The DFIR Report (@TheDFIRReport)

Bio: real intrusions by real attackers, the truth behind the intrusion
Tweets: 23
Followers: 587
Following: 18
Account created: 03-04-2020 01:33:43
ID: 1245886895458078722

Twitter Web App: Another coin miner (XMRig) dropped in the honeypot...

- Attrib used to hide C:\Windows\Fonts\Windows
- Cacls used to restrict folder access to System
- Scheduled Tasks used for persistence