The DFIR Report (@TheDFIRReport )

The DFIR Report

Bio Real Intrusions by Real Attackers, the Truth Behind the Intrusion. Help support this project - patreon.com/thedfirreport
Tweets 62
Followers 3.2K
Following 0
Account created 03-04-2020 01:33:43
ID 1245886895458078722

Twitter Web App : IOCs @ misppriv.circl.lu/events/view/81… &
otx.alienvault.com/pulse/5fbb23c7…

Enjoy our reports? Please consider donating $1 or more to the project using Patreon.

We also have pcaps, files, memory images, and Kape packages available.

patreon.com/thedfirreport

TweetDeck : PYSA/Mespinoza Ransomware

➡️TTR 7.5 hours
➡️Koadic and Empire for C2
➡️7+ Credential Access techniques
➡️ADRecon, APS, quser, net, arp, and nltest for Discovery
➡️RDP and PsExec for Lateral Movement
➡️Files exfiltrated
➡️PYSA ransomware for Impact

thedfirreport.com/2020/11/23/pys…

Twitter Web App : New report on Mespinoza/PYSA ransomware coming soon!
You'll see mentions of Koadic, Empire, and 5+ different credential access methods.

Limited supply of The DFIR Report t-shirts available @ patreon.com/thedfirreport.

Twitter Web App : A threat actor recently dropped/executed Network Scanner (NS.exe) in the honeypot. This time, it was bundled with NJRAT.

➡️NJRAT: C:\ProgramData\Synaptics\Synaptics.exe
➡️C2: 69.42.215[.]252:80
➡️VT: virustotal.com/gui/file/e4b0f…
➡️Any Run: app.any.run/tasks/566223f6…

Twitter Web App : ATT&CK recently updated Ryuk (Wizard Spider/UNC1878) Techniques.

➡️attack.mitre.org/groups/G0102

Thanks for including our reports ATT&CK!!

Twitter Web App : Another cryptominer exploiting CVE-2020-14882.

➡️Exploit srcip: 185.153.199[.]102
➡️Miner install script: virustotal.com/gui/file/a6fc5…
➡️Sandbox run: app.any.run/tasks/d963ab1a…

Twitter Web App : Cryptominers Exploiting WebLogic RCE CVE-2020-14882

thedfirreport.com/2020/11/12/cry…

IOCS @ misppriv.circl.lu/events/view/81… & otx.alienvault.com/pulse/5fac81c5…

Twitter Web App : Thank you malCOM!! We appreciate you and everyone else who supports this project!

patreon.com/thedfirreport twitter.com/EricaZeli/stat…

Twitter Web App : If you enjoy our reports, please consider donating $1 or more to the project using Patreon.

We also have pcaps, files, memory images, and Kape packages available at Patreon.

patreon.com/thedfirreport

Twitter Web App : Ryuk Speed Run, 2 Hours to Ransom

➡️Discovery using Net, Nltest, and AdFind
➡️Cobalt Strike and Bazar for C2
➡️Zerologon for Privilege Escalation
➡️Credential Access via Rubeus
➡️Lateral Movement via SMB

thedfirreport.com/2020/11/05/ryu…

Twitter Web App : Chris Krebs #Protect2020 Here are a couple more reports on recent Ryuk intrusions with TTPs & timelines.

Did you patch Zerologon? Can you detect Kerberoasting? Can you detect the discovery commands used in these reports? Can you respond in 2-4 hours?

thedfirreport.com/2020/10/18/ryu…

thedfirreport.com/2020/10/08/ryu…

Twitter Web App : Along with the gov alert, The DFIR Report has two incredible write-ups on previous Ryuk investigations.

I created a Splunk lookup of the most common binaries used and searched for scenarios where >= 3 ran on the same host w/ same user in 15 mins. twitter.com/USCERT_gov/sta…
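The detection idea in the tweet above (a lookup of common discovery binaries, alerting when three or more distinct ones run on the same host under the same user inside 15 minutes) is the same question the "Can you detect the discovery commands used in these reports?" tweet asks. Below is an added example implementing that logic in Python over constructed process-creation records; it is not the tweeter's Splunk search and not code from The DFIR Report. The binary list is the one named in the Ryuk and PYSA summaries on this page (net, nltest, AdFind, quser, arp); the record format (timestamp,host,user,image path), the sample events, and the 15-minute / three-binary thresholds are assumptions you would tune to your own telemetry.

```python
"""Flag hosts where a user runs >= 3 distinct discovery binaries within 15 min.

Added example, not code from The DFIR Report or the quoted Splunk search.
Input records are constructed here to look like process-creation telemetry:
    <ISO-8601 UTC timestamp>,<host>,<user>,<image path>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Discovery binaries named in the Ryuk / PYSA reports on this page.
DISCOVERY_BINARIES = {"net.exe", "nltest.exe", "adfind.exe", "quser.exe", "arp.exe"}

WINDOW = timedelta(minutes=15)   # assumption: same window as the Splunk search
THRESHOLD = 3                    # distinct discovery binaries per host+user


def parse_event(line):
    """Parse one constructed record into a dict with a datetime and a lowercased image name."""
    ts, host, user, image = line.strip().split(",", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user.lower(),
        "image": PureWindowsPath(image).name.lower(),  # AdFind.exe -> adfind.exe
    }


def find_discovery_clusters(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose distinct discovery binaries
    reach `threshold` inside any span no longer than `window`.

    A sliding window over the time-sorted events per host+user counts
    *distinct* images, so the same tool run repeatedly does not fire.
    """
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["image"] in DISCOVERY_BINARIES:
            groups[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Advance the window start until events[start..end] fit inside `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            seen = {e["image"] for e in events[start:end + 1]}
            if len(seen) >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first": events[start]["ts"],
                    "last": ev["ts"],
                    "binaries": sorted(seen),
                })
                break  # one alert per host+user is enough for triage
    return alerts


# Constructed sample telemetry (not from any real intrusion):
#  - WKSTN01/jsmith: net, nltest, AdFind inside 3 minutes  -> should alert
#  - SRV02/svc_backup: net, then nltest+quser 40 min later -> only 2 in any window
#  - WKSTN03/bob: net.exe three times                      -> 1 distinct binary
SAMPLE_EVENTS = """\
2020-10-18T14:02:11Z,WKSTN01,CORP\\jsmith,C:\\Windows\\System32\\net.exe
2020-10-18T14:03:40Z,WKSTN01,CORP\\jsmith,C:\\Windows\\System32\\nltest.exe
2020-10-18T14:05:02Z,WKSTN01,CORP\\jsmith,C:\\Temp\\AdFind.exe
2020-10-18T14:09:00Z,WKSTN01,CORP\\jsmith,C:\\Windows\\System32\\notepad.exe
2020-10-18T09:00:00Z,SRV02,CORP\\svc_backup,C:\\Windows\\System32\\net.exe
2020-10-18T09:40:00Z,SRV02,CORP\\svc_backup,C:\\Windows\\System32\\nltest.exe
2020-10-18T09:41:00Z,SRV02,CORP\\svc_backup,C:\\Windows\\System32\\quser.exe
2020-10-18T11:00:00Z,WKSTN03,CORP\\bob,C:\\Windows\\System32\\net.exe
2020-10-18T11:01:00Z,WKSTN03,CORP\\bob,C:\\Windows\\System32\\net.exe
2020-10-18T11:02:00Z,WKSTN03,CORP\\bob,C:\\Windows\\System32\\net.exe
"""


def run_sample():
    """Run the detection over the constructed events and return the alerts."""
    return find_discovery_clusters(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']} {a['user']} {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} "
              f"ran {', '.join(a['binaries'])}")
```

Counting distinct images rather than raw executions is what keeps a noisy script that loops `net.exe` from firing on its own; extending the lookup with the PYSA-report tools (ADRecon, APS) is a one-line change to DISCOVERY_BINARIES, and the sliding window generalizes to whatever span your SIEM search uses.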

Twitter Web App : 📌Free #SIGMA rule: SINGLEMALT / KEGTAP / #Ryuk Techniques and Procedures by SOC Prime Team based on reports by The DFIR Report and FireEye 🔥:
📘fireeye.com/blog/threat-re…
📘thedfirreport.com/2020/10/18/ryu…

All in One Rule:
➡️tdm.socprime.com/tdm/info/lf753…

#ThreatHunting #BlueTeam #Ransomware

Twitter Web App : IOCs available at misppriv.circl.lu/events/view/80… & otx.alienvault.com/pulse/5f8cce76…

PCAPS, files, memory images, Kape and Redline packages available at patreon.com/thedfirreport