The DFIR Report - Blog post I worked on

If you've arrived here, you're probably aware that I've been working with the guys from The DFIR Report for several years. To make it easier for readers who want to know which reports I worked on, I've included all of the references below:

• WebLogic RCE Leads to XMRig

WebLogic RCE Leads to XMRig

Intro This report will review an intrusion where, the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020–14882) to gain initial access to the system before inst…

The DFIR ReportSkip to content

• From Zero to Domain Admin

From Zero to Domain Admin

Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Up…

The DFIR ReportSkip to content

• Exchange Exploit Leads to Domain Wide Ransomware

Exchange Exploit Leads to Domain Wide Ransomware

Intro In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case we…

The DFIR ReportSkip to content

• Diavol Ransomware

Diavol Ransomware

In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Di…

The DFIR ReportSkip to content

• APT35 Automates Initial Access Using ProxyShell

APT35 Automates Initial Access Using ProxyShell

In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities an…

The DFIR ReportSkip to content

• Quantum Ransomware

Quantum Ransomware

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an Ic…

The DFIR ReportSkip to content

• BumbleBee Zeros in on Meterpreter

BumbleBee Zeros in on Meterpreter

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, … Read More

The DFIR Reporteditor

• Emotet Strikes Again – Lnk File Leads to Domain Wide Ransomware

Emotet Strikes Again - Lnk File Leads to Domain Wide Ransomware - The DFIR Report

In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of … Read More

The DFIR Reporteditor

• 2022 Year in Review

2022 Year in Review - The DFIR Report

As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More

The DFIR Reporteditor