The DFIR Report (@TheDFIRReport)

Bio: Real intrusions by real attackers, the truth behind the intrusion
Tweets: 23
Followers: 580
Following: 18
Account created: 03-04-2020 01:33:43
ID: 1245886895458078722

Twitter Web App : So this happened...

➡️Threat Actor logs in via RDP
➡️Drops browser
➡️Logs into personal social media account
➡️Transfers files/links through social media
➡️Fails to accomplish mission
➡️Disconnects RDP session leaving social media on screen on the messages tab

👀 👀 👀

#opsec

Twitter Web App : Enjoy our report on Snatch Team? Donate to the project to keep it running!

patreon.com/thedfirreport

We also offer early access to reports and access to all artifacts including PCAPs, memory captures, event logs, etc.

Twitter Web App : H. C:\arvey MISP We didn't see Defender Control during this intrusion and we didn't see any commands run or reg keys created around that time, which leads us to believe it was manually turned off but can't confirm. Here's the log

Twitter Web App : Another RDP brute force ransomware strikes again, this time, Snatch Team!

-Lateral movement via RDP
-C2 via Meterpreter/RDP Proxy via Tor
-Persistence via Scheduled Tasks
-Domain ransomed in less than 5 hours

#infosec #malware MISP

thedfirreport.com/2020/06/21/sna…
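The Snatch Team post above (and the Dharma/Crysis case further down the timeline) describe the same entry vector: RDP exposed to the internet, passwords guessed until one works. The detection below is an added example, not The DFIR Report's tooling and not an artifact from either report. It runs over a constructed, simplified set of Windows Security log records (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive) and raises an alert when a source IP that has accumulated a burst of failures then obtains an interactive RDP logon. The IPs, account names and timestamps are invented for the sample.

```python
"""Detect an RDP password-guessing burst that ends in a successful logon.

Added example; not The DFIR Report's code. Input records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the report). Fields mirror the
# Security log: EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Caveat: with Network Level
# Authentication enabled, the failed pre-auth attempts are logged with
# LogonType 3, not 10, so both types are counted as RDP failures here.
SAMPLE_EVENTS = [
    # (utc_timestamp, event_id, logon_type, target_account, source_ip)
    ("2020-06-20T02:00:01", 4625, 3,  "administrator", "203.0.113.7"),
    ("2020-06-20T02:00:19", 4625, 3,  "admin",         "203.0.113.7"),
    ("2020-06-20T02:00:40", 4625, 3,  "backup",        "203.0.113.7"),
    ("2020-06-20T02:01:02", 4625, 3,  "sqladmin",      "203.0.113.7"),
    ("2020-06-20T02:01:30", 4625, 3,  "administrator", "203.0.113.7"),
    ("2020-06-20T02:02:15", 4625, 3,  "administrator", "203.0.113.7"),
    ("2020-06-20T02:02:40", 4625, 3,  "administrator", "198.51.100.9"),
    ("2020-06-20T02:03:00", 4624, 10, "jsmith",        "10.0.0.5"),
    ("2020-06-20T02:03:30", 4625, 3,  "admin",         "198.51.100.9"),
    ("2020-06-20T02:05:10", 4624, 10, "administrator", "203.0.113.7"),
]

FAIL_TYPES = {3, 10}       # failures to count (3 covers NLA pre-auth failures)
RDP_SUCCESS_TYPE = 10      # a real interactive RDP session


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that reached `threshold` failed logons
    inside the sliding `window` and then obtained a 4624/LogonType 10."""
    alerts = []
    recent = defaultdict(deque)          # source_ip -> deque[(time, account)]
    for ts, event_id, logon_type, account, ip in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        while q and t - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if event_id == 4625 and logon_type in FAIL_TYPES:
            q.append((t, account))
        elif event_id == 4624 and logon_type == RDP_SUCCESS_TYPE and len(q) >= threshold:
            alerts.append({
                "source_ip": ip,
                "failures": len(q),
                "accounts_tried": len({a for _, a in q}),
                "first_failure": q[0][0].isoformat(),
                "success_time": t.isoformat(),
                "success_account": account,
            })
            q.clear()                    # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample, only 203.0.113.7 trips the rule (six failures across four accounts, then a successful interactive logon as administrator); the two failures from 198.51.100.9 and the clean logon from 10.0.0.5 produce nothing. The threshold and window are starting points, not tuned values; a single external IP with dozens of 4625s and no 4624 is still worth a ticket, and the cheaper fix remains the one the account keeps repeating: no single-factor RDP on the internet.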

Twitter Web App : Another coin miner (XMRig) dropped in the honeypot...

rig2.exe

-Attrib used to hide C:\Windows\Fonts\Windows
-Cacls used to restrict folder access to System
-Scheduled Tasks used for persistence

13/71
virustotal.com/gui/file/eb45d…

app.any.run/tasks/cb70da65…

Twitter Web App : While it may be annoying, getting hit by these smaller players may save you if you can initiate controls before the Big Game Hunters show up. Biggest advice: keep single-factor remote access (RDP) off the internet!

Full IOCs:
-Hash
-File
-Network
-#yara

present in MISP Priv

Twitter Web App : For every big game ransomware attacker out there you also have many low level actors just waiting to pounce.
RDP -> Recon -> Whoops local account!
Only one ransomed machine for you!

Read about the Dharma/Crysis attack here:

thedfirreport.com/2020/06/16/the…

#DFIR #Ransomware #infosec pic.twitter.com/Pz4CFOKl9G

Twitter Web App : A threat actor recently logged into the honeypot and dropped HAKOPS Keylogger 15, Desktop Locker and #Lockbit #ransomware. #infosec #dfir #IOC MISP

thedfirreport.com/2020/06/10/loc…

Twitter Web App : Short write-up on a threat actor using AdFind for recon in the honeypot.

thedfirreport.com/2020/05/08/adf…

Maze, FIN6 and Trickbot have been seen using AdFind for recon.

Maze - fireeye.com/blog/threat-re…
FIN6 - fireeye.com/blog/threat-re…
Trickbot - cybereason.com/blog/dropping-…

iPhone : 2020-05-06:🔥[Ransomware TTP] Possible Overlap Between #REvil & #Maze #Ransomware Affiliate on VPS🤔

Popular Open Source Pentesting Tools via Pulse VPN Exploit #CVE201911510:

ADRecon
CrackMapExec
ghost
secretsdump
mimikatz
Metasploit
PowerSploit
PsTools

blog.redteam.pl/2020/05/sodino…

iPhone : Published Sysinternals updates, including Sysmon file delete monitoring, and trying something new: I recorded a video describing the updates and demoing the new Sysmon feature. twitter.com/Sysinternals/s…

Twitter Web App : And thanks to Ryan Tracy of Cylance for the great write up that helped us understand the newer PyXie RAT:

threatvector.cylance.com/en_us/home/mee…

Twitter Web App : Earlier this month we saw a #trickbot infection #gtag man6 pivot to drop Cobalt Strike and PyXie malware. Full IOCs available in MISP Priv.

Check out the infection chain and TTPs in the write up below:

#DFIR

thedfirreport.com/2020/04/30/tri…

Twitter Web App : Looking at the DNS associated with the C2 IPs, this looks likely related to previous campaigns investigated by reecDeep

twitter.com/reecdeep/statu…

Twitter Web App : Ongoing #Ursnif campaign loads DLL that claims to be txt file into memory. Follow on activity from both #tvrat and #cobaltstrike

C2: 8.208.90.2, 47.241.106.208, various domains usually starting with f1[.]pipen[.]at

IOCs in MISP Priv.

#DFIR

thedfirreport.com/2020/04/24/urs…
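The Ursnif post above notes a DLL delivered under a .txt name. The check below is an added example, not The DFIR Report's code and not derived from that campaign's samples: it ignores the file extension and decides "is this a PE?" from the DOS header (the MZ magic and the e_lfanew pointer at offset 0x3C to the PE\0\0 signature), then flags files whose content is a PE but whose extension is not one Windows would normally load. The sample files are constructed blobs, not real binaries.

```python
"""Flag files that parse as PE images but carry a non-executable extension.

Added example; not The DFIR Report's code. Sample files are constructed.
"""
import os
import struct

# Extensions where a PE payload is expected and therefore not suspicious.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".efi"}


def looks_like_pe(data: bytes) -> bool:
    """True when `data` starts with a DOS 'MZ' stub whose e_lfanew field
    (little-endian DWORD at 0x3C) points at a 'PE\\0\\0' signature.
    Name and extension are deliberately ignored."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):   # pointer outside the buffer
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def masquerading_pe(files):
    """`files` maps name -> leading bytes. Return names that are PE images
    but whose extension is not in PE_EXTENSIONS (e.g. a DLL named .txt)."""
    return sorted(
        name for name, data in files.items()
        if looks_like_pe(data) and os.path.splitext(name)[1].lower() not in PE_EXTENSIONS
    )


def scan_directory(root, head=1 << 20):
    """Walk `root`, read up to `head` bytes of each file and apply the check.
    Reading a prefix is enough: e_lfanew sits in the first 64 bytes and
    real PE headers follow within a few hundred bytes."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(head)
            except OSError:
                continue                      # unreadable/locked file: skip
    return masquerading_pe(files)


def _fake_pe(e_lfanew=0x80):
    """Constructed minimal PE-looking blob for the sample (not a real binary)."""
    buf = bytearray(e_lfanew + 0x18)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample "files" (name -> bytes); none of these are real artifacts.
SAMPLE_FILES = {
    "update.txt": _fake_pe(),                    # PE dressed up as a text file
    "notes.txt": b"meeting notes, nothing to see",
    "mz.txt": b"MZ " + b"x" * 0x40,              # starts with MZ, but e_lfanew is garbage
    "helper.dll": _fake_pe(),                    # PE with a PE extension: expected
}

if __name__ == "__main__":
    print(masquerading_pe(SAMPLE_FILES))
```

The e_lfanew bounds check matters: plenty of text begins with the letters MZ, and without it a junk pointer would raise or, worse, silently match. A file that passes this check but was never written to disk (the post says the DLL was loaded into memory) will not be caught here; the corresponding process-level tell is a loader such as rundll32 or regsvr32 being handed a path that ends in .txt.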

Twitter Web App : An actor logged into the honeypot via RDP and installed XMRig with multiple persistence mechanisms. The actor used icacls and attrib to lock down directories and files to make detection and eradication difficult. #infosec #dfir #iocs

thedfirreport.com/2020/04/20/sql…
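Two posts on this timeline describe the same XMRig lockdown pattern (attrib to hide a directory under C:\Windows\Fonts, cacls/icacls to restrict it to SYSTEM, a scheduled task for persistence), and a third describes AdFind recon. The scanner below is an added example, not The DFIR Report's code and not taken from its MISP artifacts: it runs command-line rules over constructed, Sysmon-style process-creation records and then correlates the three lockdown steps on one host into a single chain by path. Hostnames, timestamps and command lines in the sample are invented, and the rule patterns are a starting point rather than a vetted signature set.

```python
"""Command-line rules for the attrib / cacls / schtasks lockdown chain and
AdFind recon, correlated per host. Added example; not The DFIR Report's code.
Sample events are constructed.
"""
import re
from collections import defaultdict

# (rule_name, pattern applied to the full command line). Tool name is matched
# with \b so both "attrib +h" and "C:\Windows\System32\attrib.exe +h" hit.
RULES = [
    ("attrib_hide",    re.compile(r"\battrib(\.exe)?\b.*\+[hs]\b", re.I)),
    ("acl_lockdown",   re.compile(r"\bi?cacls(\.exe)?\b.*(/g|/grant|/deny|/p|/inheritance:r)\b", re.I)),
    ("schtask_create", re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
    ("adfind_recon",   re.compile(r"\badfind(\.exe)?\b.*(objectcategory|objectclass|-sc\s|-gcb|-subnets)", re.I)),
]

# First Windows path on the command line, quoted or bare.
PATH_RX = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')

# Constructed sample process-creation records: (utc_time, host, image, command_line)
SAMPLE_EVENTS = [
    ("2020-04-19T11:02:05", "SQL01", r"C:\Windows\System32\attrib.exe",
     r'attrib +h +s "C:\Windows\Fonts\Windows"'),
    ("2020-04-19T11:02:09", "SQL01", r"C:\Windows\System32\cacls.exe",
     r'cacls "C:\Windows\Fonts\Windows" /e /g system:f'),
    ("2020-04-19T11:02:20", "SQL01", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Windows Update" /tr "C:\Windows\Fonts\Windows\rig2.exe" /sc onstart /ru system /f'),
    ("2020-04-19T11:30:00", "WS07", r"C:\Windows\System32\attrib.exe",
     r"attrib +r C:\Users\jsmith\notes.txt"),          # read-only flag only: benign
    ("2020-04-19T12:10:44", "WS07", r"C:\Users\Public\adfind.exe",
     r'adfind.exe -f "(objectcategory=person)"'),
]


def first_path(cmd):
    """Normalised first path argument, or None."""
    m = PATH_RX.search(cmd)
    if not m:
        return None
    return (m.group(1) or m.group(2)).rstrip("\\").lower()


def scan(events):
    """Apply every rule to every command line; one finding per (event, rule)."""
    findings = []
    for ts, host, image, cmd in events:
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"time": ts, "host": host, "rule": name,
                                 "image": image, "path": first_path(cmd), "cmd": cmd})
    return findings


def lockdown_chains(findings):
    """Correlate per host: a directory hidden by attrib, the same directory
    locked down with cacls/icacls, and a scheduled task whose binary lives
    inside it. Returns one record per such chain."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    chains = []
    for host, fs in by_host.items():
        for hide in (f for f in fs if f["rule"] == "attrib_hide" and f["path"]):
            p = hide["path"]
            acl = [f for f in fs if f["rule"] == "acl_lockdown" and f["path"] == p]
            tasks = [f for f in fs if f["rule"] == "schtask_create"
                     and f["path"] and f["path"].startswith(p + "\\")]
            if acl and tasks:
                chains.append({"host": host, "path": p,
                               "task_binary": tasks[0]["path"],
                               "first": hide["time"],
                               "last": max(f["time"] for f in acl + tasks)})
    return chains


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f["time"], f["host"], f["rule"], f["path"])
    print(lockdown_chains(found))
```

On the sample, the three SQL01 commands collapse into one chain rooted at c:\windows\fonts\windows with rig2.exe as the task binary, while the WS07 attrib +r is ignored and the AdFind line surfaces as a standalone recon finding. Each rule on its own is noisy on an admin workstation; the chain is the part worth paging on. For eradication, remember what the lockdown did: the directory is hidden and its ACL restricted to SYSTEM, so enumerate with attrib cleared and take ownership before deleting, and remove the scheduled task first or the miner comes back at next boot.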