Skip to content
  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Digital Forensics Challenge
      • Leaderboard
      • Digital Forensics Challenge Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Digital Forensics Challenge
    • Leaderboard
    • Digital Forensics Challenge Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Digital Forensics Challenge
      • Leaderboard
      • Digital Forensics Challenge Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
Wednesday, July 02, 2025
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Digital Forensics Challenge
    • Leaderboard
    • Digital Forensics Challenge Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

Search Results for: process injection

Stolen Images Campaign Ends in Conti Ransomware
adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

editor April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

2021 Year In Review
Uncategorized

2021 Year In Review

editor March 7, 2022

As we come to the end of the first quarter of 2022, we want to take some time to look back over our cases from 2021, in aggregate, and look … Read More

Qbot and Zerologon Lead To Full Domain Compromise
adfind cobaltstrike Qbot

Qbot and Zerologon Lead To Full Domain Compromise

editor February 21, 2022

In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot … Read More

Qbot Likes to Move It, Move It
Qbot

Qbot Likes to Move It, Move It

editor February 7, 2022

Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following … Read More

Diavol Ransomware
adfind bazar cobaltstrike diavol ransomware

Diavol Ransomware

editor December 13, 2021

In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of … Read More

CONTInuing the Bazar Ransomware Story
adfind bazar cobaltstrike conti ransomware

CONTInuing the Bazar Ransomware Story

editor November 29, 2021

In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti … Read More

Exchange Exploit Leads to Domain Wide Ransomware
exploit Fast Reverse Proxy PHOSPHORUS Plink ProxyShell ransomware

Exchange Exploit Leads to Domain Wide Ransomware

editor November 15, 2021

In late September 2021, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case … Read More

From Zero to Domain Admin
cobaltstrike exploit hancitor

From Zero to Domain Admin

editor November 1, 2021

Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a … Read More

IcedID to XingLocker Ransomware in 24 hours
adfind cobaltstrike icedid mountlocker xinglocker

IcedID to XingLocker Ransomware in 24 hours

editor October 18, 2021

Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early … Read More

BazarLoader and the Conti Leaks
adfind bazar cobaltstrike

BazarLoader and the Conti Leaks

editor October 4, 2021

Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while … Read More

BazarLoader to Conti Ransomware in 32 Hours
bazar cobaltstrike conti

BazarLoader to Conti Ransomware in 32 Hours

editor September 13, 2021

Intro Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown … Read More

Cobalt Strike, a Defender’s Guide
cobaltstrike Tools

Cobalt Strike, a Defender’s Guide

editor August 29, 2021

Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we … Read More

Trickbot Leads Up to Fake 1Password Installation
cobaltstrike trickbot

Trickbot Leads Up to Fake 1Password Installation

editor August 16, 2021

Intro  Over the past years, Trickbot has established itself as modular and multifunctional malware. Initially focusing on bank credential theft, the Trickbot operators have extended its capabilities. More recently, Trickbot … Read More

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
adfind BazarCall cobaltstrike conti ransomware trickbot

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

editor August 1, 2021

Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which … Read More

From Word to Lateral Movement in 1 Hour
adfind cobaltstrike icedid

From Word to Lateral Movement in 1 Hour

editor June 20, 2021

Introduction  In May 2021, we observed a threat actor conducting an intrusion utilizing the IcedID payloads for initial access. They later performed a number of techniques from host discovery to … Read More

Conti Ransomware
cobaltstrike conti icedid ransomware

Conti Ransomware

editor May 12, 2021

Introduction First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti … Read More

Trickbot Brief: Creds and Beacons
trickbot

Trickbot Brief: Creds and Beacons

editor May 2, 2021

Intro “TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal … Read More

Sodinokibi (aka REvil) Ransomware
adfind cobaltstrike icedid ransomware revil Sodinokibi

Sodinokibi (aka REvil) Ransomware

editor March 29, 2021

Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More

Bazar Drops the Anchor
anchor bazar cobaltstrike

Bazar Drops the Anchor

editor March 8, 2021

Intro The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage … Read More

Trickbot Still Alive and Well
adfind cobaltstrike trickbot

Trickbot Still Alive and Well

editor January 11, 2021

In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read More

Ryuk Speed Run, 2 Hours to Ransom
adfind bazar cobaltstrike ransomware ryuk

Ryuk Speed Run, 2 Hours to Ransom

editor November 5, 2020

Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More

bazarcobalt strikekegtapransomwareryuk

Posts pagination

Previous 1 2 3 Next

Register For Our Next CTF

Reports

Threat Intelligence

Detection Rules

DFIR Labs

Mentoring and Coaching

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved