Inside the Open Directory of the “You Dun” Threat Group
Key Takeaways The DFIR Report Services Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 … Read More
The DFIR Report
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
Key Takeaways Contact us today for pricing or a demo! Table of Contents: Case Summary Analysts Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command … Read More
BlackSuit Ransomware
Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor … Read More
Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts
Key Takeaways The DFIR Report Services Contact us today for pricing or a demo! Table of Contents: Summary Analysts Adversary Infrastructure Capability Victim Indicators Summary In this report, we delve into … Read More
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More
From IcedID to Dagon Locker Ransomware in 29 Days
Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was … Read More
From OneNote to RansomNote: An Ice Cold Intrusion
Key Takeaways We provide a range of services, one of which is our Threat Feed, specializing in monitoring Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, … Read More
Threat Brief: WordPress Plugin Exploit Leads to Godzilla Web Shell, Discovery & New CVE
Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 20 detailed Threat Briefs, which follow a format similar to the below. Typically, … Read More
SEO Poisoning to Domain Control: The Gootloader Saga Continues
Key Takeaways More information about Gootloader can be found in the following reports: The DFIR Report, GootloaderSites, Mandiant, Red Canary, & Kroll. An audio version of this report can be … Read More
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On … Read More
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In … Read More
SQL Brute Force Leads to BlueSky Ransomware
In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and … Read More
Real Intrusions by Real Attackers, The Truth Behind the Intrusion