Liner notes

Threat sounds: Listen to the 2021 Threat Detection Report playlist

As you click through our hot-off-the-presses Threat Detection Report, here are some tunes to help you keep calm and canary on. We picked a song for each of the most prevalent threats and ATT&CK techniques Red Canary observed in 2020, with a few bonus tracks for fun. Read our liner notes below, and don’t forget to press play on Spotify!

Top ATT&CK techniques

#1: Command and Scripting Interpreter (T1059)

“Control” by Janet Jackson

Ms. Jackson said it best: “It’s all about control”…and PowerShell and Windows Command Shell give adversaries a lot of it. These two sub-techniques put Command and Scripting Interpreter at the top of this year’s list.

#2: Signed Binary Proxy Execution (T1218)

“Signed, Sealed, Delivered” by Stevie Wonder

Here they are, baby: Rundll32! Mshta! These native Windows processes are yours! (But watch out—bad guys use them too.)

#3: Create or Modify System Process (T1543)

“Windows” by Donnie Trumpet and the Social Experiment

Windows services grant adversaries a means of both persistence and privilege escalation. You might want to listen to Chance the Rapper when he sings “keep your head away from windows.”

#4: Scheduled Task/Job (T1053)

“Why Don’t You Get a Job” by the Offspring

Scheduled tasks: they get the job done!

#5: OS Credential Dumping (T1003)

“Memory” from Cats

LSASS, all alone in the moonlight.

#6: Process Injection (T1055)

“They Call Us Run” by Run-DMC

This song by Run-DLL, I mean DMC, evokes the enthusiasm with which adversaries execute their code inside seemingly benign processes.

#7: Obfuscated Files or Information (T1027)

“You’ve Got to Hide Your Love Away” by the Beatles

Hey! You’ve got to hide your strings a-way.

#8: Ingress Tool Transfer (T1105)

“Stinkfist” by TOOL

Just like the band TOOL keeps finding its way back on the Billboard charts, adversaries are constantly finding novel and deceptive ways to introduce their own tools onto victim machines.

#9: System Services (T1569)

“Chop Suey” by System of a Down

Wake up! (that is all.)

#10: Masquerading (T1036)

“The Real Slim Shady” by Eminem

Will the real AdFind.exe please stand up?

Top threats

#1: TA551

“Lean on Me” by Bill Withers

So much depends on a TA551 phishing email. Other threats lean on this group’s well-oiled infrastructure to deliver a variety of payloads, making TA551 the most prevalent threat we observed in 2020.

#2: Cobalt Strike

“Blue Monday” by New Order

It’s a Blue Monday when you wake up to discover Cobalt Strike Beacons in your environment.

#3: Qbot

“Mr. Roboto” by Styx

Does Qbot dream of electric sheep?

#4: IcedID

“Ice, Ice, Baby” by Vanilla Ice

Sing it with us: Iced, Iced, ID. Iced, Iced, ID. It’s not the same!

#5: Mimikatz

“Non, Je Ne Regrette Rien” by Edith Piaf

Whatever song we picked, it had to be French (“mimi” means cute).

#6: Shlayer

“Angel of Death” by Slayer

‘nuff said.

#7: Dridex

“Sound of Silence” by Simon and Garfunkel

Hello Dridex, our old friend. We’ve come to detect on you again.

#8: Emotet

“Atlantic City” by Bruce Springsteen

Much of Emotet’s infrastructure was taken down in January 2021, but don’t count out this threat just yet. In the words of the Boss, “maybe everything that dies someday comes back.”

#9: TrickBot

“Tubthumping” by Chumbawamba

When TrickBot gets knocked down, it always gets up again. We’re going to need a few more whiskey drinks to keep this trojan down.

#10: Gamarue

Theme from “The Neverending Story” by Limahl

It was between this one and “The Song That Never Ends.” We picked the slightly less annoying option.

Bonus tracks

“Mockingbird” by Carly Simon and James Taylor

In 2020, Red Canary identified Blue Mockingbird, an activity cluster that deploys Monero cryptocurrency-mining payloads and leverages Windows services for persistence. Yeah!

“Yellow” by Coldplay

The Yellow Cockatoo remote access trojan burst onto the scene in the second half of 2020, landing in our top five threats in October, November, and December. This gives Chris Martin the feels.

“A Long December” by Counting Crows

When news of the SolarWinds supply chain compromise broke on December 13, 2020, the rest of the month felt like a year.

“Waiting for the Sun” by the Doors

Months after the initial disclosure, we’re still learning about new victims and details related to Solargate. The story will continue well into 2021, and we don’t mind waiting.

“Working for the Weekend” by Loverboy

Everybody’s working for the weekend—unless you’re infosec, which means you’re working through the weekend.