The DFIR Report - Page 4 of 4 - Real Intrusions by Real Attackers, The Truth Behind the Intrusion

cobaltstrike tvrat ursnif

Ursnif via LOLbins

Ursnif is a variant of the Gozi malware family has recently been responsible for a growing campaign targeting various entities across North America and Europe. The campaign looks to have … Read More

cryptominer rdp

Sqlserver, or the Miner in the Basement

A threat actor logged into the honeypot via RDP and installed XMRig with multiple persistence mechanisms. The actor used icacls and attrib to lock down directories and files to make … Read More

Dharma Ransomware

An attacker logged into the honeypot via RDP from 178.239.173[.]172. Within 10 minutes the attacker went from local admin, to domain admin to installing ransomware on multiple machines. The attacker … Read More

GoGoogle Ransomware

An attacker logged into the honeypot from 93.174.95[.]73, disabled security tools, dropped their toolkit and started recon. Recon was quickly followed by an onslaught of password dumping tools such as … Read More

Ryuk in 5 Hours

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

Ryuk’s Return

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

NetWalker Ransomware in 1 Hour

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Dridex – From Word to Domain Dominance

Ransomware Again…But We Changed the RDP Port!?!?!

Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More