Liner notes

Threat sounds vol. 3: The 2023 Threat Detection Report playlist

We’re excited to press play on Threat sounds vol. 3, a playlist to accompany the 2023 Threat Detection Report. Like we did in 2021 and 2022, we picked a song for each of the most prevalent threats, trends, and ATT&CK techniques Red Canary observed in 2023. Read our liner notes below, and listen to the full playlist on Spotify!

Side 1: Threats

1. Qbot

“Ain’t No Rest for the Wicked” by Cage the Elephant

There was no rest for our number one threat last year. While Qbot’s operators appeared to take vacations in both 2021 and 2022, they reemerged with a vengeance in the fall. After all, money don’t grow on trees.

2. Impacket

“This is Not a Test” by She and Him

While about half of the Impacket behavior we run into comes from customer-confirmed testing, ransomware operators and other adversaries use the library of Python scripts for post-exploitation activity.

3. AdSearch

“False Advertising” by Bright Eyes

It can be heartbreaking when you click on an online ad for a miracle product and end up with malware instead. That tummy-flattening tea is in fact too good to be true.

4. Gootloader

“Little Drop of Poison” by Tom Waits

Gootloader’s operators use a little drop of SEO poison to lure victims into downloading a malicious ZIP archive. Symptoms of a Gootloader infection might include Tom Waits-levels of rasp in your voice.

5. Mimikatz

“Pass the Dutchie” by Musical Youth

This open source password-dumping utility is the secret sauce behind “Pass the Hash” attacks.

6. SocGholish

“Ghosts ‘n’ Stuff” by Deadmau5

This malware family leverages drive-by downloads to trick users into executing malicious JavaScript ‘n’ stuff.

7. Raspberry Robin

“Raspberry Robin” by Christopher Treitsch

We’re just stunned this song exists at all. Call us, Christopher.

8. Cobalt Strike

“If You Can’t be Good, be Gone” by The SteelDrivers

Despite good-faith efforts from Cobalt Strike’s developers to prevent adversaries from cracking this post-exploitation tool, ransomware operators are still abusing older versions of the software.

9. BloodHound

“Hound Dog” by Big Mama Thornton

Adversaries use the BloodHound open source tool to sniff around Active Directory environments, making them no friend of ours.

10. Gamarue

“I Will Survive” by Cake

More than five years after an attempted takedown, Gamarue has survived, often spreading via infected USB drives, an initial access vector that also won’t seem to die.

Featured: Yellow Cockatoo

“Old Yellow Bricks” by Arctic Monkeys

Love’s a risk, and so are search engine redirects. We recommend blocking newly registered and low-reputation domains to avoid the .NET remote access trojan (RAT) associated with Yellow Cockatoo.

Featured: Emotet

“It’s Been a While” by Staind

After a largely dormant 2021, it had been a while since we’d seen Emotet in customer environments, almost as long as it had been since we thought about the band Staind.

Featured: PlugX

“X Gon’ Give it To Ya” by DMX

In 2022, Red Canary observed the PlugX remote access trojan (RAT) giving it to customers in manufacturing, construction, insurance, and international nonprofits.

Side 2: Techniques

1. Windows Command Shell (T1059.003)

“The Shell” by Lucy Dacus

Windows Command Shell overtook its cousin PowerShell as the number one adversary technique Red Canary observed in 2022. Hopefully things won’t be awkward at Thanksgiving.

2. PowerShell (T1059.001)

“Seven Nation Army” by The White Stripes

PowerShell commands are like the power chords of the Windows operating system: simple building blocks that add up to something bigger. The question is: Which is more annoying—a destructive computer worm or an incessant earworm?

3. Windows Management Instrumentation (T1047)

“Bust Your Windows” by Jazmine Sullivan

Because Windows Management Instrumentation (WMI) is a native feature, malicious activity often blends in with legitimate activity, enabling attacks that could ultimately bust your Windows.

4. Obfuscated Files or Information (T1027)

“Invisible String” by Taylor Swift

Adversaries can make key strings of malicious code invisible to the naked eye (and even some detection tools) by using obfuscation techniques such as Base64 encoding, string concatenation, substrings, and escape characters.

5. Rundll32 (T1218.011)

“We Run This” by Missy Elliot

While there are plenty of legitimate reasons to run this native Windows process, we’ve seen adversaries run it to commit misdemeanors…and worse.

6. Ingress Tool Transfer (T1105)

“Drop it Like it’s Hot” by Snoop Dogg

After gaining initial access to a victim system, adversaries often leverage native Windows binaries to drop their own hot tools into an environment.

7. Process Injection (T1055)

“Run Run Run” by the Velvet Underground featuring Nico

Code can inherit the privilege level of the process it’s injected into, so adversaries often run run run seemingly benign processes as proxies to have a little fun.

8. Service Execution (T1569.002)

“Wherever, Whenever” by Shakira

Here’s the deal, my dear: Services like services.exe and svchost.exe enable adversaries to execute malicious code wherever, whenever, often at a high privilege level.

9. Rename System Utilities (T1036.003)

“My Name is Jonas” by Weezer

By renaming system utilities to something inconspicuous (like Jonas, for example), adversaries can bypass detection controls that flag certain process names and paths.

10. LSASS Memory (T1003.001)

“Ghost in the Machine” by SZA featuring Phoebe Bridgers

When SZA asks “Can I get into the app, what’s the password?” Phoebe Bridgers should tell her to look for the hashes stored in LSASS memory!

Featured: Modify Registry (T1112)

“Love on Top” by Beyonce

In a nod to how adversaries modify registry keys like HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, we picked the Queen Bey song with the most key changes (four!).

Featured: Gatekeeper Bypass (T1553.001)

“Gatekeeper” by Feist

Gatekeeper, Mac users wait for your nod. Adversaries have found ways to circumvent the additional security checks performed by Apple’s Gatekeeper feature.

Featured: Setuid and Setgid (T1548.001)

“Svefn-g-englar” by Sigur Rós

Out of context, the bits you modify to set permissions based on user ID (Setuid) and group ID (Setgid) could pass for Sigur Rós lyrics.

Featured: Mark-of-the-Web Bypass (T1553.005)

“See No Evil” by Television

Adversaries can bypass Windows’s Mark-of-the-Web security check by embedding their payloads in stealthy file formats, such as .iso, to make it so defenders see no evil.

Featured: SMB/Admin Shares (T1021.002)

“We R Who We R” by Ke$ha

Although Ke$ha dropped hers, Windows still uses the $ sign to mark a shared drive or folder, e.g., ADMIN$.

Featured: Multi-Factor Authentication Request Generation (T1621)

“Let me in” by R.E.M.

Adversaries flood users with MFA requests, asking to be let in over and over until the user relents out of annoyance. Maybe that’s how R.E.M. managed to get inducted into the Rock ‘n’ Roll Hall of Fame before their fellow Athenians, the B-52s.

Bonus tracks: Trends

Ransomware

“Ransom” by blink-182

The original blink-182 lineup got back together in 2022, and so did several former Conti ransomware operators, operating under new names such as Black Basta and Quantum.

Initial access tradecraft

“Everything Old is New Again” by Peter Allen

Cybercriminals or hipsters? Adversaries resurfaced some vintage initial access tradecraft in 2022, including exploiting unusual file types such as LNK and MSI.

Command and control (C2) frameworks

“Under Control” by The Strokes

While Cobalt Strike and Metasploit remain the most popular command and control (C2) frameworks, in 2022 we saw some adversaries keeping things under control via alternatives such as Brute Ratel, Sliver, and Mythic.

Stealers

“Been Caught Stealing” by Jane’s Addiction

We caught malware like RedLine, Raccoon, and Vidar stealing credentials and other sensitive information from customers in multiple industries in 2022.

Identity

“Same Ol’ Mistakes” by Rihanna

Adversaries have multiple avenues of circumventing authentication mechanisms to impersonate users, kind of like when Rihanna covered this Tame Impala song and everyone thought it was an original.

Email threats

“New Rules” by Dua Lipa

After successfully compromising a user’s email account, adversaries can create custom inbox rules so that any unauthorized messages sent or received are automatically deleted or forwarded to an obscure folder. We observed this tactic firsthand when we thwarted an attempted payroll diversion scam.

Adversary emulation and testing

“Fight Test” by The Flaming Lips

In total, known tests accounted for 40 percent of threats that Red Canary detected in 2022, a year-over-year increase of roughly 20 percent. This is great news! It makes us want to crowd surf in a giant hamster ball!
