Skip to content
  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Digital Forensics Challenge
      • Leaderboard
      • Digital Forensics Challenge Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Digital Forensics Challenge
    • Leaderboard
    • Digital Forensics Challenge Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Digital Forensics Challenge
      • Leaderboard
      • Digital Forensics Challenge Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
Sunday, July 06, 2025
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Digital Forensics Challenge
    • Leaderboard
    • Digital Forensics Challenge Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

Search Results for: 72a589da586844d7f0818ce684948eea

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
blackcat cobaltstrike ransomware sliver

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

editor September 30, 2024

Key Takeaways Contact us today for pricing or a demo! Table of Contents: Case Summary Analysts Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command … Read More

SEO Poisoning to Domain Control: The Gootloader Saga Continues
gootloader

SEO Poisoning to Domain Control: The Gootloader Saga Continues

editor February 26, 2024

Key Takeaways More information about Gootloader can be found in the following reports: The DFIR Report, GootloaderSites, Mandiant, Red Canary, & Kroll. An audio version of this report can be … Read More

HTML Smuggling Leads to Domain Wide Ransomware
adfind Attribution icedid nokoyawa ransomware

HTML Smuggling Leads to Domain Wide Ransomware

editor August 28, 2023

We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved … Read More

A Truly Graceful Wipe Out
adfind Attribution cobaltstrike Exfiltrate Data FIN11 FlawedGrace Lace Tempest truebot

A Truly Graceful Wipe Out

editor June 12, 2023

In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More

IcedID Macro Ends in Nokoyawa Ransomware
adfind cobaltstrike icedid macro nokoyawa ransomware xls

IcedID Macro Ends in Nokoyawa Ransomware

editor May 22, 2023

Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More

Malicious ISO File Leads to Domain Wide Ransomware
adfind cobaltstrike icedid quantum ransomware rclone ShareFinder

Malicious ISO File Leads to Domain Wide Ransomware

editor April 3, 2023

IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and … Read More

2022 Year in Review
Year in Review

2022 Year in Review

editor March 6, 2023

As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More

Unwrapping Ursnifs Gifts
cobaltstrike Exfiltrate Data ursnif wmiexec

Unwrapping Ursnifs Gifts

editor January 9, 2023

In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment … Read More

Follina Exploit Leads to Domain Compromise
adfind cobaltstrike Qbot

Follina Exploit Leads to Domain Compromise

editor October 31, 2022

In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also known … Read More

Dead or Alive? An Emotet Story
adfind cobaltstrike emotet Exfiltrate Data Kerberoast ShareFinder

Dead or Alive? An Emotet Story

editor September 12, 2022

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More

SEO Poisoning – A Gootloader Story
cobaltstrike gootloader lazagne psexec

SEO Poisoning – A Gootloader Story

editor May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

Quantum Ransomware
adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

editor April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

Qbot Likes to Move It, Move It
Qbot

Qbot Likes to Move It, Move It

editor February 7, 2022

Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following … Read More

Cobalt Strike, a Defender’s Guide – Part 2
cobaltstrike

Cobalt Strike, a Defender’s Guide – Part 2

editor January 24, 2022

Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we will focus on the network traffic it produced, and provide … Read More

Diavol Ransomware
adfind bazar cobaltstrike diavol ransomware

Diavol Ransomware

editor December 13, 2021

In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of … Read More

CONTInuing the Bazar Ransomware Story
adfind bazar cobaltstrike conti ransomware

CONTInuing the Bazar Ransomware Story

editor November 29, 2021

In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti … Read More

From Zero to Domain Admin
cobaltstrike exploit hancitor

From Zero to Domain Admin

editor November 1, 2021

Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a … Read More

BazarLoader to Conti Ransomware in 32 Hours
bazar cobaltstrike conti

BazarLoader to Conti Ransomware in 32 Hours

editor September 13, 2021

Intro Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown … Read More

Cobalt Strike, a Defender’s Guide
cobaltstrike Tools

Cobalt Strike, a Defender’s Guide

editor August 29, 2021

Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we … Read More

Hancitor Continues to Push Cobalt Strike
cobaltstrike hancitor

Hancitor Continues to Push Cobalt Strike

editor June 28, 2021

First observed in 2014, Hancitor (also known as Chanitor and Tordal) is a downloader trojan that has been used to deliver multiple different malware such as Pony, Vawtrak, and DELoader. … Read More

Sodinokibi (aka REvil) Ransomware
adfind cobaltstrike icedid ransomware revil Sodinokibi

Sodinokibi (aka REvil) Ransomware

editor March 29, 2021

Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More

Posts pagination

1 2 Next

Register For Our Next CTF

Reports

Threat Intelligence

Detection Rules

DFIR Labs

Mentoring and Coaching

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved