We are often asked about the new adversary techniques we’re identifying and the research we are doing to hunt them down. We are excited to begin providing regular updates highlighting these improvements. 

When Red Canary's security operations team or researchers identify behaviors, indicators, or attributes that can be used to describe a potentially threatening event, they implement them as a Detector. A Detector may be very specific or very broad and tends to evolve over time.

We will be publishing these updates every one to two weeks in the Detector Updates section. An example of these updates is below:


=================================================

CREATED: WIN-POSSIBLE-MIMIKATZ-CLI

Description

Identifies instances of Mimikatz by matching command line elements common to Mimikatz execution.

References

ATT&CK Technique T1003

=================================================

CREATED: WIN-MSXSL-SCRIPT-EXECUTION

Description

Identifies malicious use of MSXSL.EXE, a command line utility that performs Extensible Stylesheet Language (XSL) transformations using the Microsoft XSL processor. MSXSL.EXE can be abused to execute malicious scripts locally or remotely.

References

ATT&CK Technique T1127
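To make the two Detector descriptions above concrete, here is an added toy implementation of both, run over a handful of constructed process-start events. This is example code written for this page, not Red Canary's detection logic: the event fields (`host`, `image`, `command_line`), the list of Mimikatz `module::command` tokens, and the two MSXSL heuristics (a stylesheet or source fetched over HTTP(S), or a stylesheet argument without a `.xsl` extension) are all assumptions chosen to illustrate the "command line elements" the descriptions refer to. The sample hostnames, paths and URLs are made up.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the executable that started (assumed field)
    command_line: str   # command line recorded by the endpoint sensor (assumed field)


# Assumed: publicly documented Mimikatz module::command tokens. The page only
# says "command line elements common to Mimikatz execution"; this list is ours.
MIMIKATZ_TOKENS = (
    "privilege::debug",
    "sekurlsa::logonpasswords",
    "lsadump::sam",
    "kerberos::ptt",
)


def detect_mimikatz_cli(event):
    """Toy WIN-POSSIBLE-MIMIKATZ-CLI: return the Mimikatz tokens found in the
    command line. The image name is deliberately ignored because the binary is
    routinely renamed; the module::command syntax is the more stable element."""
    cl = event.command_line.lower()
    return [tok for tok in MIMIKATZ_TOKENS if tok in cl]


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _positional_args(command_line):
    """Split an msxsl command line into positional arguments, dropping options
    (-o consumes the following output-file argument). A whitespace split is
    enough for the constructed samples; real telemetry with quoted paths needs
    a proper Windows argv parser."""
    tokens = command_line.split()[1:]  # drop the executable itself
    positional, skip_next = [], False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("-"):
            skip_next = tok.lower() == "-o"
            continue
        positional.append(tok)
    return positional


def detect_msxsl_script(event):
    """Toy WIN-MSXSL-SCRIPT-EXECUTION: return reasons to flag an msxsl.exe
    invocation (empty list if none). Both heuristics are assumptions: a source
    or stylesheet fetched over HTTP(S), or a stylesheet argument whose
    extension is not .xsl (script carried in a renamed file)."""
    if _basename(event.image) != "msxsl.exe":
        return []
    args = _positional_args(event.command_line)
    reasons = []
    for arg in args[:2]:  # msxsl takes <source> <stylesheet> first
        if urlparse(arg).scheme in ("http", "https"):
            reasons.append(f"remote resource: {arg}")
    if len(args) >= 2 and not args[1].lower().endswith(".xsl"):
        reasons.append(f"stylesheet without .xsl extension: {args[1]}")
    return reasons


def run_detectors(events):
    """Apply both detectors and return (host, detector, detail) alerts."""
    alerts = []
    for ev in events:
        hits = detect_mimikatz_cli(ev)
        if hits:
            alerts.append((ev.host, "WIN-POSSIBLE-MIMIKATZ-CLI", ", ".join(hits)))
        reasons = detect_msxsl_script(ev)
        if reasons:
            alerts.append((ev.host, "WIN-MSXSL-SCRIPT-EXECUTION", "; ".join(reasons)))
    return alerts


# Constructed sample events (not real telemetry); hosts, paths and URLs are made up.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Users\Public\svc.exe",
                 'svc.exe "privilege::debug" "Sekurlsa::LogonPasswords" exit'),
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users"),
    ProcessEvent("ws02", r"C:\Tools\msxsl.exe",
                 "msxsl.exe http://example.invalid/data.xml http://example.invalid/style.xsl"),
    ProcessEvent("ws03", r"C:\Temp\msxsl.exe",
                 r"msxsl.exe C:\Temp\report.xml C:\Temp\report.txt"),
    ProcessEvent("ws04", r"C:\Tools\msxsl.exe",
                 r"msxsl.exe C:\Data\in.xml C:\Data\table.xsl -o C:\Data\out.html"),
]

if __name__ == "__main__":
    for host, detector, detail in run_detectors(SAMPLE_EVENTS):
        print(f"{host}: {detector} -> {detail}")
```

Running it produces one Mimikatz alert for the renamed `svc.exe` (the tokens match regardless of image name) and two MSXSL alerts (one for the remote stylesheet, one for the `.txt` stylesheet), while the ordinary `cmd.exe` and the legitimate local transform stay quiet. The detectors are intentionally broad, which is the trade-off the text describes: a Detector starts wide and is tuned as false positives surface.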
