The DFIR Report Profile
The DFIR Report

@TheDFIRReport

Followers: 52,670 | Following: 0 | Media: 412 | Statuses: 1,298

Real Intrusions by Real Attackers, the Truth Behind the Intrusion. Services:

thedfirreport.com/contact
Joined April 2020
@TheDFIRReport
The DFIR Report
2 years
Cobalt Strike, a Defender's Guide - Part 2 ➡️In this report we talk about domain fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/S, RITA & more. Big shout-out to @Kostastsale for helping put this together!
@TheDFIRReport
The DFIR Report
3 years
Sodinokibi (aka REvil) Ransomware ➡️TTR: 4 hours ➡️Initial Access: IcedID ➡️Discovery: nltest, net, wmic, AdFind, BloodHound, etc. ➡️PrivEsc: UAC-TokenMagic & Invoke-SluiBypass ➡️Defense Evasion: Safe Mode & new GPO ➡️Exfil: Rclone ➡️C2: CobaltStrike
@TheDFIRReport
The DFIR Report
2 years
Here's a thread on some of the interesting things we've seen in the #ContiLeaks . If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: . He will be adding more as things get leaked.
@TheDFIRReport
The DFIR Report
2 years
Exchange Exploit Leads to Domain Wide Ransomware TTR: 42 Hours Initial Access: Exchange Exploited (ProxyShell) Discovery: ipconfig, nslookup, ping, KPortScan, etc. Execution: Fast Reverse Proxy & Plink Lateral Movement: RDP Impact: Data Encryption
@TheDFIRReport
The DFIR Report
25 days
🎉 Announcing DFIR Labs! 🎉 Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help. 1/2
@TheDFIRReport
The DFIR Report
3 years
From Zero to Domain Admin ➡️Initial Access: Maldoc deploys Hancitor ➡️C2: #CobaltStrike & #Hancitor ➡️Discovery: net, nltest, check.exe, AD module, scan for backup systems ➡️Privilege Escalation: Zerologon CVE-2020-1472
@TheDFIRReport
The DFIR Report
2 years
BumbleBee Roasts Its Way to Domain Admin ➡️Initial Access: BumbleBee (zipped ISO w/ LNK+DLL) ➡️Persistence: AnyDesk ➡️Discovery: VulnRecon, Seatbelt, AdFind, etc. ➡️Credentials: Kerberoast, comsvcs.dll, ProcDump ➡️C2: BumbleBee, CobaltStrike, AnyDesk
@TheDFIRReport
The DFIR Report
2 years
Quantum Ransomware ➡️TTR: 3h 48 minutes ➡️Initial Access: IcedID ISO ➡️Persistence: Scheduled Tasks ➡️Discovery: WMIC, net, nltest, AdFind, etc. ➡️C2: Cobalt Strike ➡️Lateral Movement: PsExec, WMI, RDP ➡️Impact: Domain wide ransomware
@TheDFIRReport
The DFIR Report
4 years
Ryuk in 5 Hours ➡️Zerologon (CVE-2020-1472) exploited 2 hours after initial execution of Bazar ➡️Cobalt Strike & Bazar for C2 ➡️AdFind, Net, Ping, Nltest & PowerShell for Discovery ➡️WMI & RDP for Execution ➡️Ryuk ransomware for Impact
@TheDFIRReport
The DFIR Report
1 year
2022 Year in Review ➡️Most common TTPs we saw in 2022 ➡️Trends around IABs ➡️Top detections ➡️Ransomware propagation methods ➡️and more!
@TheDFIRReport
The DFIR Report
2 years
2021 Year in Review ➡️Summary of tools we've seen ➡️Summary of indicators of attack ➡️Opsec failures ➡️Most common TTPs of the year and much more Report lead @kostastsale Contributing analysts @ICSNick , @yatinwad , @_pete_0 and 1 unnamed contributor
@TheDFIRReport
The DFIR Report
2 years
BumbleBee: Round Two ➡️Initial Access: Bumblebee ISO>LNK>DLL ➡️Persistence: AnyDesk, Added Local Admin ➡️Discovery: LOLbins, AdFind ➡️Credentials: LSASS Dump ➡️Lateral: SMB, Remote Services, RDP ➡️C2: Bumblebee, Meterpreter, CobaltStrike
@TheDFIRReport
The DFIR Report
2 years
Follina Exploit Leads to Domain Compromise ➡️Initial Access: Word Doc exploiting Follina ➡️Persistence: Scheduled Tasks ➡️Discovery: ADFind, Netscan, etc. ➡️Lat Movement: SMB, Service Creation, RDP ➡️C2: #CobaltStrike , Qbot, NetSupport, Atera/Splashtop
@TheDFIRReport
The DFIR Report
7 months
From ScreenConnect to Hive Ransomware in 61 hours ➡️Initial Access: ScreenConnect ➡️Defense Evasion: BITS Jobs, Embedded Payloads ➡️Lateral Movement: Impacket, RDP, SMB ➡️C2: ScreenConnect, Atera, Splashtop, Cobalt Strike, Metasploit ➡️Exfil: Rclone 1/X
@TheDFIRReport
The DFIR Report
3 years
Ryuk Speed Run, 2 Hours to Ransom ➡️Discovery using Net, Nltest, and AdFind ➡️Cobalt Strike and Bazar for C2 ➡️Zerologon for Privilege Escalation ➡️Credential Access via Rubeus ➡️Lateral Movement via SMB
@TheDFIRReport
The DFIR Report
1 year
Malicious ISO File Leads to Domain Wide Ransomware ➡️Initial Access: IcedID ISO ➡️Credentials: DCsync ➡️PrivEsc: ZeroLogon ➡️Lateral: RDP, SMB/Remote Service, WMI ➡️C2: IcedID, Cobalt Strike, Anydesk ➡️Exfil: Rclone to Mega ➡️Impact: Quantum Ransomware
@TheDFIRReport
The DFIR Report
6 months
🚨 Insight from Unusual Script in Dagon Locker Ransomware Case 🧩 We've analyzed an interesting PowerShell script that threat actors used during a Dagon Locker Ransomware case. Let's dive into the script🧵
@TheDFIRReport
The DFIR Report
3 years
This content looks VERY familiar... 1. "Initial Actions" 2. rclone config using Mega 3. rclone instructions 4.Powerview/UserHunter instructions Thanks @vxunderground !!
@vxunderground
vx-underground
3 years
A "pentester" for Conti has leaked "pentester manuals and software" online. These files are allegedly given to affiliates vxug.fakedoma[.]in/tmp/ * Link modified, Twitter's banned our domains * Some files password protected, we do not know the password * Images from XSS
@TheDFIRReport
The DFIR Report
8 months
HTML Smuggling Leads to Domain Wide Ransomware ➡️Initial Access: Thread-Hijacked Email > HTML Attachment ➡️Credentials: LSASS Access, SessionGopher ➡️Lateral Movement: RDP, PsExec ➡️C2: IcedID, Cobalt Strike ➡️Impact: Nokoyawa Ransomware 1/X
@TheDFIRReport
The DFIR Report
2 years
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration ➡️Initial Access: CVE-2021-44077 exploited ➡️Execution: Web shell ➡️Credential Access: WDigest + MiniDump ➡️Lat Movement: RDP using Plink ➡️Exfiltration: Sensitive data exfilled
@TheDFIRReport
The DFIR Report
3 years
BazarLoader and the Conti Leaks Discovery: AdFind, Advanced IP Scanner, PowerSploit, Nltest, Net, etc. Credential Access: ntdsAudit, ntdsutil, LSASS Access Defense Evasion: Process Injection C2: #CobaltStrike , AnyDesk Exfil: Rclone (upload to mega)
@TheDFIRReport
The DFIR Report
11 months
A Truly Graceful Wipe Out ➡️Initial Access: Email > TDS > Truebot download ➡️Credentials: LSASS & Registry Dump ➡️Persistence: Scheduled Task ➡️C2: Truebot, FlawedGrace, Cobalt Strike ➡️Exfiltration: FlawedGrace ➡️Impact: MBR Killer 1/X
@TheDFIRReport
The DFIR Report
3 years
Recent #Qbot / #Qakbot discovery activity: ➡️whoami /all ➡️cmd /c set ➡️ipconfig /all ➡️net view /all ➡️nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.DomainName ➡️net share ➡️route print ➡️netstat -nao ➡️net localgroup
@TheDFIRReport
The DFIR Report
3 months
🚨Active Exploitation🚨 ➡️CVE-2023-22527 - Confluence template injection ➡️Executed whoami ➡️Source IP: 45.61.137[.]90 ➡️UA: Opera/9.89.(Windows 95; sv-FI) Presto/2.9.181 Version/12.00 ➡️PCAP, full POST URI and more available in our AllIntel service
@TheDFIRReport
The DFIR Report
2 years
Qbot Likes to Move It, Move It ➡️Initial Access: Maldoc deploys Qbot ➡️Execution: Regsvr32 DLL Execution ➡️Discovery: ipconfig, netstat, whoami, etc. ➡️Collection: Email and Browser Info Stealing ➡️Defense Evasion: Process Injection, Defender Exclusions
@TheDFIRReport
The DFIR Report
2 years
CONTInuing the Bazar Ransomware Story ➡️ Initial Access: BazarLoader ➡️ Discovery: Nltest, Net, Ping, PowerView, ADFind ➡️ C2: #CobaltStrike & #BazarLoader ➡️ Lateral movement: wmic ➡️ Exfil: Rclone ➡️ Impact: #Conti ransomware
@TheDFIRReport
The DFIR Report
5 months
Let's Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity ➡️Initial Access: sqlmap, ghauri, metasploit, exploits ➡️Persistence: weevely, SharPersist ➡️C2: Sliver, Meterpreter ➡️PrivEsc: Schtasks, LinPEAS, Metasploit and more!
@TheDFIRReport
The DFIR Report
2 years
Dead or Alive? An Emotet Story ➡️Initial Access: Emotet XLS ➡️Persistence: RegRunKeys, Atera ➡️Discovery: LOLbins, AdFind, ShareFinder ➡️Credentials: LSASS access, Kerberoast ➡️Lateral: SMB, Remote Services ➡️C2: Emotet, CobaltStrike ➡️Exfil: Rclone/Mega
@TheDFIRReport
The DFIR Report
2 years
APT35 Automates Initial Access Using ProxyShell ➡️Initial Access: #ProxyShell ➡️Discovery: net, ipconfig, PowerShell, quser, etc. ➡️PrivEsc: Scheduled Task ➡️Defense Evasion: Real-time Monitoring & WDigest enablement ➡️Credential Access: Comsvcs.dll
@TheDFIRReport
The DFIR Report
4 years
Another RDP brute force ransomware strikes again, this time, Snatch Team! -Lateral movement via RDP -C2 via Meterpreter/RDP Proxy via Tor -Persistence via Scheduled Tasks -Domain ransomed in less than 5 hours #infosec #malware @MISPProject
@TheDFIRReport
The DFIR Report
3 years
BazarLoader to Conti Ransomware in 32 Hours ➡️Initial Access: BazarLoader ➡️Discovery: Nltest, Net, AD PS module, Get-DataInfo.ps1, Ping ➡️C2: #CobaltStrike & #BazarLoader ➡️Exfiltration: WinSCP ➡️Impact: Conti ransomware
@TheDFIRReport
The DFIR Report
2 years
Qbot and Zerologon Lead To Full Domain Compromise ➡️Discovery: Net, Nltest, AdFind, etc ➡️Persistence: Scheduled Task ➡️Privilege Escalation: Zerologon CVE-2020-1472 ➡️Lateral Movement: Remote Services & RDP ➡️Exfil: C2 Channel ➡️C2: #CobaltStrike & Qbot
@TheDFIRReport
The DFIR Report
1 year
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware ➡️TTR: 154 hours ➡️Discovery: nltest, net group, ShareFinder, etc. ➡️Exfil: Rclone Transfer to Mega ➡️C2: CobaltStrike, AnyDesk, Tactical RMM Agent ➡️Impact: Quantum Ransomware 1/X
@TheDFIRReport
The DFIR Report
6 months
NetSupport Intrusion Results in Domain Compromise ➡️Initial Access: Zip in Email ➡️Execution: Batch scripts, NetSupport ➡️Credential Access: NTDS.dit dump, LSASS Dump ➡️Lateral Movement: RDP, SMB, wmiexec/atexec ➡️C2: NetSupport RAT, SSH Tunnel
@TheDFIRReport
The DFIR Report
3 years
From Word to Lateral Movement in 1 Hour ➡️Initial Access: Malspam delivering maldoc ➡️Discovery: Net, Nltest, AdFind ➡️Credential Access: LSASS dump via #CobaltStrike ➡️Persistence: Scheduled Task ➡️C2: #IcedID & #CobaltStrike
@TheDFIRReport
The DFIR Report
3 years
Conti Ransomware ➡️Initial Access: IcedID ➡️Discovery: net, ipconfig, systeminfo, nltest, whoami, query, dir, dsquery ➡️Lateral Movement: PsExec, SMB, RDP ➡️C2: #CobaltStrike and IcedID ➡️Defense Evasion: Modify GPO, stop/uninstall security tools 1/6
@TheDFIRReport
The DFIR Report
1 year
IcedID Macro Ends in Nokoyawa Ransomware ➡️Initial Access: IcedID XLS Macro ➡️Credentials: LSASS, Creds in Files ➡️Persistence: Scheduled Task ➡️Lateral: RDP, SMB, WMI, WinRM, Psexec ➡️C2: IcedID, Cobalt Strike, VNC ➡️Impact: Nokoyawa Ransomware 1/X
@TheDFIRReport
The DFIR Report
2 years
Stolen Images Campaign Ends in Conti Ransomware ➡️Initial Access: Stolen Images IcedID Campaign ➡️Discovery: net, ipconfig, Invoke-ShareFinder, chcp, etc. ➡️Persistence: Scheduled Task & Atera Agent ➡️C2: #CobaltStrike & Atera ➡️Impact: Conti Ransomware
@TheDFIRReport
The DFIR Report
1 year
We're looking to add a few analysts to the team! ➡️ Are you familiar with memory, network, and/or endpoint analysis and want to work on a few cases a year? ➡️ We'll credit your work in the report, give you free access to our intel, and provide CPE credits if needed. 1/X
@TheDFIRReport
The DFIR Report
1 year
Collect, Exfiltrate, Sleep, Repeat ➡️Initial Access: Job App VBA Maldoc ➡️Discovery: PS Cmdlets, net, tzutil, etc. ➡️Persistence: Scheduled Tasks ➡️Collection: AutoHotkey Keylogger, Compress-Archive, makecab.exe ➡️C2: Custom PowerShell Framework 1/X
@TheDFIRReport
The DFIR Report
3 years
IcedID to XingLocker Ransomware in 24 hours ➡️Initial Access: IcedID ➡️Persistence: Scheduled Tasks ➡️Discovery: net, wmic, AdFind, BloodHound, PowerView, etc. ➡️C2: #CobaltStrike ➡️Defense Evasion: Process Hollowing & Disabling Security Tools 1/5
@TheDFIRReport
The DFIR Report
2 years
Here is the companion report to our SANS Ransomware Summit 2022 talk: Can You Detect This? Great job @_pete_0 & @yatinwad !!🥳 Slides: Recording: Coming soon #RansomwareSummit
@TheDFIRReport
The DFIR Report
9 months
🔍 Intrusion Analysis Thread from our private reports | DarkGate, Cobalt Strike, and BianLian: 1/ 🚨 Overview: We observed a suspicious MSI file executed, leading to the deployment of DarkGate, Cobalt Strike, and BianLian malware. Let us dive deeper.
@TheDFIRReport
The DFIR Report
6 months
🚨Confluence exploit (CVE-2023-22518) Leads to C3RB3R Ransomware🚨 ➡️Exploit source: 193.187.172.73 ➡️Download & Exec: http://193[.]187[.]172[.]73/tmp[.]1u ➡️Lateral Movement: Attempts to spread over SMB/445 ➡️Extension: LOCK3D h/t @GreyNoiseIO
@TheDFIRReport
The DFIR Report
1 year
Our Year in Review 2022 report will be out Monday March 6th!🥳 We'll be discussing the most common TTPs we reported on in 2022. Analysis and reporting by @iiamaleks , @kostastsale , @samaritan_o Reviewed by @svch0st & UC1
@TheDFIRReport
The DFIR Report
2 years
SEO Poisoning – A Gootloader Story ➡️Initial Access: Gootloader ➡️Discovery: BloodHound, Port Scanning ➡️Credential Access: LaZagne & Mimikatz ➡️Defense Evasion: Defender Service Deletion ➡️Lat Movement: Remote Service Creation & RDP ➡️C2: #CobaltStrike
@TheDFIRReport
The DFIR Report
2 years
🥳As 2021 comes to an end we want to thank our analysts and everyone in the community who has shared tools, IOCs, TTPs, etc. over the last year. Thread ⬇️ ➡️Thanks to analysts/infosec folks ➡️➡️People you should be following ➡️Highlights from 2021 ➡️Forward looking statements
@TheDFIRReport
The DFIR Report
9 months
We'll be releasing a private report to our #AllIntel customers on Monday 8/7 in relation to #DarkGate , #CobaltStrike , & #BianLian .
@TheDFIRReport
The DFIR Report
3 years
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike ➡️Initial Access: maldoc ( #BazarCall ) ➡️Discovery: AdFind, BloodHound, etc. ➡️Credential Access: ProcDump & Ntdsutil ➡️Lateral Movement: WMIC & SMB ➡️C2: #Trickbot & #CobaltStrike
@TheDFIRReport
The DFIR Report
1 year
Unwrapping Ursnif's Gifts ➡️Initial Access: Ursnif ISO/LNK/DLL ➡️Discovery: Get-ADComputer, nltest, net view, etc. ➡️Credentials: LSASS access ➡️Lateral: Impacket ➡️Persistence: Registry Run Key ➡️C2: Ursnif, Cobalt Strike 1/X
@TheDFIRReport
The DFIR Report
7 months
🔍 Intrusion Analysis From Our Private Reports 🚨Overview: We observed an intrusion that started with an IcedID infection and continued with Cobalt Strike beacons. Days later, and after files were exfiltrated to AWS, it led to the deployment of Dagon Locker ransomware.
@TheDFIRReport
The DFIR Report
2 years
SELECT XMRig FROM SQLServer ➡️Initial Access: Brute Force ➡️Execution: xp_cmdshell, batch scripts, certutil ➡️Persistence: Hidden accounts, schtasks, WMI event subscription via mof files ➡️Defense Evasion: Kill AVs, Disabling UAC ➡️Impact: XMRig Miner
@TheDFIRReport
The DFIR Report
6 months
📢Private report | WS_FTP Exploit Activity Leads to Sliver We are sharing this private report to highlight the TTPs used in an intrusion related to the recent WS_FTP vulnerability. This report became available to our paid subscribers a couple weeks ago.
@TheDFIRReport
The DFIR Report
8 months
The recorded talk is now available! "Lessons from the frontlines: Ransomware attacks, new techniques and old tricks" by @_pete_0 & @samaritan_o Thanks to everyone who made this conference happen! @rj_chap @phillmoore @MindsEyeCCF @SANSInstitute
@SANSInstitute
SANS Institute
8 months
📺 SANS #RansomwareSummit Talks are live! 🗣Featured Experts: Peter O, The DFIR Report Alessandro Di Carlo ( @samaritan_o ), Certego Srl 👏 Lessons from the Frontlines: Ransomware attacks, New Techniques and Old Tricks ➡️ Watch Now:
@TheDFIRReport
The DFIR Report
2 years
Diavol Ransomware ➡️Initial Access: Zip->ISO loading BazarLoader ➡️Discovery: Net, Ping, AdFind, Advanced IP Scanner, ShareFinder ➡️C2: #CobaltStrike & #BazarLoader ➡️Lateral Movement: RDP, AnyDesk ➡️Exfil: FileZilla, ufile ➡️Impact: Diavol ransomware
@TheDFIRReport
The DFIR Report
1 year
BumbleBee Zeros in on Meterpreter ➡️Initial Access: Contact Forms/Stolen Images/ISO ➡️PrivEsc: WSReset & Slui UAC Bypass, Zerologon CVE-2020-1472 ➡️Cred Access: Procdump LSASS, reg dump SAM/SEC/SYS hives ➡️C2: BumbleBee, Meterpreter, CobaltStrike 1/X
@TheDFIRReport
The DFIR Report
2 years
Getting word of mass exploits against VMware Horizon with C2 ( #CobaltStrike ) to 185.112.83.116|80 & 8080. Potentially log4j related. Anyone else seeing similar?
@TheDFIRReport
The DFIR Report
4 months
🎉 As we start 2024, we reflect on a year of insightful DFIR reports. This thread showcases the public reports that exposed various threat actor TTPs in 2023. A big shoutout to our dedicated analysts that contributed to these reports:🧵👇
@TheDFIRReport
The DFIR Report
3 months
Has a red teamer or pen tester requested that you refrain from uploading their implant to VirusTotal? How did you respond? If not, how would you respond?
@TheDFIRReport
The DFIR Report
2 years
Hoping to have this report out Monday! 🔥"The threat actors conducted this intrusion with almost no malware." ➡️Exchange exploit->.......->BitLocker ransomware CC: @0xtornado @svch0st @v3t0_ @samaritan_o
@TheDFIRReport
The DFIR Report
3 years
🚨We have a report coming out in a few weeks that does not include Cobalt Strike🚨 CC: @0xtornado @svch0st @v3t0_ @samaritan_o
@TheDFIRReport
The DFIR Report
3 years
Trickbot Still Alive and Well ➡️Discovery: AdFind, Nltest, Net, Bloodhound, PowerView ➡️Lateral Movement: SMB, WMI, PS ➡️C2: Trickbot & Cobalt Strike ➡️Credential Access: Ntdsutil & lsass dump ➡️PrivEsc: Named Pipe ➡️Defense Evasion: Trickbot->Wermgr
@TheDFIRReport
The DFIR Report
3 years
IcedID and Cobalt Strike vs Antivirus ➡️Initial Access: Maldoc ➡️Discovery: Nltest, WMIC, AdFind, PowerView, etc ➡️PrivEsc: UAC Bypass and Named Pipe Impersonation ➡️Persistence: Scheduled Task ➡️C2: #CobaltStrike & #IcedID
@TheDFIRReport
The DFIR Report
2 years
Any others floating around? Post your version⬇️
@TheDFIRReport
The DFIR Report
3 years
Trickbot discovery from the below sample: ipconfig /all net config workstation net view /all net view /all /domain nltest /domain_trusts nltest /domain_trusts /all_trusts Followed by: wermgr->cmd (multiple times) Thanks @malware_traffic !
@TheDFIRReport
The DFIR Report
1 month
From OneNote to RansomNote: An Ice Cold Intrusion 🌟Analysis & reporting completed by @iiamaleks , @IrishD34TH , and @Miixxedup 🎵Audio (New Voice!): Available on Spotify, Apple, YouTube and more! 🏹Services: 📚Report:
@TheDFIRReport
The DFIR Report
3 years
Recent #Trickbot discovery activity: ➡️ipconfig /all ➡️net config workstation ➡️net view /all ➡️net view /all /domain ➡️nltest /domain_trusts ➡️nltest /domain_trusts /all_trusts
@TheDFIRReport
The DFIR Report
1 year
We'll have a report out on Nokoyawa ransomware tomorrow (5/22) by @iiamaleks , @MittenSec , & @0xtornado . Want to receive an email when we publish the report? Subscribe below. ⬇️⬇️⬇️
@TheDFIRReport
The DFIR Report
2 years
Our next report will be out on 6/6. The analysts working this case spent weeks analyzing the artifacts and telling the story. We're excited about this one, and you'll see why soon 🤔 No Cobalt Strike, ISO, or LNK. 🤔🤔 cc: @iiamaleks , @svch0st & @v3t0_
@TheDFIRReport
The DFIR Report
2 years
This report will be out tomorrow! You'll see mentions of #CobaltStrike , #Conti , #BazarLoader , AdFind, ShareFinder, Rclone, Process Hacker, RDP, AnyDesk, and more. cc: @Kostastsale @pigerlin @_pete_0
@TheDFIRReport
The DFIR Report
3 years
This one ends in #Conti ransomware. Report out in a few weeks! Thanks @James_inthe_box ! C2, beacon config, ransomware files, artifacts, etc. available @
@TheDFIRReport
The DFIR Report
3 years
We Need Your Help! ➡️ Are you familiar with memory, network, and/or endpoint analysis and want to volunteer for a couple hours a week doing analysis and reporting? ➡️ We'll credit your work in the report, give you free access to our intel, and provide CPE credits if needed. ⬇️
@TheDFIRReport
The DFIR Report
3 years
Bazar, No Ryuk? ➡️ Initial Access: DocuSign themed maldoc ➡️ Discovery: AdFind, PowerSploit, Net, Get-ADComputer, etc. ➡️ Lateral Movement: PtH, SMB, RDP ➡️ Credential Access: Lsass dump via #CobaltStrike ➡️C2: #Bazar & #CobaltStrike
@TheDFIRReport
The DFIR Report
9 months
In May, we observed a threat actor (TA) exploit PaperCut NG (CVE-2023-27350) to download/execute a Havoc C2 binary. ➡️The TA then reviewed tasklist before dumping credentials using Mimikatz. ➡️Next, the TA downloaded numerous RMM tools. #AllIntel 1/X
@TheDFIRReport
The DFIR Report
3 years
We're currently working on a report on #REvil / #Sodinokibi ransomware. Should have the report out in a week or so (each report takes 40+ hours of work). Interested in the C2 IPs, files, mem dumps, logs, etc. ahead of time?⬇️
@TheDFIRReport
The DFIR Report
2 years
We have so many exciting reports in the pipeline 😀 ➡️Next Monday you'll see a report on Quantum ransomware by @svch0st , @0xtornado , & @samaritan_o ➡️A couple weeks after that you'll see a report on Gootloader/GootKit by @kostastsale , @iiamaleks & @pigerlin
@TheDFIRReport
The DFIR Report
9 months
Interesting choice for this Brute Ratel server
@TheDFIRReport
The DFIR Report
1 year
Here's an interesting batch script you'll see in an upcoming report: ➡️Do you know what it's doing? ➡️Would you struggle to do analysis on a system if it ran? Why or Why not? ➡️Are there any rules available to detect this activity? Post your answers below
@TheDFIRReport
The DFIR Report
3 years
Trickbot Brief: Creds and Beacons ➡️Discovery: Nltest, PowerView, Net, ipconfig ➡️Credential Access: Lazagne, LSASS access via #CobaltStrike , WDigest ➡️C2: #Trickbot & #CobaltStrike x2 ➡️Defense Evasion: Process Injection into wermgr 1/3
@TheDFIRReport
The DFIR Report
2 years
We are currently seeing WebLogic exploitation (CVE-2020-14882) which leads to a XMRig miner installation. The exploit abuses FileSystemXmlApplicationContext method to execute a XML file (xx.xml) containing a PowerShell payload. Analysis and tweet by @0xtornado
@TheDFIRReport
The DFIR Report
4 years
🚨The Ryuk threat actors are actively exploiting ZeroLogon (CVE-2020-1472).🚨 Report coming soon. If you're looking forward to our report or enjoy our other reports please consider donating $1 or more using Patreon.
@TheDFIRReport
The DFIR Report
3 years
All That for a Coinminer? ➡️ Initial Access: RDP brute force ➡️ Defense Evasion: attrib +h ➡️ Persistence: Create account ➡️ Credential Access: Mimikatz (LogonPasswords & Tickets) ➡️ Discovery: Advanced IP Scanner & Net ➡️ Impact: XMRig
@TheDFIRReport
The DFIR Report
3 months
Multiple TAs exploiting this vuln now⬇️ TAs executing: ➡️whoami ➡️curl redacted[.]oast[.]me ➡️curl redacted[.]oast[.]fun source IPs: 38.150.12[.]131 38.180.75[.]124 67.181.73[.]197 134.122.186[.]223 38.150.12[.]144 186.117.138[.]210
@TheDFIRReport
The DFIR Report
3 months
🚨Active Exploitation🚨 ➡️CVE-2023-22527 - Confluence template injection ➡️Executed whoami ➡️Source IP: 45.61.137[.]90 ➡️UA: Opera/9.89.(Windows 95; sv-FI) Presto/2.9.181 Version/12.00 ➡️PCAP, full POST URI and more available in our AllIntel service
@TheDFIRReport
The DFIR Report
28 days
🚀 Exciting News Coming Soon! 🌟 🔍 We're launching an innovative platform to help boost your DFIR skills! 🙏 Thanks to our beta testers - your feedback was invaluable! ✨ Curious for a sneak peek? Head to our site to see what's coming!
@TheDFIRReport
The DFIR Report
3 years
We recently uploaded ~1k #CobaltStrike beacons to @virustotal . You can find them @ or by subscribing to our All Intel service @
@TheDFIRReport
The DFIR Report
2 years
New report out Monday 2/21! You'll see mentions of Qbot, Zerologon (CVE-2020-1472), AdFind, overpass-the-hash, Cobalt Strike, RDP, custom sigma rules, new ET sigs and more! cc: @pigerlin , @MetallicHack , @ICSNick & @kostastsale
@TheDFIRReport
The DFIR Report
8 months
We're working on a new way to help infosec folks advance their careers... The big reveal is just around the corner! 🤫🥳 #Infosec #CareerGrowth #PersonalDevelopment
@TheDFIRReport
The DFIR Report
1 year
Great job @CISAJen , @CISAgov , @FBI , & @HHSGov ! We'll have a Hive ransomware case coming out in a few weeks! ➡️Initial Access: ScreenConnect ➡️Metasploit + Cobalt Strike ➡️Exfil: Rclone->SFTP->VPS ➡️Possible use of Impacket/wmiexec ➡️Mimikatz ➡️GPO Deployment ➡️Victim: EDU 1/X
@CISAJen
Jen Easterly🛡️
1 year
🚨New to : @CISAgov joined partners @FBI & @HHSGov to provide TTPs & IOCs on Hive ransomware actors targeting a wide range of businesses & critical infrastructure including the healthcare & public health sector:
@TheDFIRReport
The DFIR Report
3 years
Can confirm! ➡️Splashtop SRUtility.exe ➡️AnyDesk AnyDesk.exe AnyDeskMSI.exe ➡️Atera AteraAgent.exe AgentPackageSTRemote.exe AgentPackageHeartbeat.exe AgentPackageWindowsUpdate.exe AgentPackageADRemote.exe Thanks for sharing @AltShiftPrtScn !
@AltShiftPrtScn
PeterM🌻
3 years
#Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access. During initial stage of IR I recommend blocking ALL remote access tools via Application Control policies, allow only the ones required & monitor their use.
@TheDFIRReport
The DFIR Report
8 months
We’ll have a new report out on Nokoyawa ransomware on Monday 8/28 by @v3t0_ , @AkuMehDFIR , and @RoxpinTeddy ! The threat actor goes from gaining initial access via HTML smuggling to deploying Nokoyawa ransomware domain wide in just over 12 hours.
@TheDFIRReport
The DFIR Report
3 years
Trickbot Leads Up to Fake 1Password Installation ➡️Initial Access: Maldoc ➡️Discovery: nltest, net, WMI, AD PS module ➡️Credential Access: WDigest, ProcDump ➡️C2: #CobaltStrike & Trickbot ➡️Defense Evasion: Process injection, Application masquerading
@TheDFIRReport
The DFIR Report
3 years
WebLogic RCE Leads to XMRig ➡️Initial Access: WebLogic Unauthorized RCE CVE-2020-14882 ➡️Execution: PowerShell script ➡️Defense Evasion: Disable firewall ➡️Persistence: Scheduled task and run key ➡️Impact: XMRig
@TheDFIRReport
The DFIR Report
2 months
Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE 📅 Today, we're excited to share one of our latest Private Threat Briefs! 🔍 Explore our Threat Brief service here: 📚Report:
@TheDFIRReport
The DFIR Report
1 year
New report out Monday April 3rd by @MetallicHack & @_pete_0 !! This one ends in Quantum ransomware and has so much good info. One of our longest reports yet 👀 If you would like to receive an email when we publish a new report ⬇️
@TheDFIRReport
The DFIR Report
1 year
👀 You'll see this in an upcoming case... cc: @MetallicHack / @_pete_0
@TheDFIRReport
The DFIR Report
1 month
🌟New report out Monday 4/1 by @iiamaleks , @IrishD34TH , and @Miixxedup ! 📷 This intrusion began with a malicious OneNote attachment and ended with ransomware. You'll see mentions of IcedID, AnyDesk, Cobalt Strike, FileZilla, AdFind and more! Subscribe⬇️