CrowdStrike 2024 Threat Hunting Report

245+ adversaries tracked globally by CrowdStrike
86% of hands-on-keyboard attacks were executed by eCrime actors
70% YoY increase in adversary exploitation of RMM tools

Download now

Threat hunting insights to outsmart
modern adversaries

The CrowdStrike 2024 Threat Hunting Report unveils the latest tactics of the 245+ adversaries we actively track. This year’s report shows how modern adversaries continue to evolve as they emulate legitimate user behavior — with 86% of hands-on keyboard attacks by eCrime actors seeking financial gain. They are also expanding their reach to execute cross-domain attacks across clouds, identities, and endpoints.



Read the CrowdStrike 2024 Threat Hunting Report

Outpace today's stealthy, sophisticated adversaries.

Download now

Cross-domain attacks and insider threats
are on the rise

Adversaries are executing cross-domain attacks, targeting identity, cloud, and endpoint domains. Most often, they use stolen credentials to break into the cloud and move laterally to endpoints. Cross-domain threats are prevalent among malicious insiders, who can log in and quickly compromise multiple domains.

Legitimate credentials are exploited to gain easy access

Adversaries aren’t breaking in — they’re logging in with stolen credentials sourced from social engineering or access brokers. However, their misuse of valid accounts in suspicious ways creates abnormal patterns that help expert threat hunters shut them down, making human validation critical.

Adversaries are gaining full control of the cloud

As organizations move to the cloud, threats from adversaries like SCATTERED SPIDER intensify, leveraging spear phishing, policy modifications, and password manager access to infiltrate and exploit cloud environments. Penetrating the cloud control plane gives adversaries broad access and the capability to compromise the entire cloud infrastructure.

Endpoint attacks use remote monitoring and management (RMM) tools

The use of RMM tools for endpoint attacks surged by 70% in the past 12 months, accounting for 27% of hands-on-keyboard intrusions. Adversaries like STATIC KITTEN gain access with stolen credentials or phishing, then deploy RMM tools to blend in with legitimate operations. RMM-based attacks are here to stay, making it essential for protectors to continuously monitor these tools.

Join our threat briefing to understand modern adversaries and the current threat landscape.


Register now for the CrowdStrike 2024 Threat Hunting Report Briefing.

Watch now

Know them. Find them.
Stop them.

Explore your threat landscape and find out which adversaries are targeting organizations like yours in the Adversary Universe.

Know them. Find them. <br>Stop them.
PUNK SPIDER
Fastest, most active eCrime adversary targeting the Americas and EMEA
Know them. Find them. <br>Stop them.
STATIC KITTEN
Most active adversary leveraging legitimate RMM tools
Know them. Find them. <br>Stop them.
FAMOUS CHOLLIMA
North Korean adversary launching cross-domain and insider attacks
Know them. Find them. <br>Stop them.
HORDE PANDA
Uses compromised identities to target the telecom sector in SE Asia
Know them. Find them. <br>Stop them.
SCATTERED SPIDER
Most prominent adversary in cloud-based intrusions
Know them. Find them. <br>Stop them.
COZY BEAR
Cloud-conscious adversary evolving quickly to evade detection