pcsc0ut.bsky.social
@pcsc0ut.bsky.social
DFIR, Cybersecurity
Reposted
thedfirreport.com/2025/05/19/a...
It was fun working on this report with @pcsc0ut.bsky.social & 0xtornado. I hope my #threathunting friends will find it helpful. We came up with a new detection for Impacket tools in this investigation.
ALT: a cat and a dog are looking at each other with the words "the dust another one" written above them
May 19, 2025 at 7:19 AM
Reposted
🌟New report out today!🌟

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

Analysis and reporting completed by @pcsc0ut.bsky.social, @irishdeath.bsky.social & @0xtornado

🔊Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/05/19/a...
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
Key Takeaways The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution. Using this access…
thedfirreport.com
May 19, 2025 at 11:24 AM
Reposted
PYSA/Mespinoza Ransomware

➡️TTR 7.5 hours
➡️Koadic and Empire for C2
➡️7+ Credential Access techniques
➡️ADRecon, APS, quser, arp, and nltest for Discovery
➡️RDP and PsExec for Lateral Movement
➡️Files exfiltrated
➡️PYSA ransomware for Impact

Report link ⬇️
March 13, 2025 at 2:18 PM
Reposted
🌟New report out today!🌟

Confluence Exploit Leads to LockBit Ransomware

Analysis & reporting completed by Angelo Violetti, @malforsec, & @teddy_ROxPin

Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/02/24/c...
Confluence Exploit Leads to LockBit Ransomware
Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…
thedfirreport.com
February 24, 2025 at 12:48 PM
Reposted
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

➡️Initial Access: CVE-2021-44077 exploited
➡️Execution: Web shell
➡️Credential Access: WDigest + MiniDump
➡️Lat Movement: RDP using Plink
➡️Exfiltration: Sensitive data exfilled

thedfirreport.com/2022/06/06/w...
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files o…
thedfirreport.com
February 5, 2025 at 5:23 PM
Reposted
🌟New report out today!🌟

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

Analysis & reporting completed by @r3nzsec, @MyDFIR & @MittenSec.

Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/01/27/c...
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Key Takeaways This intrusion began with the download and execution of a Cobalt Strike beacon that impersonated a Windows Media Configuration Utility. The threat actor used Rclone to exfiltrate data…
thedfirreport.com
January 27, 2025 at 12:55 PM