Real Intrusions by Real Attackers, The Truth Behind the Intrusion.
The DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion
- Hide Your RDP: Password Spray Leads to RansomHub Deploymentby editor on June 30, 2025 at 12:20 am
Key Takeaways Case Summary This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted … Read More
- Another Confluence Bites the Dust: Falling to ELPACO-team Ransomwareby editor on May 19, 2025 at 12:05 am
Key Takeaways The DFIR Report Services Table of Contents: Case Summary In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP … Read More
- Navigating Through The Fogby editor on April 28, 2025 at 12:03 am
Key Takeaways An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence…
- Fake Zoom Ends in BlackSuit Ransomwareby editor on March 31, 2025 at 12:01 am
Key Takeaways Case Summary This case from May 2024 started with a malicious download from a website mimicking the teleconferencing application Zoom. When visiting the website and downloading a file … Read More
- Confluence Exploit Leads to LockBit Ransomwareby editor on February 24, 2025 at 12:06 am
Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor … Read More
- Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomwareby editor on January 27, 2025 at 1:42 am
Key Takeaways Case Summary This intrusion began near the end of January 2024 when the user downloaded and executed a file using the same name (setup_wm.exe) and executable icon, as … Read More
- The Curious Case of an Egg-Cellent Resumeby editor on December 2, 2024 at 1:50 am
Key Takeaways Private Threat Briefs: Over 20 private DFIR reports annually. Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc. All Intel: Includes everything from … Read More
- Inside the Open Directory of the “You Dun” Threat Groupby editor on October 28, 2024 at 1:05 am
Key Takeaways The DFIR Report Services Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 … Read More
- Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomwareby editor on September 30, 2024 at 12:45 am
Key Takeaways Contact us today for pricing or a demo! Table of Contents: Case Summary Analysts Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command … Read More
- BlackSuit Ransomwareby editor on August 26, 2024 at 12:30 am
Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor … Read More
