The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

Monday, July 14, 2025
Search Results for: netscan

Hide Your RDP: Password Spray Leads to RansomHub Deployment
ransomhub ransomware rdp

editor June 30, 2025

Key Takeaways Case Summary This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted … Read More

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
elpacoteam mimic ransomware

editor May 19, 2025

Key Takeaways The DFIR Report Services Table of Contents: Case Summary In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP … Read More

Confluence Exploit Leads to LockBit Ransomware
exploit lockbit ransomware

editor February 24, 2025

Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor … Read More

The Curious Case of an Egg-Cellent Resume
cobaltstrike more_eggs

editor December 2, 2024

Key Takeaways Private Threat Briefs: Over 20 private DFIR reports annually. Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc. All Intel: Includes everything from … Read More

BlackSuit Ransomware
adfind blacksuit cobaltstrike ransomware

editor August 26, 2024

Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor … Read More

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
alphv cobaltstrike icedid ransomware

editor June 10, 2024

Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More

From IcedID to Dagon Locker Ransomware in 29 Days
adfind cobaltstrike dagonlocker icedid

editor April 29, 2024

Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was … Read More

From OneNote to RansomNote: An Ice Cold Intrusion
adfind Exfiltrate Data icedid nokoyawa ransomware

editor April 1, 2024

Key Takeaways We provide a range of services, one of which is our Threat Feed, specializing in monitoring Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, … Read More

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
Exfiltrate Data ransomware rdp trigona

editor January 29, 2024

Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On … Read More

NetSupport Intrusion Results in Domain Compromise
netsupport

editor October 30, 2023

NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report … Read More

From ScreenConnect to Hive Ransomware in 61 hours
cobaltstrike Hive ransomware wmiexec

editor September 25, 2023

In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More

HTML Smuggling Leads to Domain Wide Ransomware
adfind Attribution icedid nokoyawa ransomware

editor August 28, 2023

We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved … Read More

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
adfind cobaltstrike ransomware

editor November 28, 2022

In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight day period. During this time period, multiple rounds of … Read More

Follina Exploit Leads to Domain Compromise
adfind cobaltstrike Qbot

editor October 31, 2022

In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also known … Read More

SEO Poisoning – A Gootloader Story
cobaltstrike gootloader lazagne psexec

editor May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

Trickbot Leads Up to Fake 1Password Installation
cobaltstrike trickbot

editor August 16, 2021

Intro Over the past years, Trickbot has established itself as modular and multifunctional malware. Initially focusing on bank credential theft, the Trickbot operators have extended its capabilities. More recently, Trickbot … Read More

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
adfind BazarCall cobaltstrike conti ransomware trickbot

editor August 1, 2021

Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which … Read More

Bazar, No Ryuk?
adfind bazar cobaltstrike ryuk

editor January 31, 2021

Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved