The DFIR Report (@TheDFIRReport )

The DFIR Report

Bio Real Intrusions by Real Attackers, the Truth Behind the Intrusion. Help support this project -
Tweets 62
Followers 3,2K
Following 0
Account created 03-04-2020 01:33:43
ID 1245886895458078722

Twitter Web App : IOCs @… &…

Enjoy our reports? Please consider donating $1 or more to the project using Patreon.

We also have pcaps, files, memory images, and Kape packages available.

TweetDeck : PYSA/Mespinoza Ransomware

➡️TTR 7.5 hours
➡️Koadic and Empire for C2
➡️7+ Credential Access techniques
➡️ADRecon, APS, quser, net, arp, and nltest for Discovery
➡️RDP and PsExec for Lateral
➡️Files exfiltrated
➡️PYSA ransomware for Impact…

Twitter Web App : New report on Mespinoza/PYSA ransomware coming soon!
You'll see mentions of Koadic, Empire, and 5+ different credential access methods.

Limited supply of The DFIR Report t-shirts available @

Twitter Web App : A threat actor recently dropped/executed Network Scanner (NS.exe) in the honeypot. This time, it was bundled with NJRAT.

➡️NJRAT: C:\ProgramData\Synaptics\Synaptics.exe
➡️C2: 69.42.215[.]252:80
➡️Any Run:…

Twitter Web App : ATT&CK recently updated Ryuk (Wizard Spider/UNC1878) Techniques.

Thanks for including our reports ATT&CK!!

Twitter Web App : Another cryptominer exploiting CVE-2020-14882.

➡️Exploit srcip: 185.153.199[.]102
➡️Miner install script:…
➡️Sandbox run:…

Twitter Web App : Cryptominers Exploiting WebLogic RCE CVE-2020-14882…

IOCs @… &…

Twitter Web App : Thank you malCOM!! We appreciate you and everyone else who supports this project!…

Twitter Web App : If you enjoy our reports, please consider donating $1 or more to the project using Patreon.

We also have pcaps, files, memory images, and Kape packages available at Patreon.

Twitter Web App : Ryuk Speed Run, 2 Hours to Ransom

➡️Discovery using Net, Nltest, and AdFind
➡️Cobalt Strike and Bazar for C2
➡️Zerologon for Privilege Escalation
➡️Credential Access via Rubeus
➡️Lateral Movement via SMB…

Twitter Web App : Chris Krebs #Protect2020 Here are a couple more reports on recent Ryuk intrusions with TTPs & timelines.

Did you patch Zerologon? Can you detect Kerberoasting? Can you detect the discovery commands used in these reports? Can you respond in 2-4 hours?……

Twitter Web App : Along with the gov alert, The DFIR Report has two incredible write-ups on previous Ryuk investigations.

I created a Splunk lookup of the most common binaries used and searched for scenarios where >= 3 ran on the same host w/ same users in 15 mins.…
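
The same hunt in Python over a constructed process-creation log, as an added example rather than the poster's Splunk search: it counts distinct lookup binaries per host/user pair inside a sliding 15-minute window and alerts at 3 or more. The `ts|host|user|image` line format is an assumption, and the lookup contents are taken from the discovery tools named in the tweets above (net, nltest, AdFind, quser, arp) plus whoami.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lookup table of discovery binaries seen in the Ryuk/PYSA reports above (assumed contents).
DISCOVERY_BINARIES = {"net.exe", "net1.exe", "nltest.exe", "adfind.exe",
                      "quser.exe", "arp.exe", "whoami.exe"}

# Constructed sample log: ISO timestamp | host | user | full image path.
SAMPLE_LOG = [
    "2020-10-18T13:00:00|WS01|corp\\alice|C:\\Windows\\System32\\net.exe",  # lone net: no alert
    "2020-10-18T13:05:00|SRV02|corp\\svc_backup|C:\\Windows\\System32\\whoami.exe",
    "2020-10-18T13:06:30|SRV02|corp\\svc_backup|C:\\Windows\\System32\\nltest.exe",
    "2020-10-18T13:09:10|SRV02|corp\\svc_backup|C:\\Windows\\System32\\net.exe",
    "2020-10-18T13:12:00|SRV02|corp\\svc_backup|C:\\Temp\\AdFind.exe",
    "2020-10-18T13:20:00|SRV02|corp\\svc_backup|C:\\Windows\\System32\\notepad.exe",  # not in lookup
    "2020-10-18T09:00:00|WS03|corp\\bob|C:\\Windows\\System32\\arp.exe",  # spread over 40 min: no alert
    "2020-10-18T09:20:00|WS03|corp\\bob|C:\\Windows\\System32\\quser.exe",
    "2020-10-18T09:40:00|WS03|corp\\bob|C:\\Windows\\System32\\net.exe",
]

def parse_event(line):
    """Split one 'ts|host|user|image' line; normalise user and image basename to lowercase."""
    ts, host, user, image = line.split("|")
    return datetime.fromisoformat(ts), host, user.lower(), image.rsplit("\\", 1)[-1].lower()

def detect_discovery_bursts(lines, threshold=3, window=timedelta(minutes=15)):
    """Return (host, user, window_start, binaries) for each host/user pair where at least
    `threshold` distinct lookup binaries ran within `window`. One alert per pair."""
    by_key = defaultdict(list)
    for line in lines:
        ts, host, user, image = parse_event(line)
        if image in DISCOVERY_BINARIES:
            by_key[(host, user)].append((ts, image))
    alerts = []
    for (host, user), events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct binaries whose start time falls inside the window opened by event i.
            seen = {img for ts, img in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append((host, user, start, tuple(sorted(seen))))
                break
    return alerts

if __name__ == "__main__":
    for host, user, start, bins in detect_discovery_bursts(SAMPLE_LOG):
        print(f"{start} {host} {user}: {', '.join(bins)}")
```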

Twitter Web App : 📌Free #SIGMA rule: SINGLEMALT / KEGTAP / #Ryuk Techniques and Procedures by SOC Prime Team based on reports by The DFIR Report and FireEye 🔥:

All in One Rule:

#ThreatHunting #BlueTeam #Ransomware

Twitter Web App : IOCs available at… &…

PCAPs, files, memory images, Kape and Redline packages available at