applying ATT&CK to their security programs. When Red Canary’s security … Read More