Inside the Open Directory of the “You Dun” Threat Group
Key Takeaways The DFIR Report Services Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 … Read More
Category: cobaltstrike
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
Key Takeaways Contact us today for pricing or a demo! Table of Contents: Case Summary Analysts Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command … Read More
BlackSuit Ransomware
Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor … Read More
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More
From IcedID to Dagon Locker Ransomware in 29 Days
Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was … Read More
SQL Brute Force Leads to BlueSky Ransomware
In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and … Read More
From ScreenConnect to Hive Ransomware in 61 hours
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More
A Truly Graceful Wipe Out
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More
IcedID Macro Ends in Nokoyawa Ransomware
Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More
Malicious ISO File Leads to Domain Wide Ransomware
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and … Read More
Unwrapping Ursnifs Gifts
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment … Read More
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of … Read More
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, … Read More
Follina Exploit Leads to Domain Compromise
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also known … Read More
BumbleBee: Round Two
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More
Dead or Alive? An Emotet Story
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More
BumbleBee Roasts Its Way to Domain Admin
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More
SEO Poisoning – A Gootloader Story
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More
Quantum Ransomware
In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More
Stolen Images Campaign Ends in Conti Ransomware
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More
Qbot and Zerologon Lead To Full Domain Compromise
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot … Read More