Skip to content
  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
Thursday, May 15, 2025
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

Category: Exfiltrate Data

From OneNote to RansomNote: An Ice Cold Intrusion
adfind Exfiltrate Data icedid nokoyawa ransomware

From OneNote to RansomNote: An Ice Cold Intrusion

April 1, 2024

Key Takeaways We provide a range of services, one of which is our Threat Feed, specializing in monitoring Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, … Read More

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
Exfiltrate Data ransomware rdp trigona

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours

January 29, 2024

Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On … Read More

A Truly Graceful Wipe Out
adfind Attribution cobaltstrike Exfiltrate Data FIN11 FlawedGrace Lace Tempest truebot

A Truly Graceful Wipe Out

June 12, 2023

In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More

Unwrapping Ursnifs Gifts
cobaltstrike Exfiltrate Data ursnif wmiexec

Unwrapping Ursnifs Gifts

January 9, 2023

In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment … Read More

Dead or Alive? An Emotet Story
adfind cobaltstrike emotet Exfiltrate Data Kerberoast ShareFinder

Dead or Alive? An Emotet Story

September 12, 2022

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
CVE-2021-44077 Exfiltrate Data exploit Plink

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

June 6, 2022

In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the … Read More

Register For Our Next CTF

Reports

Threat Intelligence

Detection Rules

DFIR Labs

Mentoring and Coaching

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved