24/7/365 threat detection and response across your cloud, identity, endpoints and everything in-between. We got you: bit.ly/44icmuy

Today, Red Canary officially joins the @zscaler family! 🎉 We are thrilled to mark this incredible milestone and join forces with the leader in cloud security to deliver unified security operations to help our customers strengthen their cyber defenses. Zscaler and Red Canary will enable the industry’s most advanced SOC capabilities, setting a new standard for the future of the security landscape. As we take this big step forward, one thing will always remain true: We got you! 💪 bit.ly/46y8BD5
Introducing VSCode-ATT&CK, a new open source plug-in that lets you query the @MITREattack framework without clicking out of your code editor. bit.ly/3g9epIU
The Red Canary 2021 Threat Detection Report is now available. Use this in-depth look at the most prevalent ATT&CK® techniques to help you and your team focus on what matters most. bit.ly/3m825JW
Over the past few hours, we’ve observed malicious phishing emails associated with the delivery affiliate TR in multiple customer environments. The infection scheme was consistent, executing in the following pattern: OneDrive phishing page -> ZIP download -> malicious XLSB -> Qbot
From the folks that brought you Atomic Red Team, Chain Reactor is a new open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints. redcanary.com/blog/chain-rea…
Silver Sparrow is a cluster of activity that includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a malicious payload. redcanary.com/blog/clipping-… #RCintel
Protecting Linux from cyber attacks critical tactic #7: Harden your Linux system. For more critical tactics, take a look at our Linux Security Checklist: redcanary.com/resources/guid…
DETECTION OPP: We’re seeing increased Qbot activity, including new TTPs that we haven’t previously associated with this threat. While we haven’t observed the ultimate payload delivered by Qbot, this trend is concerning given that Qbot is often a precursor to Conti ransomware. 1/6
Considering the spate of recent ransomware incidents affecting hospitals, we decided to share the ten detection analytics that helped us stop one earlier this month. redcanary.com/blog/how-one-h… #Ryuk
The 2022 Threat Detection Report is out! Join us in counting down the most prevalent threats we encountered in our customers' environments last year. We'll reveal a new threat every hour in this thread (Or just download the report & see them all now) redcanary.com/resources/guid…
The #BumbleBee dropper/downloader continues to change. We’re now seeing odbcconf.exe load the malicious DLL (rather than Rundll32). While odbcconf.exe can execute DLL files, we don’t commonly observe it doing so in the wild, so this is an interesting change! #RCIntel
Mimikatz ascends the threat ranks, Emotet increases phishing campaigns, and the new Coral Crane activity cluster emerges. Check out January's Intelligence Insights: redcanary.com/blog/intellige…
✨ Red Canary ➕ @zscaler Today we are announcing Zscaler’s agreement to acquire Red Canary. It’s a major milestone in our journey. This is a significant step forward in our mission to improve security operations, not just for our customers, but for the entire cybersecurity community. 🧵⬇️
SQUIRRELWAFFLE is a malware loader that first emerged in September 2021 and is often a delivery mechanism for Qbot. We’ve seen it rapidly deliver Cobalt Strike and Bloodhound, which we frequently observe preceding impactful threats like ransomware. 1/4
The 2023 Threat Detection Report is out! Here are the top 10 threats we observed across our customer environments last year. How does this compare with what you observed? redcanary.com/resources/guid…
New from @jsecurity101: MSRPC to ATT&CK is an encyclopedia of comprehensive context about specific Remote Procedure Call protocols. redcanary.com/blog/msrpc-to-…
New from @jsecurity101: Nearly all activity in Windows can be tied back to an identity using access tokens. Therefore, having the ability to track a token back to its source would provide invaluable visibility for incident response, detection, and more. redcanary.com/blog/access-to…
New blog from @likethecoins: While ingesting feeds of indicators or identifying state-sponsored adversaries can be part of your approach, cyber threat intelligence is a much broader field than any specific tool or data source. redcanary.com/blog/intel-tea…
Security teams can now generate macros in #AtomicRedTeam to test their ability to observe and detect emerging initial access techniques. Major thanks to @enigma0x3 and @Carlos_Perez, whose macro-builder and -techniques are used in these tests. hubs.ly/H0kw3JY0
Not all DLLs are created equally. Learn the basics of the Windows architecture. hubs.ly/H09qBgS0
In our third Diary of a Detection Engineer, @mattifestation and @StarSlaughter invite you to an official meeting of the SOC Analysts club! bit.ly/2SFc7b3
Any security team that's working to adopt @MITREattack should consider these four free and compatible tools: hubs.ly/H0hvPwS0
What does lateral movement using WinRM & WMI look like? How to detect & mitigate this threat. #ThreatyThreatThursday hubs.ly/H09J4v10
Adversaries game the natural search order by relocating binaries outside of the System32 directory. @M_haggis and Shane Welcher created some detection logic to help you sniff out malicious DLLs. bit.ly/3yYoP56
We're partnering with @CarbonBlack_Inc to bring you 'Threat Hunting with ATT&CK™', a 3-part webinar series. Attend to learn how top security teams use @MITREattack as a roadmap to mature and expand their threat hunting programs. Learn more and register: hubs.ly/H0dthlF0
SocGholish reclaims the top spot, Redline activity is on the rise, and detections associated with Raspberry Robin increase...all of this and more in the latest edition of Intelligence insights from #RCIntel. redcanary.com/blog/intellige…
We’ve detected suspicious activity in multiple environments today, and, while we haven’t yet observed a payload, we’re concerned the activity may be the result of Exchange Server compromise. 1/7 #RCintel
BOLO for increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware. If you see Qbot & recon/Cobalt Strike activity, move fast because a ransomware payload may be imminent. Behavioral analytics & detection opportunities in this thread. #RCintel #qakbot
Qbot climbs in threat rankings, Emotet is back, and an ADSelfService Plus RCE vulnerability likely increased detections involving webshells. Read the full December intelligence insights now: redcanary.com/blog/intellige…
First identified by @timmedin nearly a decade ago, "Kerberoasting" remains a popular post-exploitation technique among ransomware groups like Conti. We chatted with Tim about relevant data sources and how to fill in visibility gaps with #AtomicRedTeam. redcanary.com/blog/marshmall…
SocGholish falls from first place, Yellow Cockatoo rebounds, and Qbot campaigns leverage Windows Installer packages. All of this and more in the latest edition of Intelligence Insights from #RCIntel redcanary.com/blog/intellige…
Like others in the community, we’ve seen exploitation of VMware Horizon today. In addition to looking for the IP 185.112.83[.]116, you can also detect this in endpoint telemetry by looking at the PowerShell command line that spawns from `ws_tomcatservice.exe`. 1/6
Getting word of mass exploits against VMware Horizon with C2 (#CobaltStrike) to 185.112.83.116|80 & 8080. Potentially log4j related. Anyone else seeing similar?
NEW: @mattifestation and @AstleJimmy shine a light on Microsoft’s Antimalware Scan Interface (AMSI), which can help defenders zero in on in-memory payloads. redcanary.com/blog/amsi/
Invoke-AtomicRedTeam started as a framework for executing atomic tests. Now it's much more than that, so we spun it out as its own open source project. Here are some key new features: redcanary.com/blog/invoke-at…
PowerShell reclaimed its place as the most prevalent technique we detected in 2023, as adversaries continued abusing the tool to execute commands and evade defenses. Learn more in the 2024 Threat Detection Report: redcanary.com/threat-detecti…
There's an overwhelming amount of information on Exchange server exploitation and web shell activity. Based on our observations, here's some simple guidance on remediation, detection, and categorizing activity clusters: bit.ly/2OGNkAY #RCintel
The 2024 Threat Detection Report is out! Featuring actionable insights for the most prevalent cyber threats and ATT&CK techniques your security team is likely to encounter. Read the full report now: redcanary.com/threat-detecti…
Red Canary recently introduced eBPF to our Linux sensor. At a high level, @FridayOrtiz explains what eBPF is and how it helps us protect our customers. redcanary.com/blog/ebpf-for-…
Best practices for Linux threat detection: 🕵️‍♂️ Focus on distinguishing between an administrator and an adversary 📈 Develop detectors that identify anomalies in activity 🏷️ Explore alternative ways of grouping processes redcanary.com/blog/linux-sec…
NEW BLOG ALERT: Introducing the Next Chapter of Atomic Red Team @subTee @M_haggis @brianebeyer #AtomicRedTeam hubs.ly/H0cF8pm0
Hundreds of security researchers have used our VSCode-ATT&CK plug-in to access the @MITREattack framework from the comfort of their code editor. Here are some new features that have been added to the tool over the last few months. (1/5) redcanary.com/blog/vscode-at…
Red Canary ATT&CKs (Part 1): Why We’re Using ATT&CK Across Red Canary: hubs.ly/H09C4Fr0
We've gotten a ton of requests for access to Silver Sparrow samples. We didn't link to them when we first published our research, but we've added links since. For convenience, you can find the samples here: Version 1: virustotal.com/gui/file/1dec… Version 2: virustotal.com/gui/file/c7dd…
Threat Detection 3163: Using Alternate Data Streams to Bypass User Account Controls redcanary.com/blog/using-alt…
After working hundreds of short term incident response engagements, we’ve learned a lot about how to prevent and mitigate ransomware infections. Here's a ransomware survival guide. bit.ly/2Ek5qEp
3 Practical Ways for Lean Security Teams to Boost Their Defenses - via @subTee ow.ly/JK4Q30fteMU
Great tools for getting started with ATT&CK: 1. @M_haggis recommends @olafhartong's ThreatHunting 2. @subTee recommends PoSh_ATTCK by @SadProcessor 3. @kwm recommends @MITREattack Navigator 4. @verri3r recommends #AtomicRedTeam chain reactions hubs.ly/H0hwZNc0
In Oct. we observed a lot of the same threats we’ve grown accustomed to seeing each month. However, the end of the month saw a surge from a previously prolific phisher pushing a familiar foe: Qbot. Read more in our November Intelligence Insights: redcanary.com/blog/intellige…
LOLBins are a fascinating and somewhat scary concept because they are legitimate system tools that adversaries abuse to carry out cyberattacks…often undetected. This video explores some of the tricks adversaries use to haunt our digital domains. piped.video/watch?v=VhU3aYk3…
💡 Operational Atomic Red Team < hour per week 1.) Select a test: atomicredteam.io/atomics/ 2.) List relevant defensive telemetry sources 3.) Perform the test, review results, document 🔖 redcanary.com/blog/atomic-ha… 📊 Track progress with this free tool docs.google.com/spreadsheets…
Take a technical deep dive into the Windows API with analyst @Bewg12: ow.ly/i4an30dL2WD
We use eBPF at Red Canary to gather security telemetry directly from the Linux kernel. Now you can too. redcanary.com/blog/ebpf-for-…
Kicking off a new blog series, @mattifestation breaks down one detection engineer's thought process in determining whether a Mimikatz executable is malicious or not. bit.ly/3t0JOAf
We’re exploring one of the year’s most prevalent MITRE ATT&CK® techniques: PowerShell. Learn how adversaries abuse the Windows configuration management framework and how you can observe and detect malicious and suspicious commands and behaviors. piped.video/FDpAAY8haUU
With help from our partners @KrollWire, #RCIntel analyzed a BlackByte ransomware sample and uncovered details about its initial access, post-exploitation, and exfiltration phases prior to encryption. redcanary.com/blog/blackbyte…
Due to its privileges, the Windows NT AUTHORITY\SYSTEM account is a juicy target for adversaries across all versions of Windows operating systems. @ForensicITGuy walks through how to hunt for telltale GetSystem commands in offsec tools. bit.ly/3op7sVi
In the second edition of Better know a data source, @jsecurity101 makes a case for monitoring process integrity levels, particularly between parent and child processes. redcanary.com/blog/process-i…
DarkGate emerged as the #6 threat in our Intelligence Insights last month. Our Intel team identified a detection opportunity for this new malware-as-a-service (MaaS). Read more: redcanary.com/blog/intellige…
The Atomic Red Team community's been asking for a Python execution framework for years. Earlier this month, @MSAdministrator and @swimlane delivered. Atomic Operator is an open source, python-based framework for executing atomics across platforms. redcanary.com/blog/atomic-op…
Detecting precursor activity is a great way to diminish or prevent a ransomware outbreak. One behavior we’ve encountered in numerous IR engagements involves adversaries renaming a popular file sharing utility, and here’s how you can detect it. #RCintel | #incidentresponse 1/6
[NEW BLOG] How To Threat Hunt For PsExec, Other Lateral Movement Tools by @ForensicITGuy hubs.ly/H0fBpSc0
What does a typical cloud intrusion actually look like? Watch clips from our latest Detection Series webinar on prevalent cloud techniques. redcanary.com/blog/cloud-att…
📈 We've seen a spike in LummaC2 stealer activity over the last two months. Get detection guidance and more in this month's edition of Intelligence Insights. redcanary.com/blog/threat-in…
NEW from @mattifestation: "Effective threat research is built on a foundation of asking specific, deliberate questions in an attempt to reduce a broad objective into something more achievable, measurable, and resilient against evasion." bit.ly/3oyVBUl
Kicking off a new series highlighting the most fruitful endpoint data sources for threat detection, @mattifestation goes deep into one of the most omnipresent: process command line. redcanary.com/blog/process-c…
The free-to-use software is intended to help researchers monitor and analyze macOS system events, much like ProcMon for Windows systems. Join @PartyD0lphin and Matt Graeber for a webinar on how to use a new, free tool, RedRoc. redcanary.com/resources/webi…
The Atomic Red Team maintainers are excited to launch atomic tests for @MITREattack techniques used on cloud and containers! bit.ly/3x36Nxg
NEW from @RCintel: @ForensicITGuy and @LaurenLeigh522 analyze a Gootloader sample and provide detection opportunities for follow-on activity. redcanary.com/blog/gootloade…
We're proud to share this great piece of news. Congratulations to @likethecoins and the full list of winners and nominees. Our security community is better because of your dedication and leadership.
Congratulations to Katie Nickels (@likethecoins) on her @CyberScoopNews award for Cyber Industry Leadership! 🎉 Read the full list of winners here: cyberscoop.com/announcing-20…
Director of Intelligence for Red Canary, @likethecoins, tries to focus her team’s time and efforts not on alarming rhetoric about ransomware attacks but rather developing an actionable, rapid response. H/T @SCMagazine scmagazine.com/feature/advoc…
Whether you spell out M-S-H-T-A or pronounce it "Mish-ta," the Windows built-in binary for executing Microsoft HTML Application (HTA) script code is worth keeping an eye on. 👀 Lately, adversaries have been leveraging mshta.exe in paste-and-run (aka Clickfix or fakeCAPTCHA) campaigns. 🔎 Learn what to look for in your environment in this year's 2025 Threat Detection Report: redcanary.com/threat-detecti… 🎬 Watch the full video with Principal Threat Researcher Matt Graeber here: piped.video/vkFsn1KcEto
Communication skills are often overlooked by “technical” teams that are hiring, but writing, briefing, and creativity bring invaluable insight to any cybersecurity role. redcanary.com/blog/strong-co…
NEW: "Yellow Cockatoo" is Red Canary Intel's name for a cluster of activity executing an in-memory .NET RAT on victim machines across a wide range of industries. Detection opportunities abound! bit.ly/3oqFEzG
#RedCanaryBookClub 📚 - If you are getting started in cybersecurity operations, evolving your existing SOC, or engaging with a SOC regularly may we recommend "11 Strategies of a World-Class Cybersecurity Operations Center"
Side-by-side comparison of @MITREcorp’s and our top 20 @MITREattack techniques:
Detection engineer @wilyhanshan was working his way through the queue when a peculiar event caught his eye. The event—he would later learn—was a likely precursor to a known ransomware payload that had recently surfaced in the wild. redcanary.com/blog/bitsadmin…
Big news y'all: @Cyb3rWard0g will be hosting our next Atomic Friday on December 11! Join us for a deep dive into @Mordor_Project and learn strategies for expediting data analysis. bit.ly/33AKlil
What is Raspberry Robin? Read on for high-fidelity opportunities to detect known behaviors, & background on how we decided to cluster this activity. redcanary.com/blog/raspberry…
We're hiring Threat Hunters! (Or thrunters if you're so inclined) jobs.lever.co/redcanary/428c… Our Intelligence team is growing too! jobs.lever.co/redcanary/19b9…
The security community is embracing the fact that whatever functional label you place on Cobalt Strike, it’s here to stay, it’s implicated in all variety of intrusions, and it’s our duty to defend against it. redcanary.com/threat-detecti…
Red Canary's @likethecoins and @ForensicITGuy will be discussing our recent Silver Sparrow research, including what we've learned since publishing. Tune in at 2pm EST today!
In honor of @taylorswift13's upcoming Eras Tour stop in Red Canary’s hometown of Denver, @Susannigans presents you with 13 reasons why Swifties should consider a career in cybersecurity: redcanary.com/blog/taylor-sw…
NEW BLOG ALERT: Threat Detection #9643: Cryptomining Enabled by Native Windows Tools @ForensicITGuy hubs.ly/H0c_rf30 #threatdetection #threatythreatthursday
The .NET framework includes rich offensive capabilities that adversaries aren’t yet using, but we’ve been thinking about detection anyway. redcanary.com/blog/detecting…
The Threat Detection Report is an actionable, interactive resource to help you understand the most prevalent trends, cyber threats, & adversary techniques. Get the 2024 report delivered as soon as it is published 👇 redcanary.com/resources/guid…