thedfirreport.com
Credential Access Multiple tools and scripts were used to access and collect credentials from compromised hosts. There were several variants of Mimikatz in binary and PowerShell form: "C:\ProgramData\mimikatz.exe" "C:\ProgramData\mimikatz.exe.exe" "C:\ProgramData\mimikatz_cryptovanniy.exe" "C:\ProgramData\notepad.exe" "C:\ProgramData\katz.ps1 Commands used to collect credentials and export to text
As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report looks at the types of intrusions that have been most prevalent and the malware we have come across. We’ll also look at some of the most commonly used tactics, techniques, and procedures threat actors use to infiltrate networks, a
PowerTool PowerTool was observed, dropped and executed on the server used to deploy the ransomware payload. This tool has the ability to kill a process, delete its process file, unload drivers, and delete the driver files. It has been reportedly used by several ransomware groups to aid in their operations [1][2][3][4]. As a byproduct of execution, PowerTool will drop a driver to disk and load it i
UAC Bypass The threat actors were observed bypassing UAC via WSReset and DelegateExecute, spawning new processes at a High integrity level. While executing this UAC bypass, the threat actors seemed to be running into some kind of trouble during execution, which required them to try the technique several times and to kill one of their processes from a prior attempt. In addition to the WSReset
The DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion Qbot (aka QakBot, Quakbot, Pinkslipbot) has been around for a long time, having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment, while s
The DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we will focus on the network traffic it produced, and provide some easy wins defenders can be on the look out for to detect beaconing activity. We cover topics such as domain fronting, SOCKS pro
The DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Upon the user enabling macros, a Hancitor dll was executed, which called the usual suspect, Cobalt Strike. Various different enum
The DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion Intro Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown more prevalent. Despite the group having its affiliate guide leaked, which revealed many techniques already covered in previous reports, the g
Cobalt Strike Infrastructure Changing infrastructure will always be inconvenient for the threat actors, but it is not a difficult task. Additionally, Cobalt Strike is able to make use of “redirectors.” Therefore, some of these servers could be a redirector instead of the actual Cobalt Strike C2 server. Redirectors are hosts that do what the name implies, redirect traffic to the real C2 server. Thr
The DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion Introduction In May 2021, we observed a threat actor conducting an intrusion utilizing the IcedID payloads for initial access. They later performed a number of techniques from host discovery to lateral movement, using RDP and SMB to access the file servers within an enterprise domain. IcedID (known as BokBot) first o