Skip to content
  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
Wednesday, June 18, 2025
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

Search Results for: rclone

Confluence Exploit Leads to LockBit Ransomware
exploit lockbit ransomware

Confluence Exploit Leads to LockBit Ransomware

editor February 24, 2025

Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor … Read More

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
cobaltstrike lockbit ransomware

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

editor January 27, 2025

Key Takeaways Case Summary This intrusion began near the end of January 2024 when the user downloaded and executed a file using the same name (setup_wm.exe) and executable icon, as … Read More

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
alphv cobaltstrike icedid ransomware

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

editor June 10, 2024

Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More

From IcedID to Dagon Locker Ransomware in 29 Days
adfind cobaltstrike dagonlocker icedid

From IcedID to Dagon Locker Ransomware in 29 Days

editor April 29, 2024

Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was … Read More

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
Exfiltrate Data ransomware rdp trigona

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours

editor January 29, 2024

Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On … Read More

From ScreenConnect to Hive Ransomware in 61 hours
cobaltstrike Hive ransomware wmiexec

From ScreenConnect to Hive Ransomware in 61 hours

editor September 25, 2023

In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More

Malicious ISO File Leads to Domain Wide Ransomware
adfind cobaltstrike icedid quantum ransomware rclone ShareFinder

Malicious ISO File Leads to Domain Wide Ransomware

editor April 3, 2023

IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and … Read More

2022 Year in Review
Year in Review

2022 Year in Review

editor March 6, 2023

As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
adfind cobaltstrike ransomware

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

editor November 28, 2022

In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of … Read More

Dead or Alive? An Emotet Story
adfind cobaltstrike emotet Exfiltrate Data Kerberoast ShareFinder

Dead or Alive? An Emotet Story

editor September 12, 2022

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More

SANS Ransomware Summit 2022, Can You Detect This?
Conference

SANS Ransomware Summit 2022, Can You Detect This?

editor June 16, 2022

This report is a companion to the SANS Ransomware Summit 2022 “Can You Detect This” presentation today 6/16/22 @ 14:40 UTC (10:40 AM ET). Slides: SANS Ransomware Summit 2022 – … Read More

2021 Year In Review
Uncategorized

2021 Year In Review

editor March 7, 2022

As we come to the end of the first quarter of 2022, we want to take some time to look back over our cases from 2021, in aggregate, and look … Read More

CONTInuing the Bazar Ransomware Story
adfind bazar cobaltstrike conti ransomware

CONTInuing the Bazar Ransomware Story

editor November 29, 2021

In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti … Read More

BazarLoader and the Conti Leaks
adfind bazar cobaltstrike

BazarLoader and the Conti Leaks

editor October 4, 2021

Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while … Read More

Sodinokibi (aka REvil) Ransomware
adfind cobaltstrike icedid ransomware revil Sodinokibi

Sodinokibi (aka REvil) Ransomware

editor March 29, 2021

Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More

Register For Our Next CTF

Reports

Threat Intelligence

Detection Rules

DFIR Labs

Mentoring and Coaching

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved