2022 Falcon OverWatch
Threat Hunting Report

Intrusions intensify, complexity escalates

2022 continues to demonstrate that proactive human-led threat hunting is no longer an option but a necessity to detect and disrupt advanced attacks and keep evolving adversaries at bay.

In this exclusive report, the CrowdStrike® Falcon OverWatch™ threat hunting team provides a look into the adversary tradecraft and tooling they observed from July 1, 2021 to June 30, 2022. The report also includes actionable tips for organizations and threat hunters to get ahead and stay ahead of today's stealthiest, most sophisticated cyber threats.

The data speaks for itself

2022 was a year unlike any other.


Potential intrusions stopped by OverWatch

7 minutes

Average time for OverWatch to uncover a potential intrusion

1+ million

Malicious events prevented


Increase in interactive intrusions


Of threats detected by OverWatch were malware-free

1 hour 24 minutes

Average eCrime breakout time

Key highlights

CVEs, zero-days and beyond

The proliferation of newly disclosed vulnerabilities and zero-days is putting organizations at unprecedented risk. Threat actors are weaponizing these vulnerabilities at speeds faster than ever before. This leaves little reaction time for targeted organizations.

Learn why a proactive approach to threat hunting will be crucial to staying ahead of increasing risks, and how organizations can get there.

Same ransomware, unique tradecraft

Lucrative ransomware-as-a-service (RaaS) models are a big driver of eCrime intrusion activity. A vast array of affiliates are capitalizing on the availability of RaaS offerings, employing diverse patterns of adversary tradecraft.

In the report, the OverWatch team shares four case studies illustrating some of the different approaches observed in RaaS affiliate intrusions.

Tradecraft deep dive: emerging, trending and mainstay tools

Despite the prevalence of malware-free attacks, OverWatch continues to observe adversaries employing a diverse range of tooling in their attacks.

This report dives in and analyzes the emerging, trending and mainstay tools and tradecraft in depth — highlighting capabilities and tactics that rose to the forefront and novel methods previously unseen in the wild.

Identities are under siege

Over the last 12 months, OverWatch observed significant abuse of valid and compromised credentials.

Identity-based techniques ranked at the top of six tactics of the MITRE ATT&CK® Framework: Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access and Discovery.

Learn what your organization can do to keep your identities safe.

Phishing: out with macros, in with ISO

Adversaries began shifting their phishing tactics immediately after Microsoft announced earlier this year that VBA macros, a tried-and-true malware delivery mechanism, would be disabled by default across its Office product line. Rather than move away from phishing campaigns altogether, OverWatch observed attackers adopt alternative tooling, replacing malware-laden macros with similarly weaponized container files such as ISO, ZIP and RAR archives, among others.

Read the report for detailed case studies examining this tactic and hunting strategies to identify ISO phishing attempts.

Adversaries take to the cloud

Intrusion activity in cloud applications and infrastructure is on the rise. In this report, OverWatch details two cloud-based attacks to illustrate how adversaries operate in cloud environments and weaponize key components at different stages of their intrusion. The report also provides action items, guidance and considerations for defenders when evaluating their cloud environment.

Falcon OverWatch Cloud Threat Hunting™ applies the same systematic and comprehensive hunting methodology while adding new tooling and telemetry for granular visibility down to the control plane.

Get the 2022 Falcon OverWatch Threat Hunting Report

Must-read insights from CrowdStrike’s threat hunting team

Download now