Skip to content
  • Analysts
  • Contact Us
  • Services
  • Subscribe

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Analysts
  • Contact Us
  • Services
  • Subscribe
Monday, March 20, 2023

Category: psexec

SEO Poisoning – A Gootloader Story
cobaltstrike gootloader lazagne psexec

SEO Poisoning – A Gootloader Story

May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

Quantum Ransomware
adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

PYSA/Mespinoza Ransomware
empire koadic mespinoza psexec ransomware rdp

PYSA/Mespinoza Ransomware

November 23, 2020

Intro Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many … Read More

empirekoadicmespinozaransomwarerdp
NetWalker Ransomware in 1 Hour
adfind cobaltstrike psexec ransomware rdp

NetWalker Ransomware in 1 Hour

August 31, 2020

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Tweets by TheDFIRReport

Copyright 2023 | The DFIR Report | All Rights Reserved