Skip Navigation
Get a Demo


Top techniques

The purpose of this section is to help you detect malicious activity in its early stages so you don’t have to deal with the consequences of a serious security incident.

The following chart represents the most prevalent MITRE ATT&CK® techniques observed in confirmed threats across the Red Canary customer base in 2023. To briefly summarize what’s explained in detail in the Methodology section, we have a library of nearly 4,000 detection analytics that we use to surface potentially malicious and suspicious activity across our customers’ environments. These are mapped to corresponding MITRE ATT&CK techniques whenever possible, allowing us to associate the behaviors that comprise a confirmed threat detection with the industry standard for classifying adversary activity.

When counting techniques, we filter out detections associated with potentially unwanted programs and authorized testing in order to make this list as reflective of actual adversary behavior as possible.

In addition to the top 10, read our analysis of these five featured techniques:



What’s included in this section?

We’ve written extensive analyses of 15 ATT&CK techniques and sub-techniques. Each technique-specific section includes:

  • analysis of how and why adversaries leverage a given technique
  • descriptions of data sources that offer visibility into the technique
  • guidance on the tooling or logs that will enable you to collect those data sources
  • specific examples of how you can use that telemetry to detect adversaries abusing the technique
  • individual tests for emulating how adversaries abuse the technique to validate that you can observe or detect it
  • mitigation advice for limiting an adversary’s ability to abuse the technique


How to use our analysis

Implementing the guidance in this report will help security teams improve their defense in depth against the adversary actions that often lead to a serious incident. Readers will gain a better understanding of common adversary actions and what’s likely to occur if an adversary gains access to your environment. You’ll learn what malicious looks like in the form of telemetry and the many places you can look to find that telemetry. You’ll gain familiarity with the principles of detection engineering by studying our detection opportunities. At a bare minimum, you and your team will be armed with hyper-relevant and easy-to-use Atomic Red Team tests that you can leverage to ensure that your existing security tooling does what you think it’s supposed to do. More strategically, this report can help you identify gaps as you develop a road map for improving coverage, and you can assess your existing sources of collection against the ones listed in this report to inform your investments in new tools and personnel.

Back to Top