Skip to content
  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
Wednesday, May 28, 2025
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

Category: exploit

Confluence Exploit Leads to LockBit Ransomware
exploit lockbit ransomware

Confluence Exploit Leads to LockBit Ransomware

February 24, 2025

Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor … Read More

SELECT XMRig FROM SQLServer
coinminer exploit

SELECT XMRig FROM SQLServer

July 11, 2022

In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
CVE-2021-44077 Exfiltrate Data exploit Plink

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

June 6, 2022

In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the … Read More

Stolen Images Campaign Ends in Conti Ransomware
adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

PHOSPHORUS Automates Initial Access Using ProxyShell
exploit Fast Reverse Proxy PHOSPHORUS ProxyShell

PHOSPHORUS Automates Initial Access Using ProxyShell

March 21, 2022

In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks … Read More

Exchange Exploit Leads to Domain Wide Ransomware
exploit Fast Reverse Proxy PHOSPHORUS Plink ProxyShell ransomware

Exchange Exploit Leads to Domain Wide Ransomware

November 15, 2021

In late September 2021, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case … Read More

From Zero to Domain Admin
cobaltstrike exploit hancitor

From Zero to Domain Admin

November 1, 2021

Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a … Read More

Cryptominers Exploiting WebLogic RCE CVE-2020-14882
cryptominer CVE-2020-14882 exploit

Cryptominers Exploiting WebLogic RCE CVE-2020-14882

November 12, 2020

Intro Towards the end of October, we started seeing attackers take advantage of a WebLogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, … Read More

Register For Our Next CTF

Reports

Threat Intelligence

Detection Rules

DFIR Labs

Mentoring and Coaching

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved