Mattison Schuch (@MittenSec)

645 posts

Cybersecurity fanatic! 💾 DFIR 👾 Malware Reversing 🔎 Threat Hunting @TheDFIRReport member

Mitten state · Joined March 2017
1.1K Following · 526 Followers
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and... 1/3
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
🎉 Announcing DFIR Labs! 🎉 Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help. 1/2
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
🚀 Exciting News Coming Soon! 🌟 🔍 We're launching an innovative platform to help boost your DFIR skills! 🙏 Thanks to our beta testers - your feedback was invaluable! ✨ Curious for a sneak peek? Head to our site to see what's coming!
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
⭐️New report out Monday 10/30 by @iiamaleks, @MittenSec, & @Miixxedup!!⭐️ ✉️Initial Access began with a ZIP file delivered to a victim through email, which eventually led to NetSupport. ➡️Want to receive an email when we publish a new report? ➡️➡️thedfirreport.com/subscribe/
Mattison Schuch retweeted
Stephan Berger (@malmoeb)
1/ On a recent BEC investigation, I noticed the entry "Fraud reported - user is blocked for MFA" within the #Azure Audit logs from the compromised user (see screenshot below). I've never encountered this Activity, so let's dig in. 🧵
Mattison Schuch retweeted
Microsoft Threat Intelligence (@MsftSecIntel)
A macOS vulnerability could allow an attacker with root access to bypass System Integrity Protection (SIP) and perform arbitrary operations on a device. Learn more about CVE-2023-32369, which we refer to as “Migraine”, and its patch in our latest blog: msft.it/6018gegrs
Mattison Schuch retweeted
Microsoft Threat Intelligence (@MsftSecIntel)
Volt Typhoon, a Chinese state-sponsored actor, uses living-off-the-land (LotL) and hands-on-keyboard TTPs to evade detection and persist in an espionage campaign targeting critical infrastructure organizations in Guam and the rest of the United States. msft.it/6019gj8eH
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
IcedID Macro Ends in Nokoyawa Ransomware ➡️Initial Access: IcedID XLS Macro ➡️Credentials: LSASS, Creds in Files ➡️Persistence: Scheduled Task ➡️Lateral: RDP, SMB, WMI, WinRM, Psexec ➡️C2: IcedID, Cobalt Strike, VNC ➡️Impact: Nokoyawa Ransomware thedfirreport.com/2023/05/22/ice… 1/X
Mattison Schuch (@MittenSec)
RT @SentinelOne: 🍎 New from the front lines! The development of a Go implementation of CobaltStrike called ‘Geacon’ appears to be bringing…
Mattison Schuch retweeted
R A W S A L E R T S (@rawsalerts)
🚨#BREAKING: City of Dallas disrupted by large cyberattack impacting multiple services

📌#Dallas | #Texas

The City of Dallas, in Texas, experienced a large cyberattack that affected many important computer systems. As a result, it became difficult for the city to function properly. For instance, the computer-assisted dispatch system used by 911 dispatchers was not working, so they had to write down reports and give them to officers manually instead of submitting them electronically. To keep the attack from spreading, the city had to turn off some of its IT systems.
Mattison Schuch retweeted
ESET Research (@ESETresearch)
#ESETResearch confirms Lazarus is linked to the recent #3CX supply-chain attacks. Based on code similarities and network infrastructure, we connect the 3CX incident with a Linux case of DreamJob, a long-term Lazarus operation using job offers as lures. 1/6 welivesecurity.com/2023/04/20/lin…
Mattison Schuch retweeted
rootsecdev (@rootsecdev)
Are you into cloud hacking? Got an MS Graph token but unsure what to do with it? Do you want to forge your own primary refresh token with a malicious device registration? I got you covered. Bypass MFA like a boss with this guide. #Azure trustedsec.com/blog/hacking-y…
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
Malicious ISO File Leads to Domain Wide Ransomware ➡️Initial Access: IcedID ISO ➡️Credentials: DCsync ➡️PrivEsc: ZeroLogon ➡️Lateral: RDP, SMB/Remote Service, WMI ➡️C2: IcedID, Cobalt Strike, Anydesk ➡️Exfil: Rclone to Mega ➡️Impact: Quantum Ransomware thedfirreport.com/2023/04/03/mal…
Mattison Schuch retweeted
Azeria (@Fox0x01)
Finally! My new book "Arm Assembly Internals & Reverse Engineering" is up for pre-order! Save the date for the official launch on May 9th. Can't wait for you to dive into the world of Arm Assembly! Check out the official book website for more info: arm-assembly.com
Mattison Schuch retweeted
The DFIR Report (@TheDFIRReport)
Collect, Exfiltrate, Sleep, Repeat ➡️Initial Access: Job App VBA Maldoc ➡️Discovery: PS Cmdlets, net, tzutil, etc. ➡️Persistence: Scheduled Tasks ➡️Collection: AutoHotkey Keylogger, Compress-Archive, makecab.exe ➡️C2: Custom PowerShell Framework thedfirreport.com/2023/02/06/col… 1/X