Meet The Team
Kostas: Kostas has practical experience and a clear grasp of the ever-changing world of information security. His approach is anchored in clarity, patience, and real-world adaptability. Committed to your success, …
Real Intrusions by Real Attackers, The Truth Behind the Intrusion
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire and BARBWIRE), resulting in the exfiltration of data and the deployment …
As we move into the new year, it is important to reflect on some of the key changes and developments we observed and reported on in 2022. This year's year-in-review report …
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment …
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector used by several ransomware affiliates. …
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group …
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the …
In one of the fastest ransomware cases we have observed, the threat actors went from initial access to domain-wide ransomware in under four hours. The initial access vector for …
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks …
Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we focus on the network traffic it produced and provide …
In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case were …