
From thedfirreport.com

BlackSuit Ransomware

Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged va…

#infosec #malware #Ransomware #threatintel #cybersecurity

on Aug 26

From thedfirreport.com

Stolen Images Campaign Ends in Conti Ransomware

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017; it is usually delivered via malspam ca…

on Wed, 12PM

From thedfirreport.com

Quantum Ransomware

In one of the fastest ransomware cases we have observed, the threat actors went from initial access to domain-wide ransomware in under four hours. The initial access vector for this case was an Ic…

on Nov 8

From thedfirreport.com

Dagon Locker Ransomware - Private Case #23825

This lab is based on a Private Threat Brief that starts with IcedID and ends in Dagon Locker Ransomware. To read more about DFIR Labs click here. Your access time starts at purchase time. You will receive an email within 5 minutes of purchase with instructions on how to connect to the lab....

on Oct 18

From thedfirreport.com

BlackSuit Ransomware - Private Case #29354

This lab is based on a Private Threat Brief that starts with a phishing vector for the initial access via malware and ends in BlackSuit Ransomware. To read more about DFIR Labs click here. Your access time starts at purchase time. You will receive an email within 5 minutes of purchase with...

on Oct 10

From thedfirreport.com

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

Key Takeaways In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sli…

on Sep 30

From thedfirreport.com

Backdoors and LockBit - Private Case #27138

This case involves a sophisticated multi-day intrusion that began with the execution of a malicious file and ended in LockBit Ransomware. To read more about DFIR Labs click here. Your access time starts at purchase time. You will receive an email within 5 minutes of purchase...

on Sep 27

From thedfirreport.com

Cobalt Strike, a Defender’s Guide – Part 2

Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we will focus on the network traffic it produced, and provide some easy w…

on Sep 10

From thedfirreport.com

CTF Winners

Welcome to the DFIR Labs Capture The Flag (CTF) winners page! Our CTFs challenge cybersecurity enthusiasts from all around the globe. The following tables list the top performers from our recent CT…

on Sep 5

From thedfirreport.com

Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts

Key Takeaways In early December of 2023, we discovered an open directory filled with batch scripts, primarily designed for defense evasion and executing command and control payloads. These scripts …

on Aug 12

From thedfirreport.com

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

Key Takeaways In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…

on Jun 26

From thedfirreport.com

Threat Intelligence

Threat Feed Our Threat Feed service specializes in monitoring Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, Meterpreter, and more. This feed comprise…

on Jun 26

From thedfirreport.com

Capture The Flag (CTF)

Get ready to elevate your DFIR skills with our exciting DFIR Labs Capture The Flag (CTF) competition! This event will immerse you in real-world intrusion scenarios, crafted to evaluate various face…

on Jun 25

From thedfirreport.com

DFIR Labs Leaderboard

Points are awarded when a quiz is successfully passed for the first time. Your score is calculated by multiplying the number of correct answers by the difficulty level of the case, as indicated bel…

on May 7

From thedfirreport.com

Exchange Exploit Leads to Domain Wide Ransomware

In late September 2021, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case wer…

on May 6

From thedfirreport.com

From IcedID to Dagon Locker Ransomware in 29 Days

Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was …

on May 5

From thedfirreport.com

DFIR Labs

Explore Real-World Cybersecurity Intrusions with Our Interactive DFIR Labs! Our cloud-based DFIR (Digital Forensics and Incident Response) Labs offer a hands-on learning experience, using real data from real intrusions.

on Apr 8

From thedfirreport.com

From OneNote to RansomNote: An Ice Cold Intrusion

Key Takeaways We provide a range of services, one of which is our Threat Feed, specializing in monitoring Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, …

on Apr 2

From thedfirreport.com

Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE

Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, …

on Mar 4

From thedfirreport.com

SEO Poisoning to Domain Control: The Gootloader Saga Continues

Key Takeaways More information about Gootloader can be found in the following reports: The DFIR Report, GootloaderSites, Mandiant, Red Canary, & Kroll. An audio version of this report can be …

on Mar 1

From thedfirreport.com

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours

Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On …

on Jan 29

From thedfirreport.com

Detection Rules

This private ruleset focuses on Sigma but will include YARA and Suricata over time. These rules are developed from Private Threat Briefs or internal cases. All rules developed for public …

on Jan 24

From thedfirreport.com

IcedID Macro Ends in Nokoyawa Ransomware

Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can …

on Jan 1

From thedfirreport.com

ShareFinder: How Threat Actors Discover File Shares

Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all …

on Jan 1

From thedfirreport.com

Collect, Exfiltrate, Sleep, Repeat

In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command …

on Jan 1

From thedfirreport.com

Unwrapping Ursnifs Gifts

In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment …

on Jan 1

From thedfirreport.com

From ScreenConnect to Hive Ransomware in 61 hours

In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such …

on Jan 1

From thedfirreport.com

Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity

This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In …

on Dec 18

From thedfirreport.com

SQL Brute Force leads to Bluesky Ransomware

In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and …

on Dec 4

From thedfirreport.com

Netsupport Intrusion Results in Domain Compromise

NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report …

on Oct 30, 2023