Skip to content
  • Analysts
  • Contact Us
  • Services

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Analysts
  • Contact Us
  • Services
Tuesday, October 04, 2022
BumbleBee: Round Two
adfind bumblebee cobaltstrike Meterpreter

BumbleBee: Round Two

September 26, 2022

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More

Dead or Alive? An Emotet Story
adfind cobaltstrike emotet Exfiltrate Data Kerberoast ShareFinder

Dead or Alive? An Emotet Story

September 12, 2022

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More

BumbleBee Roasts Its Way to Domain Admin
adfind bumblebee cobaltstrike Kerberoast ShareFinder

BumbleBee Roasts Its Way to Domain Admin

August 8, 2022

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More

SELECT XMRig FROM SQLServer
coinminer exploit

SELECT XMRig FROM SQLServer

July 11, 2022

In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More

SANS Ransomware Summit 2022, Can You Detect This?
Conference

SANS Ransomware Summit 2022, Can You Detect This?

June 16, 2022

This report is a companion to the SANS Ransomware Summit 2022 “Can You Detect This” presentation today 6/16/22 @ 14:40 UTC (10:40 AM ET). Slides: SANS Ransomware Summit 2022 – … Read More

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
CVE-2021-44077 Exfiltrate Data exploit Plink

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

June 6, 2022

In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the … Read More

SEO Poisoning – A Gootloader Story
cobaltstrike gootloader lazagne psexec

SEO Poisoning – A Gootloader Story

May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

Quantum Ransomware
adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

Stolen Images Campaign Ends in Conti Ransomware
adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

APT35 Automates Initial Access Using ProxyShell
APT35 exploit Fast Reverse Proxy ProxyShell

APT35 Automates Initial Access Using ProxyShell

March 21, 2022

In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks … Read More

Posts navigation

1 2 … 6 Next

Translate

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow us on Twitter

My Tweets

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Proudly powered by WordPress | Theme: FreeNews | By ThemeSpiral.com.