unSafe.sh - Unsafe
ShareFinder: How Threat Actors Discover File Shares
Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the...
2023-01-23 09:11:17 | Reads: 41
The DFIR Report - thedfirreport.com
Tags: network, sharefinder, powershell, queried, sigma
Unwrapping Ursnifs Gifts
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobal...
2023-01-09 10:16:40 | Reads: 58
The DFIR Report - thedfirreport.com
Tags: bd2c, bin1, ursnif, windows, cobalt
Emotet Strikes Again – Lnk File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operat...
2022-11-28 09:13:34 | Reads: 93
thedfirreport.com
Tags: cobalt, remote, windows, rmm, feodo
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector fro...
2022-11-14 09:48:26 | Reads: 33
thedfirreport.com
Tags: bumblebee, cobalt, windows, bypass, rundll32
Follina Exploit Leads to Domain Compromise
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploit...
2022-10-31 08:47:53 | Reads: 40
thedfirreport.com
Tags: 995, qbot, 2222, remote, windows
BumbleBee: Round Two
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. Bu...
2022-09-26 09:05:36 | Reads: 43
thedfirreport.com
Tags: windows, bumblebee, rundll32, remote, x90
Dead or Alive? An Emotet Story
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware...
2022-09-12 08:32:41 | Reads: 42
thedfirreport.com
Tags: hxxps, cobalt, windows, nocase, network
BumbleBee Roasts Its Way to Domain Admin
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector....
2022-08-08 09:36:03 | Reads: 78
thedfirreport.com
Tags: vulnrecon, windows, cobalt, 0x0002, 0x0003
SELECT XMRig FROM SQLServer
In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of t...
2022-07-11 09:51:24 | Reads: 47
thedfirreport.com
Tags: windows, taskkill, miner, bigfile, microsoft
SANS Ransomware Summit 2022, Can You Detect This?
This report is a companion to the SANS Ransomware Summit 2022 “Can You Detect This” presentation t...
2022-06-16 22:20:39 | Reads: 59
thedfirreport.com
Tags: sigma, github, windows, sigmahq, dfir
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
In this multi-day intrusion, we observed a threat actor gain initial access to an organization b...
2022-06-06 09:28:07 | Reads: 77
thedfirreport.com
Tags: msiexec, windows, powershell, ssh, fm2
SEO Poisoning – A Gootloader Story
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initia...
2022-05-09 09:53:53 | Reads: 54
thedfirreport.com
Tags: powershell, cobalt, uo, beacon, windows
Quantum Ransomware
In one of the fastest ransomware cases we have observed, in under four hours the threat actors wen...
2022-04-25 09:16:30 | Reads: 75
thedfirreport.com
Tags: windows, cobalt, icedid, ransomware, beacon
Stolen Images Campaign Ends in Conti Ransomware
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vect...
2022-04-04 09:06:56 | Reads: 74
thedfirreport.com
Tags: cobalt, windows, beacon, icedid, c2
APT35 Automates Initial Access Using ProxyShell
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabil...
2022-03-21 09:55:06 | Reads: 56
thedfirreport.com
Tags: windows, sigma, sigmahq, github, powershell
2021 Year In Review
As we come to the end of the first quarter of 2022, we want to take some time to look back over ou...
2022-03-07 10:30:33 | Reads: 36
thedfirreport.com
Tags: ransomware, cobalt, windows, intrusions, security
Qbot and Zerologon Lead To Full Domain Compromise
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environm...
2022-02-21 10:04:48 | Reads: 50
thedfirreport.com
Tags: qbot, windows, zerologon, cobalt, occured
Qbot Likes to Move It, Move It
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed...
2022-02-07 09:02:36 | Reads: 56
thedfirreport.com
Tags: qbot, windows, microsoft, regsvr32
Cobalt Strike, a Defender’s Guide – Part 2
Our previous article on Cobalt Strike focused on the most frequently used capabilities that we...
2022-01-24 11:03:49 | Reads: 83
thedfirreport.com
Tags: cobalt, c2, beacon, jarm, ja3
Diavol Ransomware
In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported o...
2021-12-13 11:13:31 | Reads: 127
thedfirreport.com
Tags: windows, rubeus, cobalt, ransomware, rundll32