The DFIR Report - Blog posts I worked on

If you've arrived here, you're probably aware that I've been working with the guys from The DFIR Report for several years. To make it easier for readers who want to know which reports I worked on, I've included all of the references below:

  • WebLogic RCE Leads to XMRig
Intro This report will review an intrusion where the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020-14882) to gain initial access to the system before inst…
  • From Zero to Domain Admin
Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Up…
  • Exchange Exploit Leads to Domain Wide Ransomware
Intro In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case we…
  • Diavol Ransomware
In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Di…
  • APT35 Automates Initial Access Using ProxyShell
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities an…
  • Quantum Ransomware
In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an Ic…
  • BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, …
  • Emotet Strikes Again – Lnk File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time period, multiple rounds of …