Pinned
New logo. New website. Same DFIR Report team. π
Check out the incredible analysts behind the research:
The DFIR Report
1,765 posts
The DFIR Report
@TheDFIRReport
Real Intrusions by Real Attackers, the Truth Behind the Intrusion
- Cobalt Strike, a Defender's Guide - Part 2 β‘οΈIn this report we talk about domain fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/S, RITA & more. Big shout-out to @Kostastsale for helping put this together! thedfirreport.com/2022/01/24/cobβ¦
- Cobalt Strike, a Defender's Guide thedfirreport.com/2021/08/29/cob⦠Thanks to @Kostastsale for helping put this together! Shout outs to: @MalwareRE, @FSecureLabs, @Paulsec4, @redcanary, @CrowdStrike, @MichalKoczwara, @WLesicki, @bh4b3sh, @jpcert_en, @DidierStevens, and @ForensicITGuy.
- Sodinokibi (aka REvil) Ransomware β‘οΈTTR: 4 hours β‘οΈInitial Access: IcedID β‘οΈDiscovery: nltest, net, wmic, AdFind, BloodHound, etc. β‘οΈPrivEsc: UAC-TokenMagic & Invoke-SluiBypass β‘οΈDefense Evasion: Safe Mode & new GPO β‘οΈExfil: Rclone β‘οΈC2: CobaltStrike thedfirreport.com/2021/03/28/sodβ¦
- Here's a thread on some of the interesting things we've seen in the #ContiLeaks. If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translatβ¦. He will be adding more as things get leaked.
- Exchange Exploit Leads to Domain Wide Ransomware TTR: 42 Hours Initial Access: Exchange Exploited (ProxyShell) Discovery: ipconfig, nslookup, ping, KPortScan, etc. Execution: Fast Reverse Proxy & Plink Lateral Movement: RDP Impact: Data Encryption
- π Announcing DFIR Labs! π Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help. 1/2
00:00 - BumbleBee Roasts Its Way to Domain Admin β‘οΈInitial Access: BumbleBee (zipped ISO /w LNK+DLL) β‘οΈPersistence: AnyDesk β‘οΈDiscovery: VulnRecon, Seatbelt, AdFind, etc. β‘οΈCredentials: Kerberoast, comsvcs.dll, ProcDump β‘οΈC2: BumbleBee, CobaltStrike, AnyDesk
- From Zero to Domain Admin β‘οΈInitial Access: Maldoc deploys Hancitor β‘οΈC2: #CobaltStrike & #Hancitor β‘οΈDiscovery: net, nltest, check.exe, AD module, scan for backup systems β‘οΈPrivilege Escalation: Zerologon CVE-2020-1472
- Quantum Ransomware β‘οΈTTR: 3h 48 minutes β‘οΈInitial Access: IcedID ISO β‘οΈPersistence: Scheduled Tasks β‘οΈDiscovery: WMIC, net, nltest, AdFind, etc. β‘οΈC2: Cobalt Strike β‘οΈLateral Movement: PsExec, WMI, RDP β‘οΈImpact: Domain wide ransomware
- From ScreenConnect to Hive Ransomware in 61 hours β‘οΈInitial Access: ScreenConnect β‘οΈDefense Evasion: BITS Jobs, Embedded Payloads β‘οΈLateral Movement: Impacket, RDP, SMB β‘οΈC2: ScreenConnect, Atera, Splashtop, Cobalt Strike, Metasploit β‘οΈExfil: Rclone thedfirreport.com/2023/09/25/froβ¦ 1/X
- Malicious ISO File Leads to Domain Wide Ransomware β‘οΈInitial Access: IcedID ISO β‘οΈCredentials: DCsync β‘οΈPrivEsc: ZeroLogon β‘οΈLateral: RDP, SMB/Remote Service, WMI β‘οΈC2: IcedID, Cobalt Strike, Anydesk β‘οΈExfil: Rclone to Mega β‘οΈImpact: Quantum Ransomware
- Replying to @TheDFIRReportRyuk in 5 Hours β‘οΈZerologon (CVE-2020-1472) exploited 2 hours after initial execution of Bazar β‘οΈCobalt Strike & Bazar for C2 β‘οΈAdFind, Net, Ping, Nltest & PowerShell for Discovery β‘οΈWMI & RDP for Execution β‘οΈRyuk ransomware for Impact thedfirreport.com/2020/10/18/ryuβ¦
