Liner notes
Threat sounds vol. 4: The 2024 Threat Detection Report playlist
We’re excited to press play on Threat sounds vol. 4, a playlist to accompany the 2024 Threat Detection Report. For the fourth year in a row, we picked a song for each of the most prevalent threats, trends, and ATT&CK® techniques Red Canary observed this past year. Read our liner notes below, and listen to the full songs on Spotify!
Side 1: Threats
1. Charcoal Stork
“Stork Bite” by Andy Thorn
Our most prevalent threat of the year is more notable for its sheer numbers than any novel capabilities, but this suspected pay-per-installer can certainly drop some biting payloads.
2. Impacket
“You Need to Calm Down” by Taylor Swift
Ranking second for the second year in a row, the Impacket library of Python classes showed no signs of calming down in 2023, with significant changes made to its code repository.
3. Mimikatz
“Cat’s in the Cradle” by Harry Chapin
When Mimikatz is in the cradle, no set of credentials is safe.
4. Yellow Cockatoo
“good 4 u” by Olivia Rodrigo
Named by Red Canary in 2020, Yellow Cockatoo looked a little too happy and healthy in 2023, cracking our monthly top 10 six times.
5. SocGholish
“Java Jive” by The Ink Spots
SocGholish loves the java jive: malicious JavaScript in its drive-by downloads, to be exact.
6. ChromeLoader
“Fancy Footwork” by Chromeo
Like the members of Chromeo, ChromeLoader and its suspected delivery affiliate Charcoal Stork make for a dynamic duo.
7. Gamarue
“Birds Vs Worms” by Modest Mouse
Since Gamarue has been around for so long, we went with this appropriately titled Modest Mouse deep cut.
8. Qbot
“Linger” by The Cranberries
Last summer’s much-hyped Qbot takedown appeared to only last for a few weeks. Do you have to let it linger, Qbot affiliates? Do you have to?
9. Raspberry Robin
“Rockin’ Robin” by Bobby Day
As Raspberry Robin is often spread via USB drives, here’s an oldie for the boomers who still use those.
10. SmashJacker
“All Star” by Smash Mouth
SomeBODY once told us our browser was gonna roll us, unless we adopt better allowlist policies.
Side 2: Techniques
1. PowerShell (T1059.001)
“My Power” by Beyoncé and friends
Only Queen Bey is powerful enough to represent our most prevalent ATT&CK technique of the year, commanding some featured artists as well.
2. Windows Command Shell (T1059.003)
“Shell Shocked” by Juicy J, Wiz Khalifa, Ty Dolla $ign and others
This song from the “Teenage Mutant Ninja Turtles” soundtrack evokes how defenders can get “Shell Shocked” after discovering malicious use of cmd.exe.
3. Windows Management Instrumentation (T1047)
“Side to Side” by Ariana Grande
Given the lateral movement it enables, Windows Management Instrumentation (WMI) has got us walking side to side.
4. Cloud Accounts (T1078.004)
“Cloudbursting” by Kate Bush
Adversaries burst into cloud environments by creating highly permissioned accounts on a whim, often with the help of short-term tokens or API keys.
5. Obfuscated Files or Information (T1027)
“Hide and Seek” by Imogen Heap
Mmm whatcha say? Adversaries hide malicious code from signature-based detection tools with Base64 encoding, string concatenation, and other forms of obfuscation.
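The encoding tricks this entry alludes to are easy to undo once you know where to look. The following is an added example (not code from the report or from Red Canary) that decodes a PowerShell -EncodedCommand blob from a constructed process command line and flags a few common obfuscation patterns in the result. The sample command line and script are constructed for illustration; the flag abbreviations are the ones powershell.exe accepts for -EncodedCommand.

```python
import base64
import re

# powershell.exe accepts -EncodedCommand and its abbreviations (-e, -ec, -enc, ...).
def _is_encoded_flag(token: str) -> bool:
    if not token or token[0] not in "-/":
        return False
    flag = token[1:].lower()
    return flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag))


def build_encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.

    Splitting on whitespace is enough here because a Base64 blob contains no spaces.
    Invalid Base64 or non-UTF-16 payloads return None rather than raising.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            blob = tokens[i + 1].strip('"\'')
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Heuristics for the obfuscation styles mentioned above; signature tools that never
# decode the blob miss all of these.
_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")          # 'Inv'+'oke-Expression'
_NESTED_B64 = re.compile(r"\bFromBase64String\b", re.I)  # a second encoding layer
_IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)  # run whatever was rebuilt


def obfuscation_indicators(script: str) -> list:
    """Return the names of the obfuscation patterns present in a decoded script."""
    found = []
    if _CONCAT.search(script):
        found.append("string-concatenation")
    if _NESTED_B64.search(script):
        found.append("nested-base64")
    if _IEX.search(script):
        found.append("invoke-expression")
    return found


# Constructed sample (assumption: a typical "download and run" one-liner).
SAMPLE_SCRIPT = "$c=('Inv'+'oke-Exp'+'ression'); iex $c"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + build_encoded_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CMDLINE)
    print("decoded:", decoded)
    print("indicators:", obfuscation_indicators(decoded or ""))
```

Feed real command lines from process-creation telemetry into decode_encoded_command and alert on the decoded text, not the raw blob; the Base64 string changes every time the adversary touches the script, but the decoded Invoke-Expression does not.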
6. Email Forwarding Rule (T1114.003)
“emails I can’t send” by Sabrina Carpenter
Turns out Sabrina can’t send these emails because they’ve been moved to the RSS-Subscription folder.
8. Rundll32 (T1218.011)
“Born to Run” by Bruce Springsteen
Sprung from cages in System32—DLLs like us, baby we were born to run.
9. Ingress Tool Transfer (T1105)
“Transfer Affection” by A Flock of Seagulls
What can we say, we have a thing for bands with bird names.
10. Rename System Utilities (T1036.003)
“What’s My Name?” by Rihanna, featuring Drake
We can imagine adversaries humming this when deciding what to rename the system utilities they’re abusing. RiRi.exe would probably not blend in very well.
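A renamed binary still carries the name it was compiled with in its PE version resource, which process-creation telemetry such as Sysmon exposes as OriginalFileName. The following is an added example (not code from the report or from Red Canary) that runs that comparison over a handful of constructed process-creation records; the records, paths and the watch list of utilities are illustrative assumptions.

```python
import ntpath

# Utilities worth watching when they show up under an unexpected name (assumption:
# a short illustrative list, not an exhaustive one).
WATCHED_UTILITIES = {
    "rundll32.exe", "mshta.exe", "regsvr32.exe", "certutil.exe", "cmd.exe",
    "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
}

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\riri\AppData\Local\Temp\RiRi.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\riri\Downloads\svchost.exe", "OriginalFileName": "MSHTA.EXE"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Tools\setup.exe", "OriginalFileName": ""},  # no version info: cannot judge
]


def is_renamed_utility(event: dict) -> bool:
    """True when the on-disk name differs from the compiled-in name of a watched utility.

    Case-insensitive because Windows file names are. An empty OriginalFileName means the
    version resource is missing or was stripped, so the check abstains rather than guesses.
    """
    original = event.get("OriginalFileName", "").lower()
    if original not in WATCHED_UTILITIES:
        return False
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return on_disk != original


def find_renamed_utilities(events) -> list:
    """Return (Image, OriginalFileName) for every event that fails the name check."""
    return [(e["Image"], e["OriginalFileName"]) for e in events if is_renamed_utility(e)]


if __name__ == "__main__":
    for image, original in find_renamed_utilities(SAMPLE_EVENTS):
        print(f"renamed utility: {image} is really {original}")
```

OriginalFileName is only as trustworthy as the version resource it comes from; an adversary who rebuilds or patches the binary can change it, so pair this with a hash or signature check rather than relying on the name alone.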
Featured: Installer Packages (T1546.016)
“The Grand Parade of Lifeless Packaging” by Genesis
While they might appear lifeless, MSIX packages are prime delivery vehicles for malicious fake installers.
Featured: Kernel Modules and Extensions (T1547.006)
“Everybody Hates Linux” by Linux
We don’t hate Linux, not at all! But we understand the frustration around trying to secure the kernel might lead you to say so.
Featured: Escape to Host (T1611)
“The Sweet Escape” by Gwen Stefani and Akon
Escaping from a Linux container to its host must be quite a rush, enough for us to let out a Millennial whoop with Akon.
Featured: Reflective Code Loading (T1620)
“Mirrors” by Justin Timberlake
Adversaries leverage reflective code loading to avoid writing their payload to disk (or so they believe) and thus evade defensive controls, much like Justin Timberlake avoids Britney Spears fans.
Featured: AppleScript (T1059.002)
“Unwritten” by Natasha Bedingfield
Just like MTV’s “reality” show “The Hills,” much adversary activity on macOS is scripted. The rest? Still unwritten.
Bonus tracks: Trends
Ransomware
“Criminal” by Fiona Apple
What you need is a good defense: against ransomware precursors, that is.
Initial access tradecraft
“Wolfman’s Brother” by Phish
Like certain types of multi-factor authentication (MFA), the editors of this report are known to be Phish-resistant. But this year we relented after discovering a Phish song under five minutes long.
Identity attacks
“It Wasn’t Me” by Shaggy, featuring Rik Rok
If you spot nefarious activity coming from one of your employees’ accounts, rule out an identity compromise before pointing fingers. Their denials are likely more credible than Shaggy’s.
Vulnerabilities
“I Like to Move It” by Reel 2 Real
While new CVEs like the MOVEit zero day made headlines, adversaries exploited plenty of years-old (maybe less catchy) vulnerabilities throughout 2023 as well.
Stealers
“Jolene” by Dolly Parton
RedLine, RedLine, RedLiiiine: We’re begging you to not take our creds.
Remote monitoring and management (RMM) tools
“Scattered” by Green Day
No adversary made better use of remote monitoring and management (RMM) tools in 2023 than SCATTERED SPIDER; we hope to say Good Riddance to them in 2024.
API abuse in the cloud
“Just a Cloud Away” by Pharrell Williams
Once they access the API, adversaries are just a cloud away from your organization’s crown jewels.
Artificial intelligence (AI)
“Now and Then” by The Beatles
Among the things we have artificial intelligence (AI) to thank for in 2023: The release of a long lost Beatles song, new detection and response technologies, and a steady drip of existential dread.
Industry and sector analysis
“INDUSTRY BABY” by Lil Nas X featuring Jack Harlow
Does Lil Nas X make country music? Rap? Pop for the terminally online? We faced similar dilemmas when trying to accurately categorize our customers in our industry analysis.