Mining off the Land: Cryptomining Enabled by Native Windows Tools

A lesson I learned early in my career is that technology professionals often inherit older problems. This is especially true of administrators responsible for network services and security because they inherit the biggest snowball of problems: an enterprise network. Networks often grow in ways that make them harder to secure and maintain as they age, […]

Slaying Evil Around the Clock with Red Canary’s Cyber Incident Response Team

Red Canary’s Cyber Incident Response Team (CIRT) comprises two groups: detection engineers and incident handlers. Our blog posts often focus on threats we detect, but it’s rare to get a glimpse of our incident handlers in action. This article will walk through a recent threat in a customer’s environment, from the initial discovery […]

Tried-and-True Tactics: How an Adversary Mixed Lateral Movement and Cryptomining

Cryptomining continues to be a hot topic as the values of cryptocurrencies fluctuate, and adversaries use mining as an easy way to make money without needing escalated privileges. In my last detection post, I wrote about mining as the objective of exploitation against Oracle WebLogic systems. In this detection, we’ll look at how one adversary […]

Using Alternate Data Streams to Bypass User Account Controls

There are some pretty cool PowerShell frameworks out there, which means it’s relatively common to see PowerShell doing nefarious things. So when the below alert fired, it was not immediately obvious that it was anything other than normal PowerShell encoding: Digging a little deeper, however, I found that the pattern of behavior was nearly identical […]

Improve Your Threat Detection: Inspect All of the New Everythings

When asked to describe the potential threats that Red Canary detects and confirms, we tend to frame the discussion around several big buckets: Bad things – the most obvious: malware and unwanted software, primarily. Good things gone bad – legitimate applications and services leveraged by a malicious actor . . . think PowerShell, WMIC, MSHTA, etc. Unusual things […]

What Red Canary Detects, Part II: Suspicious Activity

At the risk of oversimplifying the threats and threat actors that organizations face, I’m going to assume for purposes of this article that they fall into one of two broad categories: opportunistic and targeted. Opportunistic Attacks Opportunistic attackers land where they land and attempt to extract as much value from each victim as they can […]