The DFIR Report (@TheDFIRReport )

The DFIR Report

Bio real intrusions by real attackers, the truth behind the intrusion
Tweets 23
Followers 587
Following 18
Account created 03-04-2020 01:33:43
ID 1245886895458078722

Twitter Web App : An attacker logged into the honeypot from 178.239.173[.]172. They used Defender Control to turn off Defender and Mimikatz to dump credentials. The attacker then used Network Scanner followed shortly by #dharma #ransomware execution.

thedfirreport.com/2020/04/14/dha…