Technique

OS Credential Dumping

Why do adversaries dump credentials? Rooted in the common need for adversaries to infiltrate user accounts and other resources within target organizations, the OS Credential Dumping technique encompasses various methods employed by adversaries and professional penetration testers to acquire valid usernames and passwords. While there are alternative methods of access that do not necessitate legitimate […]

Threat

Impacket

At its core, Impacket is a collection of Python classes that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Oftentimes the popular Python scripts smbexec, wmiexec, or dcomexec are used directly without having been downloaded […]

Threat

Raspberry Robin

Red Canary started tracking a cluster of worm-like activity in September 2021 that we called Raspberry Robin. We shared our observations on this cluster in a blog published in May 2022. Following our post, other security researchers shared their observations and research findings, expanding the community’s understanding of Raspberry Robin. Since our initial blog publication, Raspberry Robin […]

Threat

Yellow Cockatoo

Yellow Cockatoo is an activity cluster involving search engine poisoning to trick users into installing a .NET RAT with infostealer capabilities. First reported by Red Canary in 2020, Yellow Cockatoo has also garnered attention from other researchers, who track it under other names such as Jupyter and Solarmarker. After bursting onto the scene in 2020 […]

Threat

Gamarue

Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue that we observed most frequently in 2022 was a worm that spread primarily via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as […]

Threat

Mimikatz

Analysis

Mimikatz is an open source credential-dumping utility that was initially developed in 2007 by Benjamin Delpy to abuse various Windows authentication components. While the initial v0.1 release was oriented towards abusing already well established “pass the hash” attacks, after expanding its library of abuse primitives, the tool was publicly released as Mimikatz v1.0 in […]

Threat

SocGholish

SocGholish is a malware family that leverages drive-by-downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2023. Similar to the spike in activity […]

Threat

Qbot

Also known as “Qakbot,” the Qbot banking trojan has been active since at least 2007. Initially focused on stealing user data and banking credentials, Qbot’s functionality has expanded to incorporate features such as reconnaissance, follow-on payload delivery, command and control (C2) infrastructure, and anti-analysis capabilities. Qbot is typically delivered via an email-based distribution model. Over […]

Trend

Adversary emulation and testing

Threats attributed to testing represented approximately 24 percent of malicious and suspicious classified threats that our team detected in 2023, nearly 6,000 in all. These threats include purple or red team activity, adversary emulation tools and platforms, and more. In this section, we’ll look closer at the types of organizations performing these tests, along with […]

Trend

Identity attacks

Humans remained the primary vulnerability that adversaries took advantage of when they targeted identities in 2023. This dynamic is not only true of the identity threats we detected but of the ones we researched and read about too. In this section, we will highlight trends we’ve observed in the identity threat landscape—both directly among our […]

Trend

Info stealers

As organizations continue to embrace technologies that allow employees to work outside the traditional perimeter of an enterprise network, identities and credentials remain key to allowing access to resources from remote locations. Information-stealing malware such as RedLine, Vidar, and LummaC2 all gather credentials from various sources on a computer system, including password managers, web browsers, […]

Trend

Vulnerabilities

Addressing vulnerabilities is a fundamental part of information security, and security pros often have mixed reactions to the disclosure of new ones. Between the catastrophic reaction of “cancel all your weekends” to the lax perspective of “that’s next month’s problem,” there is a healthy medium we can approach as a community to address vulnerabilities and […]

Technique

Rename System Utilities

Adversaries rename system utilities to circumvent security controls and bypass detection logic that’s dependent on process names and process paths. Renaming system utilities allows an adversary to take advantage of tools that already exist on the target system and prevents them from having to deploy as many additional payloads after initially gaining access. Renaming a […]

Technique

Ingress Tool Transfer

Why do adversaries use Ingress Tool Transfer? Note: Ingress Tool Transfer has no sub-techniques. Administrative tooling and other native operating system binaries offer adversaries a rich array of functionalities that are ripe for abuse. While an adversary can accomplish many of their objectives by living off the land, they often require non-native tooling to perform […]

Technique

Rundll32

Why do adversaries use Rundll32? Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations. More often than not, […]

Technique

Obfuscated Files or Information

Why do adversaries obfuscate files and information? Note: T1027 comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques. Adversaries employ obfuscation to evade simple, signature-based detection analytics and to impede analysis. Since software and IT […]

Technique

Windows Management Instrumentation

Why do adversaries use WMI? Like many of the threats highlighted in this report, WMI is a native Windows feature that can be used on local or remote systems. Administrators regularly use WMI to configure systems, execute processes or scripts, and automate tasks. What makes WMI useful to administrators also makes it attractive to adversaries. Note […]

Technique

PowerShell

PowerShell is a versatile and flexible automation and configuration management framework built on top of the .NET Common Language Runtime (CLR), which expands its capabilities beyond other common command-line and scripting languages. PowerShell is included by default in modern versions of Windows, where it’s widely and routinely used by system administrators to automate tasks, perform […]

Technique

Windows Command Shell

Windows Command Shell is the native command-line interpreter (CLI) across every version of the Windows operating system. As utilitarian as it is ubiquitous, Windows Command Shell is one of the primary ways that adversaries interact with compromised systems. Unlike its more sophisticated and capable cousin, PowerShell, Windows Command Shell’s native feature set—i.e., commands that may […]

Trend

Initial access tradecraft

In 2023 we saw continued use of perennial favorite techniques. Phishing remains an evergreen issue, and this year adversaries continued to leverage a variety of file types in their phishing emails to deliver malicious payloads. SEO poisoning and malvertising continued to be popular, with new threats taking inspiration from established malware families. We saw a […]

Trend

Ransomware

Even if we as a community are tired of talking about it, 2023 showed us that ransomware isn’t done with us yet. As with 2022, Red Canary’s visibility into the ransomware landscape focused on the early stages of the ransomware intrusion chain—the initial access, reconnaissance, and lateral movement occurring before exfiltration or encryption, which we […]

Technique

Escape to Host

What is a container? Containers are short-lived processes designed to run an application. They are typically isolated from the underlying host via mechanisms such as namespaces, cgroups, and capabilities. In combination, these mechanisms ensure containers are isolated, resource-controlled, and maintain a level of security. For example, capabilities in Linux are employed to granularly assign privileges […]

Technique

Email Forwarding Rule

Business email compromise (BEC) and email account compromise (EAC) attacks remained prevalent in 2023. Adversaries use compromised credentials or identities to access email accounts, leveraging their legitimacy to bypass automated security controls and to trick otherwise phish-aware users who apply more scrutiny to external or unfamiliar email addresses. Adversaries also use email forwarding rules to […]

Technique

Kernel Modules and Extensions

Why do adversaries abuse kernel modules and extensions? When an adversary gains access and execution on a system, they are often hamstrung by the reality that their execution exists in memory only. Thus, if the machine restarts, the program they had running on the machine goes away. Kernel Modules and Extensions allow adversaries to establish […]

Technique

Installer Packages

Note: Installer Packages is a broadly scoped sub-technique, and so we decided to focus our analysis on emerging tradecraft related to MSIX.

What is MSIX?

MSIX is a packaging format for Windows that eases the packaging, installation, and update process for applications. It is intended to improve upon the limitations of the MSI format. MSIX […]

Technique

Reflective Code Loading

Analysis

Note: Reflective Code Loading is a broad, cross-platform technique, and we’ve chosen to focus our analysis specifically on this technique in the context of macOS.

Why do adversaries abuse reflective code loading? The macOS file system is carefully scrutinized by endpoint detection and response (EDR) tools, commercial antivirus (AV) products, and Apple’s baked-in XProtect […]

Technique

AppleScript

Why do adversaries abuse AppleScript? Gaining execution on macOS can be noisy. When binaries are dropped to disk, there is ample opportunity for defenders to respond, be it via traditional static-based detection or more modern process-centric behaviors. It’s for this reason that adversaries tend towards a “Living off the Orchard” (LOOBin) approach, which assumes the […]

Technique

Cloud Accounts

Cloud account compromises are increasing in prevalence as organizations embrace software-as-a-service (SaaS) for critical productivity applications like email, file storage, and messaging, resulting in a substantial volume of data now being stored in the cloud. This shift is mirrored by adversaries too, who are finding just as much value in compromising cloud identities as they […]

Threat

ChromeLoader

ChromeLoader is a browser hijacker capable of redirecting searches for popular search engines such as Google, Bing, and Yahoo, sending search data to its C2, and adding a malicious browser extension while preventing users from uninstalling it.

Our evolving understanding of an evolving threat

We began 2023 with a narrower view of ChromeLoader than most other […]

Trend

Industry and sector analysis

Is an organization’s industry an important factor in determining the types of threats they face, the techniques that adversaries use against them, or the general level of risk they’re exposed to? We looked at our detection data set to answer this question and shed light on the relative risks—or the different kinds of risk—faced by […]

Trend

Artificial intelligence (AI)

In 2023 we all witnessed a new era in the use of generative AI (GenAI) to aid in solving or automating many of the rote tasks we take on as defenders. Technologies like ChatGPT, Bard, and GitHub Copilot showed how GenAI—backed by powerful foundational models like GPT-4—can reduce the cognitive load and stresses that come […]

Threat

SmashJacker

SmashJacker is a browser search engine hijacker first documented by ConnectWise in June 2023. Distributed through sites advertising “the download of wallpapers, software, games, and movies,” often via a pay-per-installer that Red Canary tracks as Charcoal Stork, SmashJacker installs a browser extension designed to redirect search engine queries and serve additional advertisements that provide income […]

Threat

Charcoal Stork

The birth of Charcoal Stork

Charcoal Stork is a suspected pay-per-install (PPI) provider that first drew our attention in 2022 when it began delivering ChromeLoader. In the months since, we have observed this initial access threat deliver multiple payloads, including SmashJacker and VileRAT, and research from other vendors suggests several other payloads have been observed […]

Trend

Remote monitoring and management tools

Adversaries have abused RMM tools for years, and they continued to do so in 2023. RMM tools are an attractive option for adversaries because they offer robust sets of remote administration features and they do so with the veneer of legitimacy. Many organizations use one or another of these tools to apply updates, manage assets, […]

Trend

API abuse in the cloud

As businesses across the world have moved to cloud services and built infrastructure on top of cloud providers, adversaries have followed them. Moving to the cloud has huge benefits, such as scalability, security, and developer-friendly application programming interfaces (API). It has also brought new tools in the form of identity and access management (IAM) services, […]

Technique

Multi-Factor Authentication Request Generation

Adversaries abuse MFA requests to log into valuable systems that are protected by second factors of authentication. To the surprise of many, some MFA implementations are susceptible to relatively unsophisticated social engineering attacks that could allow an adversary to impersonate victims and bypass security controls. Highly privileged identities are particularly juicy targets for adversaries seeking […]

Technique

SMB/Windows Admin Shares

Windows Admin Shares are enabled by default to allow administrators and software to remotely manage hosts on an internal network using the SMB protocol. These shares give adversaries the ability to stage payloads for execution, move laterally throughout a network, and elevate their privilege level. As is often the case with legitimate operating system utilities, […]

Technique

Mark-of-the-Web Bypass

Windows uses the Mark-of-the-Web (MotW) to indicate that a file originated from the Internet, which gives Microsoft Defender SmartScreen an opportunity to perform additional inspection of the content. MotW also supplies the basis for prompting a user with an additional prompt when high-risk extensions are opened. MotW is applied to a file by appending a […]

Technique

Setuid and Setgid

Once an adversary gains access to a machine, they need to make sure they have enough permissions to persist, evade defensive controls, steal credentials, and more. Adversaries abuse setuid and setgid bits to elevate their privilege levels on macOS and Linux, potentially accessing both cloud-hosted and physical on-premise machines. With elevated privileges, adversaries can modify […]

Technique

Gatekeeper Bypass

Adversaries attempt to bypass Apple’s Gatekeeper security checks in order to gain execution on a host. Since Gatekeeper’s introduction, the security control has hampered adversaries’ ability to execute untrusted code (i.e., code that does not conform to the system’s security policy). Adversaries may also circumvent the older File Quarantine feature and some of the high-level […]

Technique

Modify Registry

The registry being a generic database used by Windows for myriad purposes means that an adversary can use it for myriad purposes too. However, modification of the registry is a means to an end for executing other techniques. The following, non-exhaustive list comprises the various techniques that registry modification facilitates: Boot or Logon Autostart Execution […]

Technique

LSASS Memory

Adversaries commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory. Upon starting up, LSASS contains valuable authentication data such as encrypted passwords, NT hashes, […]

Technique

Service Execution

Why do adversaries abuse Service Execution? All production operating systems have one thing in common: a mechanism to run a program or service continuously. On Windows, such a program is referred to as a “service,” and in the Unix/Linux world, such a program is often referred to as a “daemon.” Regardless of what operating system […]

Technique

Process Injection

Why do adversaries use Process Injection? Note: Process Injection comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques. Process Injection is a versatile technique that adversaries leverage to perform a wide range of malicious activity. […]

Threat

PlugX

PlugX is a malware family observed in intrusions attributed to multiple operators at least as far back as 2008. Although researchers largely attribute compromises involving PlugX to espionage operators with ties to Chinese interests, notably Mustang Panda (which overlaps with TA416 and RedDelta), there is speculation that PlugX source code has been circulated online […]

Threat

Gootloader

Gootloader is a JScript-based malware family that typically leverages SEO poisoning and compromised websites to lure victims into downloading a ZIP archive that poses as a document that the user has searched for. While we observed Gootloader detections in customer environments across multiple sectors in 2022, they almost always happened after victims accessed compromised websites […]

Threat

Emotet

Emotet is an advanced, modular trojan that primarily functions as a downloader or dropper of other malware. It’s disseminated through malicious email links or attachments that use branding familiar to the recipient. Emotet focuses on stealing user data and banking credentials, and opportunistically deploys itself to victims. Emotet is polymorphic, meaning it often evades typical […]

Threat

BloodHound

BloodHound is an open source tool that can be used to identify attack paths and relationships in an Active Directory (AD) environment. BloodHound made it into our top 10 threat rankings thanks to both testing activity and adversary use. It is popular among adversaries and testers because having information about an AD environment can enable […]

Threat

Cobalt Strike

Cobalt Strike continues to be a favorite post-exploitation tool for adversaries. At #8, it is the only post-exploitation framework to make the top 10. Ransomware operators in particular rely substantially on Cobalt Strike’s core functionalities as they seek to deepen their foothold in their victims’ environments. Its speed, flexibility, and advanced features are likely contributing […]

Trend

Email threats

Spearphishing, Business Email Compromise (BEC), and Email Account Compromise (EAC) attacks continue to silently menace businesses across the globe, steadily outpacing damages inflicted by other attacks such as ransomware. Adversaries traditionally rely on social engineering schemes that allow them to trick unsuspecting users into facilitating payment fraud, disclosing sensitive information, or installing malware. Social engineering […]

Trend

Command and control frameworks

Commercial and open source post-exploitation frameworks save red teamers time on custom development and allow them to quickly change TTPs in their engagements. Not surprisingly, adversaries also find them attractive due to their ease of use and flexibility. Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt […]
