Know them. Find them. Stop them.

The problem isn’t malware — it’s adversaries. To stop these adversaries, security teams must understand how they operate. In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches.

583% increase in Kerberoasting, a growing identity-based attack technique

312% increase in abuse of remote monitoring and management (RMM) tools

160% increase in credential theft via cloud instance metadata APIs

79 minutes: average eCrime breakout time, a 5-minute drop from 2022

7 minutes: fastest eCrime breakout time recorded

62% of interactive intrusions involved compromised identities

Read the CrowdStrike 2023 Threat Hunting Report

Expose adversaries and stop them in their tracks.

Key report insights



Identity threats have become mainstream

Overall, 62% of interactive intrusions involve compromised identities. It’s not surprising that identity-based intrusions are on the rise: stolen credentials give adversaries immediate access. There’s been a 583% increase in Kerberoasting and a 147% increase in broker advertisements on the dark web since 2022, highlighting the growth of the end-to-end criminal ecosystem that exploits identity-based attacks.

Adversaries are getting smarter in the cloud

Threat actors are becoming cloud experts, knowing as much as or more about cloud environments than organizations do. As security teams adopt more cloud-based technologies, adversaries are becoming more adept at exploiting misconfigurations and abusing cloud management tools. In fact, adversaries are exploiting the cloud more than ever. There's been a 95% rise in cloud attacks and a 160% increase in credential theft via cloud instance metadata APIs.

eCrime is surging as adversaries become faster

Adversaries are breaking in and out of environments faster than ever. The average eCrime breakout time has dropped to 79 minutes, and the fastest recorded time is just 7 minutes. eCrime threat actors are also finding more efficient ways to break in. Among them is the misuse of legitimate remote monitoring and management (RMM) tools, which has increased 312% since 2022.

Cross-platform proficiency is growing

Many of today’s adversaries confidently target and navigate multiple operating systems, with growing prowess in Linux and macOS. CrowdStrike® Falcon OverWatch℠ saw a 3x increase in adversaries replacing Pluggable Authentication Modules (PAM) with malicious modules in Linux, especially in the finance, technology, and services industries.