Pierre
@pigerlin

71 posts

Analyst @TheDFIRReport | Passionate about all things DFIR 🇳🇱

Joined April 2011
137 Following, 753 Followers
Pierre retweeted
The DFIR Report @TheDFIRReport
🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️
Pierre retweeted
The DFIR Report @TheDFIRReport
New report out Monday 12/4 by @yatinwad! ➡️This intrusion starts with an MSSQL server being brute forced and ends in BlueSky ransomware. ➡️The threat actor went from initial access to network wide ransomware in under 1 hour.
Pierre retweeted
The DFIR Report @TheDFIRReport
HTML Smuggling Leads to Domain Wide Ransomware ➡️Initial Access: Thread-Hijacked Email > HTML Attachment ➡️Credentials: LSASS Access, SessionGopher ➡️Lateral Movement: RDP, PsExec ➡️C2: IcedID, Cobalt Strike ➡️Impact: Nokoyawa Ransomware thedfirreport.com/2023/08/28/htm… 1/X
Pierre retweeted
The DFIR Report @TheDFIRReport
A Truly Graceful Wipe Out ➡️Initial Access: Email > TDS > Truebot download ➡️Credentials: LSASS & Registry Dump ➡️Persistence: Scheduled Task ➡️C2: Truebot, FlawedGrace, Cobalt Strike ➡️Exfiltration: FlawedGrace ➡️Impact: MBR Killer thedfirreport.com/2023/06/12/a-t… 1/X
Pierre retweeted
The DFIR Report @TheDFIRReport
Here's an interesting batch script you'll see in an upcoming report: ➡️Do you know what it's doing? ➡️Would you struggle to do analysis on a system if it ran? Why or why not? ➡️Are there any rules available to detect this activity? Post your answers below
Pierre retweeted
The DFIR Report @TheDFIRReport
Unwrapping Ursnif's Gifts ➡️Initial Access: Ursnif ISO/LNK/DLL ➡️Discovery: Get-ADComputer, nltest, net view, etc. ➡️Credentials: LSASS access ➡️Lateral: Impacket ➡️Persistence: Registry Run Key ➡️C2: Ursnif, Cobalt Strike thedfirreport.com/2023/01/09/unw… 1/X
Pierre retweeted
The DFIR Report @TheDFIRReport
How often do y'all see emojis in command line params and can you detect them? Try hunting your environment using this sigma rule by @kostastsale - github.com/tsale/Sigma_ru… Was it easy or hard to hunt your env for emojis? Find anything? Thx to @0xToxin for sharing the sample!
Pierre retweeted
The DFIR Report @TheDFIRReport
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware ➡️TTR: 154 hours ➡️Discovery: nltest, net group, ShareFinder, etc. ➡️Exfil: Rclone Transfer to Mega ➡️C2: CobaltStrike, AnyDesk, Tactical RMM Agent ➡️Impact: Quantum Ransomware thedfirreport.com/2022/11/28/emo… 1/X
Pierre retweeted
The DFIR Report @TheDFIRReport
BumbleBee Zeros in on Meterpreter ➡️Initial Access: Contact Forms/Stolen Images/ISO ➡️PrivEsc: WSReset & Slui UAC Bypass, Zerologon CVE-2020-1472 ➡️Cred Access: Procdump LSASS, reg dump SAM/SEC/SYS hives ➡️C2: BumbleBee, Meterpreter, CobaltStrike thedfirreport.com/2022/11/14/bum… 1/X
Pierre retweeted
The DFIR Report @TheDFIRReport
Follina Exploit Leads to Domain Compromise ➡️Initial Access: Word Doc exploiting Follina ➡️Persistence: Scheduled Tasks ➡️Discovery: ADFind, Netscan, etc. ➡️Lat Movement: SMB, Service Creation, RDP ➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop thedfirreport.com/2022/10/31/fol…
Pierre retweeted
The DFIR Report @TheDFIRReport
Dead or Alive? An Emotet Story ➡️Initial Access: Emotet XLS ➡️Persistence: RegRunKeys, Atera ➡️Discovery: LOLbins, AdFind, ShareFinder ➡️Credentials: LSASS access, Kerberoast ➡️Lateral: SMB, Remote Services ➡️C2: Emotet, CobaltStrike ➡️Exfil: Rclone/Mega thedfirreport.com/2022/09/12/dea…
Pierre retweeted
The DFIR Report @TheDFIRReport
BumbleBee Roasts Its Way to Domain Admin ➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL) ➡️Persistence: AnyDesk ➡️Discovery: VulnRecon, Seatbelt, AdFind, etc. ➡️Credentials: Kerberoast, comsvcs.dll, ProcDump ➡️C2: BumbleBee, CobaltStrike, AnyDesk thedfirreport.com/2022/08/08/bum…
Pierre @pigerlin
Weaponized disk image files are still a thing. Are you able to detect ISO files being downloaded from the internet? ISO files being mounted by end users? Process and network connections being started from a mounted drive? Check out the importance in our latest report. #DFIR
Quoted tweet: The DFIR Report @TheDFIRReport

BumbleBee Roasts Its Way to Domain Admin ➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL) ➡️Persistence: AnyDesk ➡️Discovery: VulnRecon, Seatbelt, AdFind, etc. ➡️Credentials: Kerberoast, comsvcs.dll, ProcDump ➡️C2: BumbleBee, CobaltStrike, AnyDesk thedfirreport.com/2022/08/08/bum…

Pierre retweeted
The DFIR Report @TheDFIRReport
Are you going to @Steel_Con Saturday (7/23)? If so, ➡️Check out @_pete_0's talk "Can you detect this? Inside The Ransomware Operator’s Toolkit" at 14:00 in Track 3! ➡️Find @_pete_0 and he'll give you a free t-shirt! while supplies last
Pierre retweeted
The DFIR Report @TheDFIRReport
SELECT XMRig FROM SQLServer ➡️Initial Access: Brute Force ➡️Execution: xp_cmdshell, batch scripts, certutil ➡️Persistence: Hidden accounts, schtasks, WMI event subscription via mof files ➡️Defense Evasion: Kill AVs, Disabling UAC ➡️Impact: XMRig Miner thedfirreport.com/2022/07/11/sel…
Pierre retweeted
The DFIR Report @TheDFIRReport
Can you Detect This? | Inside The Ransomware Operator's Toolkit ➡️@_pete_0 and @yatinwad will be presenting @ 14:40 UTC on 6/16. Sign up for the free #RansomwareSummit ⬇️ sans.org/cyber-security…
Quoted tweet: Jorge Orchilles @jorgeorchilles

Have you registered for the free #RansomwareSummit? It is going to be awesome! I had the privilege of working with speakers for 2 different talks and so excited for them. One is from @TheDFIRReport which you all know I am a huge fan of. #ransomware sans.org/cyber-security…
