Skip to content
  • Artifacts
  • Contact Us
  • Help Support This Project
  • Sponsors
  • Store

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Artifacts
  • Contact Us
  • Help Support This Project
  • Sponsors
  • Store
Tuesday, January 19, 2021

Category: cobaltstrike

Trickbot Still Alive and Well
adfind cobaltstrike trickbot

Trickbot Still Alive and Well

January 11, 2021

In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read More

Ryuk Speed Run, 2 Hours to Ransom
adfind bazar cobaltstrike ransomware ryuk

Ryuk Speed Run, 2 Hours to Ransom

November 5, 2020

Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More

bazarcobalt strikekegtapransomwareryuk
Ryuk in 5 Hours
adfind bazar cobaltstrike ransomware rdp ryuk yara

Ryuk in 5 Hours

October 18, 2020

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

adfindbazarcobalt strikekegtapmalspamryuk
Ryuk’s Return
adfind bazar cobaltstrike ransomware ryuk

Ryuk’s Return

October 8, 2020

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

adfindbazarcobalt strikekegtapryuk
NetWalker Ransomware in 1 Hour
adfind cobaltstrike psexec ransomware rdp

NetWalker Ransomware in 1 Hour

August 31, 2020

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Tricky Pyxie
cobaltstrike pyxie trickbot

Tricky Pyxie

April 30, 2020

Trickbot has been seen often as a payload dropped by other malware like Emotet, and has been seen dropping many payloads, most notably ransomware. But while Emotet sleeps it may … Read More

bloodhoundcobalt strikepyxietrickbot
Ursnif via LOLbins
cobaltstrike tvrat ursnif

Ursnif via LOLbins

April 24, 2020

Ursnif is a variant of the Gozi malware family has recently been responsible for a growing campaign targeting various entities across North America and Europe. The campaign looks to have … Read More

cobalt strikemalspamphishingtvratursnif

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow us on Twitter

My Tweets

Recent Posts: The DFIR Report

Ryuk in 5 Hours

Ryuk in 5 Hours

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

Ryuk’s Return

Ryuk’s Return

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

NetWalker Ransomware in 1 Hour

NetWalker Ransomware in 1 Hour

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Dridex – From Word to Domain Dominance

Dridex – From Word to Domain Dominance

Ransomware Again…But We Changed the RDP Port!?!?!

Ransomware Again…But We Changed the RDP Port!?!?!

Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More

Translate

Proudly powered by WordPress | Theme: FreeNews | By ThemeSpiral.com.