The DFIR Report

Real Intrusions by Real Attackers, the Truth Behind the Intrusion.

Detections: github.com/The-DFIR-Report | Services: thedfirreport.com/services |

2026-01-07

🧪 DFIR Labs | LockBit Ransomware Case #27244

Investigate a real intrusion where a compromised Confluence server led to rapid domain-wide access.

Step through the investigation and see how LockBit was deployed end-to-end.
👉 dfirlabs.thedfirreport.com/aut

The DFIR Report boosted:
2025-12-31

DFIR Labs is closing out the year with 25% off all cases and subscriptions.

✔ Buy now, redeem anytime over the next 3 months
⏰ Offer ends January 1
💳 Discount applied automatically at checkout

dfirlabs.thedfirreport.com/

The DFIR Report boosted:
NETRESEC netresec@infosec.exchange
2025-12-23

Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect
netresec.com/?b=25Cfd08

2025-12-22

"The unusual command copied to the user's clipboard abused the SSH ProxyCommand option to quietly invoke the Windows Installer (msiexec) and download a payload, marking the start of the intrusion."

➡️ The above is from a Private Threat Brief: "SSH by ClickFix: Node.js RAT Leads to SystemBC and S3 Exfiltration"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - lnkd.in/gk-yfpJm

2025-12-22

🎁 DFIR Labs Giveaway 🎁

We’re giving away 5 FREE DFIR Labs cases!

How to enter:

➡️Post your favorite DFIR Report in the replies
➡️Tell us why it's your favorite

That’s it! 🙌 We’ll select 5 winners before Christmas!

DFIR Labs - dfirlabs.thedfirreport.com/aut
Reports - thedfirreport.com/

2025-12-17

"Approximately 20 minutes after the initial successful whoami command execution from 45.227.254[.]124, the intrusion commenced from a new IP address, 91.191.209[.]46, utilizing a slightly modified version of the exploit. It’s plausible that the exploitation script used in the second instance, which downloaded and executed the Metasploit payload...."

Report: thedfirreport.com/2025/05/19/a #DFIR #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam

2025-12-10

We identified a malvertising campaign targeting users searching for legitimate software, leading to the download of a trojanized WinSCP installer that deployed Broomstick/OysterLoader. The infection chain established persistence through scheduled tasks and ultimately dropped a Supper (SocksShell/ZAPCAT) variant, enabling remote access and SOCKS5 proxying.

All files involved in the initial access phase were signed with valid certificates.

#DFIR #ThreatIntel #IncidentResponse #CyberSecurity

2025-12-10

➡️ The above is from a Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/

#DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam

2025-12-01

"On day six of the intrusion, the threat actor started preparing for the automated deployment of the ransomware payload throughout the network.
After the initial execution of the ransomware binary on a system, the spawned process began establishing connections with other internal systems..."

Report: thedfirreport.com/2025/06/30/h
Services: thedfirreport.com/services/
Contact Us for pricing or a demo thedfirreport.com/contact/

2025-11-24

🎉 BLACK FRIDAY DEAL IS LIVE! 🎉

Now until December 1st, all swag in our store is 50% OFF — shirts, hoodies, and stickers, while supplies last!

🛒 Prices are already reflected in the cart:
• Stickers: $1
• T-Shirts: $10
• Hoodies: $16

🎁 Bonus: Every order comes with 2 FREE DFIR Report stickers!

Don’t miss it — once it’s gone, it’s gone.

store.thedfirreport.com/collec

2025-11-20

➡️ The above is from a Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/

2025-11-20

"Checking the registry and network traffic, we could identify ranges they scanned. They most likely ran several scans in Advanced IP scanner. We found evidence of scans for private IP ranges as well as multiple public IP ranges belonging to Microsoft and other entities. It's unclear why they scanned these external IPs. An interesting observation is that they scanned public IP ranges which hosted the C2 addresses used by Supper:"

#DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec

2025-11-17

🐈 Cat’s Got Your Files: Lynx Ransomware

🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉

Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more!

thedfirreport.com/2025/11/17/c

#DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam

2025-11-16

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"Artifacts of this SMB enumeration were left behind in the smb.db database stored by NetExec in C:\Users\%UserProfile%\nxc\workspaces\smb.db. This database confirms that a number of domains and hosts were successfully enumerated using the domain admin credentials during scanning."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

2025-11-15

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"In this case, Netscan was run with domain administrator privileges, so all discovered shares were writable. As a result, NetScan was able to create and delete the delete[.]me file on each discovered share.

These actions generated Windows Security Event ID 5145 object access entries referencing the delete[.]me file."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/
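
The share-write check quoted above leaves a hunt-able pattern in the Security log. As an added example (not from the report), this Python flags a single user and source IP that touch a file named delete.me on several distinct shares within a few minutes, working over Event ID 5145 records; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 5145 records: (TimeCreated, SubjectUserName, IpAddress,
# ShareName, RelativeTargetName). Real values would be read from the
# Security log; these are samples, not data from the report.
SAMPLE_5145 = [
    ("2025-11-10T09:00:01", "adm_backup", "10.0.0.25", "\\\\*\\C$", "delete.me"),
    ("2025-11-10T09:00:02", "adm_backup", "10.0.0.25", "\\\\*\\ADMIN$", "delete.me"),
    ("2025-11-10T09:00:03", "adm_backup", "10.0.0.25", "\\\\*\\Finance", "delete.me"),
    ("2025-11-10T09:00:04", "adm_backup", "10.0.0.25", "\\\\*\\HR", "delete.me"),
    ("2025-11-10T09:00:05", "adm_backup", "10.0.0.25", "\\\\*\\IT", "delete.me"),
    ("2025-11-10T09:15:00", "jdoe", "10.0.0.40", "\\\\*\\Finance", "Q3\\budget.xlsx"),
    ("2025-11-10T13:00:00", "svc_scan", "10.0.0.50", "\\\\*\\Finance", "delete.me"),
]


def parse(rec):
    """Turn one record tuple into (datetime, user, ip, share, target)."""
    ts, user, ip, share, target = rec
    return datetime.fromisoformat(ts), user, ip, share, target


def find_share_sweeps(records, min_shares=3, window=timedelta(minutes=5),
                      marker="delete.me"):
    """Return {(user, ip): sorted shares} for every source that referenced
    `marker` on at least `min_shares` distinct shares inside `window`."""
    by_source = defaultdict(list)
    for rec in records:
        ts, user, ip, share, target = parse(rec)
        # Compare only the file name so a target in a subfolder still matches.
        if target.lower().rsplit("\\", 1)[-1] == marker:
            by_source[(user, ip)].append((ts, share))

    hits = {}
    for src, events in by_source.items():
        events.sort()  # chronological, so events[i:] are at or after t0
        for i, (t0, _) in enumerate(events):
            shares = {s for t, s in events[i:] if t - t0 <= window}
            if len(shares) >= min_shares:
                hits[src] = sorted(shares)
                break
    return hits


if __name__ == "__main__":
    for (user, ip), shares in find_share_sweeps(SAMPLE_5145).items():
        print(f"{user}@{ip} wrote delete.me to {len(shares)} shares: {shares}")
```

A single delete.me on one share (the svc_scan record) stays below the threshold, so the legitimate-looking one-off does not alert while the sweep does.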

2025-11-14

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"On the domain controller, they used the "Active Directory Users and Computers" snap-in (dsa.msc) to create three users for persistence. All of the newly created accounts have usernames that mimic legitimate accounts already present in the environment."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

2025-11-13

🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec!

"The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and there was no indication of brute force or password spraying occurring, indicating these credentials were obtained prior to the intrusion...

1/2

2025-11-13

...The threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the beachhead host without performing any credential access activities, indicating these credentials were also obtained prior to initial access."

Want a heads-up when we drop a new report? Sign up here: thedfirreport.com/subscribe/

2/2

2025-10-19

➡️ The above is from a recent Private Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - thedfirreport.com/contact/

#DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam
