<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Elastic Security Labs - Reports</title>
        <link>https://www.elastic.co/cn/security-labs</link>
        <description>Trusted security news &amp; research from the team at Elastic.</description>
        <lastBuildDate>Tue, 21 Apr 2026 09:03:22 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <image>
            <title>Elastic Security Labs - Reports</title>
            <url>https://www.elastic.co/cn/security-labs/assets/security-labs-thumbnail.png</url>
            <link>https://www.elastic.co/cn/security-labs</link>
        </image>
        <copyright>© 2026. elasticsearch B.V. All Rights Reserved</copyright>
        <item>
            <title><![CDATA[What the 2025 Elastic Global Threat Report reveals about the evolving threat landscape]]></title>
            <link>https://www.elastic.co/cn/security-labs/elastic-publishes-2025-global-threat-report</link>
            <guid>elastic-publishes-2025-global-threat-report</guid>
            <pubDate>Wed, 08 Oct 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[The 2025 Elastic Global Threat Report provides current insights on adversary trends and defender strategies derived from real-world telemetry.]]></description>
            <content:encoded><![CDATA[<p>For the fourth consecutive year, Elastic Security Labs presents its <a href="https://www.elastic.co/cn/resources/security/report/global-threat-report">2025 Global Threat Report</a>, distilling real-world user telemetry to offer critical insights into the evolving threat landscape. This year's report delves into how AI is redefining threats, highlights areas where adversaries are intensifying their efforts, and provides actionable strategies for enterprises to proactively counter these emerging risks.</p>
<h2>Key highlights</h2>
<ul>
<li>
<p><strong>Adversary priorities on Windows are changing.</strong> The tactic category of <strong>Execution</strong> now accounts for <strong>nearly double</strong> its previous share and surpasses <strong>Defense Evasion</strong> as the top tactic.</p>
</li>
<li>
<p><strong>The cloud attack surface is highly concentrated.</strong> Over <strong>60% of all cloud security events</strong> boil down to just three adversary goals: Initial Access, Persistence, and Credential Access.</p>
</li>
<li>
<p><strong>Adversaries are weaponizing AI to lower the barrier to entry for cybercrime.</strong> We saw an <strong>increase in Generic threats</strong>, a trend likely influenced by adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools.</p>
</li>
<li>
<p><strong>The theft of browser credentials has industrialized.</strong> Our analysis of over 150,000 malware samples revealed that <strong>more than one in eight</strong> are designed to steal browser data. This isn't for isolated use; these credentials are the raw material fueling the <strong>access broker economy</strong>, providing a steady supply of keys for other attackers to compromise corporate cloud accounts.</p>
</li>
</ul>
<h3>What we learned from the report</h3>
<p>The security landscape is undergoing a rapid transformation. Adversaries’ AI-driven threat innovation is evolving at an accelerated pace via streamlined information synthesis and automated workflows. This is resulting in more diverse adversary capabilities and new, indirect avenues of access. AI’s role on both sides of the cyber battle is anticipated to shift significantly as these technologies become more widespread.</p>
<p>This report uncovers real-world threat activities, revealing a fundamental shift in how adversaries achieve success today. It also includes a new section describing our visibility from non-telemetry sources, highlighting which malware families and threat behaviors were seen externally.</p>
<p>Access brokers are increasingly using information stealers to maintain a distance from collective defense efforts, significantly escalating the risks of credential exposure through cloud storage and other services. Trojanized software, which represented about 61% of all malware samples observed, was a major contributor; the ClickFix methodology is one of the most common techniques used to deliver trojans and infostealers. More than 24% of malware samples on Windows represented named infostealer code families.</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/elastic-publishes-2025-global-threat-report/image2.png" alt="" /></p>
<p>Defense Evasion techniques have held the top spot for several years. This is attributed to improvements in detection and response capabilities that drive adversaries toward edge devices with a powerful capacity for exploit development. Execution rose to more than 32% of techniques followed by defense evasion at 23% and initial access around 19%. Together, these larger patterns reveal that attackers are investing in gaining a cheap foothold with minimum exposure and quickly running other malicious code. Scripts and browser-based techniques as well as SaaS compromise attempts show us another aspect of these threat trends and highlight areas where many enterprises could improve their defenses.</p>
<p>Threat profiles for BANSHEE, EDDIESTEALER, and ARECHCLIENT2 demonstrate how some of the most popular novel discoveries from the Elastic Security Labs team used infostealers. REF7707, a threat campaign involving the FINALDRAFT, PATHLOADER, and GUIDLOADER malware families, provides details about how an espionage-motivated threat evaded defenses using Microsoft’s GraphAPI for C2. Without the visibility shared by our customers, these threats may have made a much bigger impact before being revealed.</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/elastic-publishes-2025-global-threat-report/image4.png" alt="" /></p>
<h2>Navigate the AI-era threat landscape with Elastic</h2>
<p><a href="https://www.elastic.co/cn/security-labs">Elastic Security Labs</a> is dedicated to providing crucial, timely security research to the intelligence community. This report reveals a shift in the threat landscape — one in which AI is continuing to surface as a tool for both adversaries and defenders. With Elastic as your partner, this <a href="https://www.elastic.co/cn/resources/security/report/global-threat-report">2025 Elastic Global Threat Report</a> empowers you to make informed decisions on how best to address these evolving threats.</p>
<p><em>The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.</em></p>
<p><em>In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.</em></p>
<p><em>Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.</em></p>]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/elastic-publishes-2025-global-threat-report/gtr-w.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Now available: the 2025 State of Detection Engineering at Elastic]]></title>
            <link>https://www.elastic.co/cn/security-labs/state-of-detection-engineering-at-elastic-2025</link>
            <guid>state-of-detection-engineering-at-elastic-2025</guid>
            <pubDate>Thu, 24 Apr 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[The 2025 State of Detection Engineering at Elastic explores how we create, maintain, and assess our SIEM and EDR rulesets.]]></description>
            <content:encoded><![CDATA[<p>We’ve been working hard at Elastic Security Labs! We've just published a brand new report: <a href="https://www.elastic.co/cn/resources/security/report/state-of-detection-engineering-at-elastic"><strong>the 2025 State of Detection Engineering at Elastic</strong></a>. This report gives readers an exclusive look into the work of developing and maintaining our pre-built <a href="https://elastic.github.io/detection-rules-explorer/">SIEM Detection</a> rules and <a href="https://github.com/elastic/protections-artifacts/tree/main/behavior">Endpoint Protection Behavior</a> rulesets.</p>
<p>In this report, you'll get an inside look at how we work to keep our users protected and gain valuable insights into the world of detection engineering, like:</p>
<ul>
<li>How we analyze real-world threats, like the CUPS vulnerability and Windows Local Privilege Escalation.</li>
<li>Our robust rule development strategies, including automation and the <a href="https://www.elastic.co/cn/security-labs/elastic-releases-debmm">Detection Engineering Behavioral Maturity Model (DEBMM)</a>.</li>
<li>Enhancements to <a href="https://www.elastic.co/cn/security">Elastic Security</a> through integration enrichments with AWS, Okta, and more.</li>
<li>Our internal metrics and evaluation processes for ensuring rule effectiveness.</li>
<li>Our partnership with the <a href="https://www.elastic.co/cn/resources/security/report/global-threat-report">Elastic Global Threat Report</a> and our future plans, including AI threat detection.</li>
</ul>
<p>This report represents a full year of our detection engineering efforts, from October 2023 to October 2024. We chose this timeframe to capture our work following the 2023 Elastic Global Threat Report and gather enough data to identify meaningful patterns.</p>
<p>We collected and analyzed all the contextual data from an entire year’s worth of detection engineering efforts to build out the story of what we do and how we do it. Security Labs threat research publications, GitHub metadata from activity across our rules repos, alert telemetry, and operational metric data are all used to both guide and assess our detection engineering efforts. We also conducted a series of interview-style conversations with the threat researchers, detection engineers, and developers behind the data. We wanted to dive deep into the specifics and gather the details of the processes behind the outputs (detection rules, threat research articles, etc.) that our customers see. Then we put these details together to create a cohesive story that might benefit the larger community.</p>
<p>We’re pulling back the curtain on our detection engineering practices, going beyond the traditional survey-style State of Detection Engineering report. By revealing this information — information that security tool creators often keep private — we aim to demonstrate our commitment to our users and reinforce the fact that you are not alone in your security journey. We’re right here with you, every step of the way.</p>
<h2>The discussion continues</h2>
<p>Elastic Security Labs is dedicated to providing in-depth research to the security community — whether you’re an Elastic customer or not. By sharing the details of how we manage and leverage the Elastic Security solution, we hope to spark a broader conversation around detection engineering and encourage the community to hold our work accountable. If you’re interested in a broader look at the report, you can check out the <a href="https://www.elastic.co/cn/blog/state-of-detection-engineering-at-elastic-2025">blog on Elastic</a>.</p>
<p><a href="https://www.elastic.co/cn/resources/security/report/state-of-detection-engineering-at-elastic">Download the free report</a>, and <a href="https://x.com/elasticseclabs">join the conversation</a>!</p>]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/state-of-detection-engineering-at-elastic-2025/header.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Elastic publishes 2024 Global Threat Report]]></title>
            <link>https://www.elastic.co/cn/security-labs/elastic-publishes-2024-gtr</link>
            <guid>elastic-publishes-2024-gtr</guid>
            <pubDate>Tue, 01 Oct 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Elastic Security Labs has released the 2024 Elastic Global Threat Report, surfacing the most pressing threats, trends, and recommendations to help keep organizations safe for the upcoming year.]]></description>
            <content:encoded><![CDATA[<p><em>Elastic Security Labs discovers that threat actors are taking advantage of readily available and commonly abused security tools, and misconfigured environments.</em></p>
<p>Elastic Security Labs has released the <a href="http://www.elastic.co/cn/blog/elastic-global-threat-2024">2024 Elastic Global Threat Report</a>, surfacing the most pressing threats, trends, and recommendations to help keep organizations safe for the upcoming year. Threat actors are finding success from the use of offensive security tools (OSTs), a misconfiguration of cloud environments, and a growing emphasis on Credential Access. This report explores key telemetry from over a billion data points with emphasis on malware trends, adversary tactics, cloud security, and generative AI curated by Elastic Security Labs.</p>
<p>Read the <a href="http://www.elastic.co/cn/blog/elastic-global-threat-2024">announcement</a> and <a href="https://www.elastic.co/cn/resources/security/report/global-threat-report">download</a> the 2024 Elastic Global Threat Report to gain an in-depth understanding of the threat landscape.</p>]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/elastic-publishes-2024-gtr/2024-gtr.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Fall 2023 Global Threat Report Outro]]></title>
            <link>https://www.elastic.co/cn/security-labs/fall-2023-global-threat-report-outro</link>
            <guid>fall-2023-global-threat-report-outro</guid>
            <pubDate>Thu, 19 Oct 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[This article highlights the essential contributions to the Global Threat Report from the Security Intelligence team, and describes three major phenomena impacting the threat landscape.]]></description>
<content:encoded><![CDATA[<p>After months of diligent work, Elastic Security Labs is excited to announce the publication of the <a href="https://www.elastic.co/cn/explore/security-without-limits/2023-global-threat-report">October 2023 Global Threat Report</a>. For our second annual publication of this kind, we knew it was going to be a greater effort: not only did the volume of events increase more than 1000%, we had entirely new types and depth of visibility from features released since our inaugural report.</p>
<p>It goes without saying (but let’s say it for good measure) that none of this would be possible without our users sharing more than one billion security events each year with us. And it certainly wouldn’t be possible without our Elastic colleagues who make our powerful world-spanning capability.</p>
<p>One essential contributor is the Threat Research and Detection Engineering team (TRaDE), who develop features like rules and investigation guides, and assigned the legendary <a href="https://twitter.com/_xDeJesus">Terrance DeJesus</a>. Terrance was instrumental in creating the inaugural report, applying his <a href="https://www.elastic.co/cn/security-labs/google-workspace-attack-surface-part-one">cloud attack surface expertise</a> and security operations experience to this process. Another crucial team is Security Data Analytics (SDA), which is responsible for all the systems that enable us to analyze telemetry. <a href="https://twitter.com/c_donaher">Chris Donaher</a> leads SDA by day (also by night, technically), and helped us comb through hundreds of millions of events this year.</p>
<p>The work from these teams and the rest of Elastic Security Labs shows our commitment to providing security teams with actionable intelligence about threat phenomena so they can better prepare for, resist, and evict threats. By democratizing access to knowledge and resources, including publications like the Global Threat Report, we hope to demonstrate a more effective way to improve security outcomes. We’re more secure together and we can’t succeed without each other.</p>
<p>In our observations, we identified the following factors as reactions to security innovations that are making environments hostile to threats:</p>
<ul>
<li>Heavy adversary investments in defense evasion like using built-in execution proxies to run malicious code, masquerading as legitimate software, and software supply-chain compromise</li>
<li>Significant research devoted to bypassing, tampering with, or disabling security instrumentation</li>
<li>Increased reliance on credential theft to enable business email and cloud-resource compromise, places where endpoint visibility is not generally available</li>
</ul>
<h3>Defense Evasion</h3>
<p>During the development of our inaugural Global Threat Report last year, we were surprised to see how often adversaries used a defense evasion capability regardless of the industry or region they targeted. After analyzing events from thousands of different environments all over the world, we better understood that defense evasion was a reaction to the state of security. It was a trend we saw again this year, just one of several forces shaping the threat landscape today.</p>
<p>More than 43% of the techniques and procedures we observed this year were forms of defense evasion, with <a href="https://attack.mitre.org/techniques/T1218/">System Binary Proxy Execution</a> representing almost half of those events. These utilities are present on all operating systems and facilitate code execution; some common examples include software that interprets scripts, launches DLLs, and executes web content.</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/fall-2023-global-threat-report-outro/image2.png" alt="Figure 1. Top defense evasion techniques" /></p>
<p><a href="https://www.elastic.co/cn/security-labs/revisiting-blister-new-developments-of-the-blister-loader">BLISTER</a>, which is a malware loader associated with financially-motivated intrusions, relied on the <em>rundll32.exe</em> proxy built into every version of Microsoft Windows to launch their backdoor this year. The BLISTER loader is a useful example because its authors invested a great deal of energy encrypting and obfuscating their malicious code inside a benign application. They fraudulently signed their “franken-payload” to ensure human and machine mitigations didn’t interfere.</p>
<h3>Endpoint tampering</h3>
<p>This year we also saw the popularity of Bring Your Own Vulnerable Driver (BYOVD), which was <a href="https://www.elastic.co/cn/security-labs/forget-vulnerable-drivers-admin-is-all-you-need">described</a> by <a href="https://twitter.com/GabrielLandau">Gabe Landau</a> in a recent publication and provides a way to load an exploitable driver on Windows systems. Drivers run with system-level privileges but what’s more interesting is how vulnerable drivers can be used to disable or <a href="https://thehackernews.com/2023/04/ransomware-hackers-using-aukill-tool-to.html">tamper with security tools</a>. It won’t be long before more adversaries pivot from using this capability to launch malware and instead use it to uninstall security sensors.</p>
<p>To see this in action, look no further than your friendly neighborhood ransomware-as-a-service ecosystem. SOCGHOLISH, the group associated with BLISTER coincidentally, is one of multitudes that grew out of startup digs and became a criminal enterprise. Most of the ransomware we see is related to these kinds of services, and even as one gets disrupted it seems another is always emerging to take its place.</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/fall-2023-global-threat-report-outro/image1.png" alt="Figure 2. Most frequently seen ransomware infections" /></p>
<p>This is, in a very literal sense, a human phenomenon. Threats that endure periods of security innovation and disruption seem to do so by learning not to be caught, and one strategy of mature threats is to move edge-ward to Internet-facing systems, network devices, appliances, or cloud platforms where visibility is less mature. Consider the cost and relative risk of the following options: develop a feature-rich multiplatform implant with purposeful capabilities or purchase account credentials from a broker.</p>
<h3>Credential Access</h3>
<p>Although only about 7% of the data we analyzed involved one form of credential theft or another, 80% of those leveraged built-in operating system features. With functioning stolen credentials, many threat groups can directly interact with an enterprise’s critical data to access email, steal intellectual property, or deploy cloud resources.</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/fall-2023-global-threat-report-outro/image3.png" alt="Figure 3. Commonly seen credential access techniques" /></p>
<p>Abusing stolen credentials has more utility today than ever before, given the widespread adoption of cloud for storage, productivity, code management, and authentication to third party services. For those threats that prioritize a low profile over other goals, credential theft is a shortcut with low exposure.</p>
<p>Insights like these, and many others, can be found in the 2023 Global Threat Report along with forecasts and threat profiles. Elastic Security Labs shares <a href="https://www.elastic.co/cn/security-labs/disclosing-the-bloodalchemy-backdoor">malware research</a>, <a href="https://www.elastic.co/cn/security-labs/unpacking-icedid">tools</a>, <a href="https://www.elastic.co/cn/security-labs/inital-research-of-jokerspy">intelligence analyses</a>, as well as <a href="https://www.elastic.co/cn/security-labs/peeling-back-the-curtain-with-call-stacks">detection science</a> and <a href="https://www.elastic.co/cn/security-labs/accelerating-elastic-detection-tradecraft-with-llms">machine learning/artificial intelligence</a> research.</p>
<p>You can <a href="https://www.elastic.co/cn/explore/security-without-limits/2023-global-threat-report">download the report</a> or check out our <a href="http://elastic.co/gtr">other assets</a>. Reach out to us on <a href="https://twitter.com/elasticseclabs">X</a> and get a deeper dive on the GTR results with our webinar <a href="https://www.elastic.co/cn/virtual-events/insights-from-the-2023-elastic-global-threat-report">Prepare for tomorrow: Insights from the 2023 Elastic Global Threat Report</a>.</p>]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/fall-2023-global-threat-report-outro/image4.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Now available: The LLM safety assessment]]></title>
            <link>https://www.elastic.co/cn/security-labs/elastic-security-labs-releases-llm-safety-report</link>
            <guid>elastic-security-labs-releases-llm-safety-report</guid>
            <pubDate>Sat, 06 May 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Check out the newest report from Elastic Security Labs, which explores how you can protect your organization from LLM threats.]]></description>
<content:encoded><![CDATA[<p>Today Elastic Security Labs publishes our <a href="https://www.elastic.co/cn/security/llm-safety-report?utm_source=labshome">LLM safety assessment report</a>, a research endeavor meant to collect and clarify information about practical threats to large language models. These forms of generative AI are likely to become ubiquitous in the near future, but we need to consider the security of them <strong>a little sooner</strong> than that.</p>
<p>One of the most immediate and significant challenges (and this is true of every new data source) is understanding the properties and characteristics of the data, if it exists. You can read more about that process in this <a href="https://www.elastic.co/cn/security-labs/embedding-security-in-llm-workflows">excellent</a> <a href="https://www.elastic.co/cn/security-labs/elastic-advances-llm-security">pair</a> of articles, which speak to a challenge many detection engineers are facing today.</p>
<p>New data sources are problematic in a unique way: with no visibility to rank malicious techniques by popularity, how does a detection engineer determine the most effective detections? Mapping fields and normalizing a data source is a good <strong>initial</strong> step that makes it possible to begin investigating; it's exciting to be a little closer to the answer today than we were yesterday.</p>
<p>Check out the new report, browse our <a href="https://www.elastic.co/cn/security-labs/topics/generative-ai">prior research</a> on this topic, and join us in preparing for tomorrow.</p>]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/elastic-security-labs-releases-llm-safety-report/image1.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Elastic publishes 2023 Global Threat Report Spring Edition]]></title>
            <link>https://www.elastic.co/cn/security-labs/elastic-publishes-2023-global-threat-report-spring-edition</link>
            <guid>elastic-publishes-2023-global-threat-report-spring-edition</guid>
            <pubDate>Fri, 28 Apr 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[This week, we’re publishing a new version of this report that’s online and interactive, which includes additional data covering the remainder of 2022, written using Elastic technologies.]]></description>
            <content:encoded><![CDATA[<p>Last November, Elastic <a href="https://www.elastic.co/cn/security-labs/2022-elastic-global-threat-report-announcement">published</a> our inaugural global threat report: a summary of threat trends, forecasts, and recommendations based on analyzing millions of telemetry events shared by users around the world. This report is an important part of our continued commitment to transparency, our mission to protect the world's data, as well as a snapshot of our global threat visibility.</p>
<p>This week, we’re publishing a new version of this report that’s <a href="https://ela.st/gtr">online</a> and interactive, which includes additional data covering the remainder of 2022, written using Elastic. We’d like to offer a few thoughts on this interactive report and share findings both forecasted and unexpected. Let’s take a look at the 2023 Global Threat Report Spring edition!</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/elastic-publishes-2023-global-threat-report-spring-edition/image1.png" alt="Elastic Global Threat Report Spring Edition" /></p>
<p>First, let’s talk about malware:</p>
<ul>
<li>We observed consistent trends throughout 2022, with the same approximate ratios of different malware types in all geographies</li>
<li>Trojans, cryptominers, and ransomware held the top spots</li>
<li>Linux and Windows continued to see higher rates of malware than MacOS</li>
</ul>
<p>Next, consider these cloud observations:</p>
<ul>
<li>Credential access attempts beat out every other tactic for Microsoft Azure, Google Cloud, and AWS, as forecast</li>
<li>Brute force techniques remained steady along with token theft</li>
</ul>
<p>But there were also a few new findings:</p>
<ul>
<li>Impairing defenses by tampering with cloud logging functionality was one of the most common techniques we observed in the later part of 2022 and continues into 2023</li>
<li>This likely impacted visibility of other techniques due to missing data sources, and is potentially a reaction to improvements in cloud logging</li>
<li>XMRig prevalence exploded on MacOS, likely as a result of macroeconomic conditions</li>
</ul>
<p>As excited as we are to begin work on the <em>next</em> Elastic Global Threat Report and review how well we forecasted 2023, it’s been energizing to close out the 2022 calendar year with a few surprises. Defense evasion is still the top tactic for endpoint, credential access is still king of cloud, and malware trends have stayed pretty consistent. <a href="https://ela.st/gtr">Check it out</a> yourself and learn a little bit about how Elastic’s Canvas technology simplifies visualization.</p>
<p>If you’re attending RSAC 2023 come visit us at booth #5879, and don’t forget to follow @elasticseclabs on Twitter.</p>
]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/elastic-publishes-2023-global-threat-report-spring-edition/download_(1).jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[2022 Elastic Global Threat Report Announcement]]></title>
            <link>https://www.elastic.co/cn/security-labs/2022-elastic-global-threat-report-announcement</link>
            <guid>2022-elastic-global-threat-report-announcement</guid>
            <pubDate>Wed, 30 Nov 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover our latest findings & strategic recommendations to better stay informed of potential directions threat actors may focus on.]]></description>
            <content:encoded><![CDATA[<p>Today Elastic Security Labs celebrates another milestone: launching the <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">2022 Elastic Global Threat Report</a>, our inaugural summary of threat trends, forecasts, and recommendations. We analyzed millions of telemetry events from sources around the world to share these insights with you; all part of our continued commitment to transparency, and our mission to protect the world's data.</p>
<p>You can find the report <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">here</a>, we're excited to share it with you.</p>
]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/2022-elastic-global-threat-report-announcement/gtr-blog-image-720x420.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[2022 Elastic Global Threat Report: Helping security leaders navigate today’s threat landscape]]></title>
            <link>https://www.elastic.co/cn/security-labs/2022-elastic-global-threat-report-helping-security-leaders-navigate-todays-threat-landscape</link>
            <guid>2022-elastic-global-threat-report-helping-security-leaders-navigate-todays-threat-landscape</guid>
            <pubDate>Wed, 30 Nov 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[A significant percentage of all cyber threats achieve a degree of success against technical, procedural, and human mitigations. So what is a company to do in the face of such unfavorable odds? Find out in this article.]]></description>
            <content:encoded><![CDATA[<p>As the threat landscape continues to evolve, the cybersecurity stakes for today’s organizations keep rising. Between Log4j, geopolitical tension, and increasing ransomware threats, security is not just at the top of the business agenda but also the societal agenda. Meanwhile, threat actors have adopted new capabilities and methods while increasing their cadence of activity.</p>
<p>Threat detection and response has come a long way since the network perimeter dissolved and the cloud took center stage. AI and machine learning, for example, have been major contributors to the advancement of cybersecurity. Machine learning is used to identify malicious behavior by modeling normal network and host activity and flagging deviations from it, improving overall threat detection.</p>
<p>What’s been difficult is the sea of sameness filled with vendors promising products to mitigate today’s threats while preparing for the next one. As the <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">2022 Elastic Global Threat Report</a> outlines, a significant percentage of all threats achieve a degree of success against technical, procedural, and human mitigations. So what is a company to do in the face of such unfavorable odds? At Elastic, we believe there are several ingredients that are critical to managing today’s threat landscape.</p>
<h2>Build a program, not just a tool</h2>
<p>Vendors need to start thinking about security products as more than software. They are part of a living, breathing program that requires care and feeding. For Elastic, it’s not just about shipping a solution; it’s about offering a holistic approach to security that happens to come with a great product. It’s sharing insights and best practices and creating a community focused on security data intelligence that extends the value of Elastic Security for customers.</p>
<p>The 2022 Elastic Global Threat Report is an important part of that program, and we’re excited to share our knowledge with the community. In addition to vital information from the Elastic Security Labs team, the report provides actionable guidance to security practitioners about how to maximize positive outcomes for their organizations.</p>
<h2>It takes an (open) community</h2>
<p>The foundation of any good program is a strong community that can support and foster it. Take Elastic’s commitment to open security, for example. The community born from vendors being transparent about their security controls, detection rules, and threat logic can be a force multiplier of best practices across the entire industry.</p>
<p>When vendors engage their experts with experts from across the broader security community about new threats they’ve observed or innovative methods for detecting nuanced attacks, it creates greater scalability of system defenses — not just for the enterprise but also for their customers.</p>
<p>For example, at Elastic we recently opened our Endpoint Security <a href="https://github.com/elastic/protections-artifacts">protections-artifacts repo</a>, adding to our already open <a href="https://github.com/elastic/detection-rules/tree/main/rules">detection-rules repo</a>, to foster further collaboration with our community and be transparent about how we protect users.</p>
<h2>Treat the cause, not the symptom</h2>
<p>Despite the ever-growing threat landscape and the risks that it poses, many organizations are still treating security symptoms instead of the cause. Companies can no longer afford to keep the security team siloed and separate from the engineering team. The two functions must work closely to build products and solutions that can withstand the barrage of advancing threats.</p>
<p>At Elastic, we design and build products with security in mind from the start, so it’s baked into every solution we ship to our customers. In fact, we take security so seriously that the office of InfoSec is part of the engineering organization.</p>
<p>We hope that the 2022 Elastic Global Threat Report will help you understand the important shifts in the threat landscape and provide the information you need to make your organization more resilient, prepared, and protected.</p>
<p><a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">Download the 2022 Elastic Global Threat Report</a>.</p>
]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/2022-elastic-global-threat-report-helping-security-leaders-navigate-todays-threat-landscape/gtr-blog-image-720x420.jpg" length="0" type="image/jpeg"/>
        </item>
        <item>
            <title><![CDATA[Behind the scenes: The making of a Global Threat Report]]></title>
            <link>https://www.elastic.co/cn/security-labs/behind-the-scenes-global-threat-report</link>
            <guid>behind-the-scenes-global-threat-report</guid>
            <pubDate>Wed, 30 Nov 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[What was our approach and process for creating a global threat report?]]></description>
            <content:encoded><![CDATA[<p>The first <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">Elastic Global Threat Report</a> was published earlier this week. In it, you will learn about trends observed by our threat researchers, our predictions for what’s coming next, and some of our recommendations to operate securely in the face of today’s and tomorrow’s threats. If you haven’t read it yet, go <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">check it out</a>.</p>
<p>As a technical leader in <a href="http://www.elastic.co/cn/security">Elastic Security</a>, I'd like to share a little about what goes into reports like this one and why it’s significant.</p>
<h2>Why did we do it?</h2>
<p>If you didn’t already know this, you know it now: Elastic is a security company. We are also different — we’re open and transparent. We share exactly how our detections and preventions work in the <a href="https://github.com/elastic/protections-artifacts">protections-artifacts</a> and <a href="https://github.com/elastic/detection-rules">detection-rules</a> repos. We’ve launched <a href="https://www.elastic.co/cn/security-labs/">Elastic Security Labs</a> and regularly publish our research, discoveries, and tools. Anyone can spin up a <a href="https://cloud.elastic.co/registration">trial</a> and try all our features — no barriers, no sales BS. This report is another way we’re bringing transparency to you. We want to empower you by sharing what we know and what we think is coming, and we will continue to expand the scope of what we share in the coming months.</p>
<h2>How'd we do it?</h2>
<p>Put simply, by analyzing a vast amount of data. Behind <a href="http://www.elastic.co/cn/security-labs">Elastic Security Labs</a> is a large team of malware and intelligence analysts, security engineers, researchers, data scientists, and other experts. This team builds and maintains all the protection features in Elastic’s security products: blocking malware, in-memory threats, ransomware, and other malicious behaviors. You name it, we do it. To do this effectively, we need visibility into how our features perform and what threats they’re coming in contact with. We get that visibility through anonymous telemetry shared with us by our users (as well as through research our team carries out on threat feeds and other public datasets).</p>
<p>Our researchers are in the telemetry data daily. Usually, we are focused on the performance of particular features, eliminating false positives and adding protection against emergent techniques, some of which you can learn about in our <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">threat report</a>. This battle never ends, and we don’t anticipate that changing any time soon.</p>
<h2>Why now?</h2>
<p>As our user base rapidly grew over the past year, we came to the conclusion that we now observe a significant percentage of all threats. Upon hitting that critical mass, we decided to peel off some of our best researchers to zoom out, analyze the totality of what we’ve seen, and determine if we had a story worth sharing. We felt we probably had something to contribute to the community’s collective understanding of the threat landscape, and as you read the report, we hope you agree that we were right to think that.</p>
<h2>Diving deeper</h2>
<p>With that backdrop, I can share a bit more about how a report like this comes to be. Under the leadership of <a href="https://twitter.com/_devonkerr_">Devon Kerr</a>, we built an eight-week plan to analyze and summarize the telemetry coming in from our various features. All our event telemetry data lives in Elasticsearch, which makes for straightforward summarization and visualization.</p>
<p>Data normalization was a significant challenge. This included filtering out excessively noisy endpoints so results aren’t skewed, ignoring data from test clusters, ignoring alerts for data which we later realized were false positives, pulling together signals from our full <a href="http://www.elastic.co/cn/security">Elastic Security</a> solution, and more. It wasn’t the most glamorous work in the world, but it was foundational to producing meaningful results at the end. We’ll plan for a couple of weeks in this phase again next time; it will always be a significant lift.</p>
<p>Once the data was in good shape, we extracted meaning from raw aggregations of a massive number of events to determine the insights worth sharing: the ones that help us understand the present state of the threat landscape. In particular, we wanted to explain the most prevalent threats we're seeing and put them in context. These are patterns that ebb and flow throughout the year, making an annual overview particularly useful for spotting the threats making the biggest impact. This led to the various charts and statistics laid out in the report. It took us a couple of weeks to settle on a list among the team.</p>
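<p>The normalization and aggregation steps described above, reduced to a runnable sketch. This is an added example, not Elastic's pipeline code, and it runs in memory rather than against Elasticsearch; the alert records, field names, cluster and host identifiers, the false-positive list and the per-host cap are all constructed assumptions, not a real telemetry schema. It applies the three filters the post names (test clusters, alerts later triaged as false positives, a cap on noisy endpoints) and then computes, per tactic, each technique's share of that tactic's alerts, which is the form the report's headline figures take.</p>

```python
"""Added example (not Elastic's code): normalize a constructed alert sample
the way the post describes, then aggregate technique prevalence per tactic."""
from collections import Counter, defaultdict

# Constructed sample alerts (hypothetical field names and identifiers).
# "technique" values are MITRE ATT&CK technique IDs.
SAMPLE_ALERTS = [
    {"id": "a1", "cluster": "prod-a", "host": "h1", "tactic": "defense-evasion", "technique": "T1036"},
    {"id": "a2", "cluster": "prod-a", "host": "h1", "tactic": "defense-evasion", "technique": "T1218"},
    {"id": "a3", "cluster": "prod-a", "host": "h2", "tactic": "defense-evasion", "technique": "T1036"},
    {"id": "a4", "cluster": "prod-a", "host": "h2", "tactic": "defense-evasion", "technique": "T1070"},
    {"id": "a5", "cluster": "prod-b", "host": "h3", "tactic": "credential-access", "technique": "T1003"},
    {"id": "a6", "cluster": "prod-b", "host": "h3", "tactic": "credential-access", "technique": "T1003"},
    {"id": "a7", "cluster": "prod-b", "host": "h4", "tactic": "credential-access", "technique": "T1110"},
    # Alert from a test cluster: must not count toward the landscape.
    {"id": "a8", "cluster": "test-lab", "host": "h9", "tactic": "defense-evasion", "technique": "T1036"},
    # Alert later triaged as a false positive.
    {"id": "a9", "cluster": "prod-a", "host": "h5", "tactic": "defense-evasion", "technique": "T1218"},
] + [
    # One noisy endpoint firing the same obfuscation rule ten times.
    {"id": f"n{i}", "cluster": "prod-b", "host": "h6", "tactic": "defense-evasion", "technique": "T1027"}
    for i in range(10)
]

TEST_CLUSTERS = {"test-lab"}          # assumption: clusters known to be lab/test
FALSE_POSITIVE_IDS = {"a9"}           # assumption: alert ids later judged benign


def normalize(alerts, test_clusters=TEST_CLUSTERS,
              false_positive_ids=FALSE_POSITIVE_IDS, max_per_host=3):
    """Apply the post's normalization steps in order: drop test-cluster data,
    drop alerts later judged false positives, and cap how many alerts any
    single host may contribute so one noisy endpoint cannot skew the totals.
    Returns the surviving alerts."""
    kept = []
    per_host = Counter()
    for alert in alerts:
        if alert["cluster"] in test_clusters or alert["id"] in false_positive_ids:
            continue
        if per_host[alert["host"]] >= max_per_host:
            continue
        per_host[alert["host"]] += 1
        kept.append(alert)
    return kept


def technique_share(alerts):
    """Aggregate by tactic, then express each technique as a fraction of that
    tactic's alerts: {tactic: {technique: share}}."""
    by_tactic = defaultdict(Counter)
    for alert in alerts:
        by_tactic[alert["tactic"]][alert["technique"]] += 1
    return {
        tactic: {tech: n / sum(counts.values()) for tech, n in counts.items()}
        for tactic, counts in by_tactic.items()
    }


def combined_share(shares, tactic, techniques):
    """Sum the shares of several techniques within one tactic, e.g.
    masquerading plus system binary proxy execution under defense evasion."""
    return sum(shares.get(tactic, {}).get(t, 0.0) for t in techniques)


if __name__ == "__main__":
    raw = technique_share(SAMPLE_ALERTS)
    clean = technique_share(normalize(SAMPLE_ALERTS))
    for label, shares in (("raw", raw), ("normalized", clean)):
        for tactic, techs in sorted(shares.items()):
            line = ", ".join(f"{t} {p:.0%}" for t, p in sorted(techs.items()))
            print(f"{label:10} {tactic:18} {line}")
```

<p>Run it and compare the two tables: in the raw data the single noisy host makes T1027 look like the dominant defense evasion technique, while after normalization the per-tactic shares reflect the breadth of the fleet rather than one misbehaving endpoint. The cap value is a judgment call; the point is that it is applied before aggregation, not after.</p>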
<p>Next, we had to write. Devon, <a href="https://twitter.com/andythevariable">Andy Pease</a>, <a href="https://twitter.com/DanielStepanic">Daniel Stepanic</a>, and <a href="https://twitter.com/_xDeJesus">Terrance DeJesus</a> did the heavy lifting here. Anyone who’s done technical writing knows how important clarity and conciseness are in delivering a message that can be understood by the general public. A few dozen pages came together in a way we’re proud of. Importantly, we partnered closely with <a href="https://www.linkedin.com/in/pateldhrumil/">Dhrumil Patel</a>, our product management lead, and <a href="https://twitter.com/jellard8">Jen Ellard</a>, security product marketing lead, for the <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">Threat Report</a> effort to make sure our points were clear and meaningful to our user base.</p>
<p>All of that brought us to the end of our eight-week plan to develop the report. By late August, we were largely pencils-down on the content but far from done. We’re lucky to have a team of designers at Elastic to help us transform a wall of text in a Google doc into a PDF with style and graphics to enhance meaning and help our conclusions and recommendations jump off the page. We knew that this process would take time, many drafts, and a lot of back and forth. Planning and executing this piece of the project took about as long as the data gathering, analysis, and writing. We learned a lot about how long it takes to go from completed draft to final copy and will involve our internal partners early and often in the process.</p>
<h2>Tell us what you think</h2>
<p>We’d love to hear your feedback about the first <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">Elastic Global Threat Report</a>. More is on the way. We expect to make this an annual publication, and between now and then we’re hoping to deliver a more interactive version of this inaugural report.</p>
]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/behind-the-scenes-global-threat-report/gtr-blog-image-720x420.jpg" length="0" type="image/jpeg"/>
        </item>
        <item>
            <title><![CDATA[Sneak Peek: Elastic’s 2022 Global Threat Report]]></title>
            <link>https://www.elastic.co/cn/security-labs/sneak-peek-elastic-2022-global-threat-report</link>
            <guid>sneak-peek-elastic-2022-global-threat-report</guid>
            <pubDate>Wed, 30 Nov 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[Elastic Security Labs has compiled the 2022 Global Threat Report to share trends and tactics adversaries and attack groups use, as observed by our threat research team and broader user community over the past year.]]></description>
            <content:encoded><![CDATA[<p>The <a href="http://www.elastic.co/cn/security-labs">Elastic Security Labs</a> team is passionate about securing the world’s data from attack, and strives to raise the bar within the security industry. To this end, Elastic Security Labs has compiled the <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">2022 Global Threat Report</a> to share trends and tactics adversaries and attack groups use, as observed by our threat research team and broader user community over the past year.</p>
<p>Let’s dig into a few of the endpoint related findings:</p>
<ol>
<li>
<p>72% of all defense evasion techniques consisted of masquerading and system binary proxy execution</p>
</li>
<li>
<p>~77% of all credential access techniques were attributed to OS credential dumping with commonly known utilities</p>
</li>
</ol>
<p>Here’s a chart showing how the endpoint techniques break down across our data set.</p>
<p><img src="https://www.elastic.co/cn/security-labs/assets/images/sneak-peek-elastic-2022-global-threat-report/image1.png" alt="" /></p>
<p>This was just a preview of the research coming your way; many more findings and recommendations will follow soon. Stay tuned to <a href="http://www.elastic.co/cn/security-labs">Elastic Security Labs</a> for the <a href="https://www.elastic.co/cn/explore/security-without-limits/global-threat-report">2022 Elastic Global Threat Report</a>.</p>
]]></content:encoded>
            <category>security-labs</category>
            <enclosure url="https://www.elastic.co/cn/security-labs/assets/images/sneak-peek-elastic-2022-global-threat-report/blog-open-security-720x420-B.jpg" length="0" type="image/jpeg"/>
        </item>
    </channel>
</rss>