2023 – The DFIR Report

metasploit opendir sliver

Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity

December 18, 2023

This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In … Read More

bluesky cobaltstrike ransomware

SQL Brute Force Leads to BlueSky Ransomware

December 4, 2023

In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and … Read More

netsupport

NetSupport Intrusion Results in Domain Compromise

October 30, 2023

NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report … Read More

cobaltstrike Hive ransomware wmiexec

From ScreenConnect to Hive Ransomware in 61 hours

September 25, 2023

In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More

adfind Attribution icedid nokoyawa ransomware

HTML Smuggling Leads to Domain Wide Ransomware

August 28, 2023

We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved … Read More

adfind Attribution cobaltstrike Exfiltrate Data FIN11 FlawedGrace Lace Tempest truebot

A Truly Graceful Wipe Out

June 12, 2023

In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More

adfind cobaltstrike icedid macro nokoyawa ransomware xls

IcedID Macro Ends in Nokoyawa Ransomware

May 22, 2023

Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More

adfind cobaltstrike icedid quantum ransomware rclone ShareFinder

Malicious ISO File Leads to Domain Wide Ransomware

April 3, 2023

IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and … Read More

Year in Review

2022 Year in Review

March 6, 2023

As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More

autohotkey keylogger

Collect, Exfiltrate, Sleep, Repeat

February 6, 2023

In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command … Read More

sharefinder Tools

ShareFinder: How Threat Actors Discover File Shares

January 23, 2023

Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all … Read More

cobaltstrike Exfiltrate Data ursnif wmiexec

Unwrapping Ursnifs Gifts

January 9, 2023

In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment … Read More