Pierre (@pigerlin)'s Twitter Profile
Pierre

@pigerlin

Analyst @TheDFIRReport | Passionate about all things DFIR 🇳🇱

ID: 290586939

Joined: 30-04-2011 14:53:31

68 Tweets

726 Followers

133 Following

Rob Fuller (@mubix)

For those that are dealing with ISO based malware downloads, might I suggest the following solution: winaero.com/remove-mount-c…

Basically add "ProgrammaticAccessOnly" to HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount as a REG_SZ. This can be done at a GPO level :)

The DFIR Report (@thedfirreport)

SEO Poisoning – A Gootloader Story

➡️Initial Access: Gootloader
➡️Discovery: BloodHound, Port Scanning
➡️Credential Access: LaZagne & Mimikatz
➡️Defense Evasion: Defender Service Deletion
➡️Lat Movement: Remote Service Creation & RDP
➡️C2: #CobaltStrike

thedfirreport.com/2022/05/09/seo…

The DFIR Report (@thedfirreport)

Can you Detect This? | Inside The Ransomware Operator's Toolkit

➡️Pete (@_pete_0) and Yatin Wadhwa (@yatinwad) will be presenting @ 14:40 UTC on 6/16.

Sign up for the free #RansomwareSummit ⬇️

sans.org/cyber-security…
The DFIR Report (@thedfirreport)

SELECT XMRig FROM SQLServer

➡️Initial Access: Brute Force
➡️Execution: xp_cmdshell, batch scripts, certutil
➡️Persistence: Hidden accounts, schtasks, WMI event subscription via mof files
➡️Defense Evasion: Kill AVs, Disabling UAC
➡️Impact: XMRig Miner

thedfirreport.com/2022/07/11/sel…
The DFIR Report (@thedfirreport)

Are you going to SteelCon (@Steel_Con) Saturday (7/23)? If so,

➡️Check out Pete (@_pete_0)'s talk "Can you detect this? Inside The Ransomware Operator's Toolkit" at 14:00 in Track 3!

➡️Find Pete (@_pete_0) and he'll give you a free t-shirt! While supplies last.
The DFIR Report (@thedfirreport)

BumbleBee Roasts Its Way to Domain Admin

➡️Initial Access: BumbleBee (zipped ISO w/ LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk

thedfirreport.com/2022/08/08/bum…

Pierre (@pigerlin)

Weaponized disk image files are still a thing. Are you able to detect ISO files being downloaded from the internet? ISO files being mounted by end users? Process and network connections being started from a mounted drive? Check out the importance in our latest report. #DFIR

The DFIR Report (@thedfirreport)

Dead or Alive? An Emotet Story

➡️Initial Access: Emotet XLS
➡️Persistence: RegRunKeys, Atera
➡️Discovery: LOLbins, AdFind, ShareFinder
➡️Credentials: LSASS access, Kerberoast
➡️Lateral: SMB, Remote Services
➡️C2: Emotet, CobaltStrike
➡️Exfil: Rclone/Mega

thedfirreport.com/2022/09/12/dea…

The DFIR Report (@thedfirreport)

Follina Exploit Leads to Domain Compromise

➡️Initial Access: Word Doc exploiting Follina
➡️Persistence: Scheduled Tasks
➡️Discovery: ADFind, Netscan, etc.
➡️Lat Movement: SMB, Service Creation, RDP
➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop

thedfirreport.com/2022/10/31/fol…

The DFIR Report (@thedfirreport)

BumbleBee Zeros in on Meterpreter

➡️Initial Access: Contact Forms/Stolen Images/ISO
➡️PrivEsc: WSReset & Slui UAC Bypass, Zerologon CVE-2020-1472
➡️Cred Access: Procdump LSASS, reg dump SAM/SEC/SYS hives
➡️C2: BumbleBee, Meterpreter, CobaltStrike

thedfirreport.com/2022/11/14/bum… 1/X

The DFIR Report (@thedfirreport)

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

➡️TTR: 154 hours
➡️Discovery: nltest, net group, ShareFinder, etc.
➡️Exfil: Rclone Transfer to Mega
➡️C2: CobaltStrike, AnyDesk, Tactical RMM Agent
➡️Impact: Quantum Ransomware

thedfirreport.com/2022/11/28/emo… 1/X

The DFIR Report (@thedfirreport)

How often do y'all see emojis in command line params and can you detect them?

Try hunting your environment using this sigma rule by @kostastsale - github.com/tsale/Sigma_ru…

Was it easy or hard to hunt your env for emojis? Find anything?

Thx to Ne0ne | Igal (@0xToxin) for sharing the sample!
The DFIR Report (@thedfirreport)

📢New report out Monday 1/9 by Zach, Pete and UC1! If you subscribed, you'll receive an email when we publish the report. If you haven't subscribed - thedfirreport.com/subscribe/

The DFIR Report (@thedfirreport)

Unwrapping Ursnifs Gifts

➡️Initial Access: Ursnif ISO/LNK/DLL
➡️Discovery: Get-ADComputer, nltest, net view, etc.
➡️Credentials: LSASS access
➡️Lateral: Impacket
➡️Persistence: Registry Run Key
➡️C2: Ursnif, Cobalt Strike

thedfirreport.com/2023/01/09/unw… 1/X

The DFIR Report (@thedfirreport)

Here's an interesting batch script you'll see in an upcoming report:

➡️Do you know what it's doing?
➡️Would you struggle to do analysis on a system if it ran? Why or Why not?
➡️Are there any rules available to detect this activity?

Post your answers below
The DFIR Report (@thedfirreport)

A Truly Graceful Wipe Out

➡️Initial Access: Email > TDS > Truebot download
➡️Credentials: LSASS & Registry Dump
➡️Persistence: Scheduled Task
➡️C2: Truebot, FlawedGrace, Cobalt Strike
➡️Exfiltration: FlawedGrace
➡️Impact: MBR Killer

thedfirreport.com/2023/06/12/a-t… 1/X

The DFIR Report (@thedfirreport)

HTML Smuggling Leads to Domain Wide Ransomware

➡️Initial Access: Thread-Hijacked Email > HTML Attachment
➡️Credentials: LSASS Access, SessionGopher
➡️Lateral Movement: RDP, PsExec
➡️C2: IcedID, Cobalt Strike
➡️Impact: Nokoyawa Ransomware

thedfirreport.com/2023/08/28/htm… 1/X

The DFIR Report (@thedfirreport)

New report out Monday 12/4 by Yatin Wadhwa (@yatinwad)!

➡️This intrusion starts with an MSSQL server being brute forced and ends in BlueSky ransomware.

➡️The threat actor went from initial access to network wide ransomware in under 1 hour.
The DFIR Report (@thedfirreport)

🌟New report out today!🌟

Fake Zoom Ends in BlackSuit Ransomware

Analysis and reporting completed by Pierre, UC1 and Miixxedup.

Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/03/31/fak…