Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
The DFIR Report Profile picture
@TheDFIRReport
Aug 5, 2021 9 tweets 10 min read Read on X
Scrolly
This content looks VERY familiar...



1. "Initial Actions"
2. rclone config using Mega
3. rclone instructions
4.Powerview/UserHunter instructions

Thanks @vxunderground!!
1. NTDS dumping
2. Kerberoasting
3. Netscan (Thanks Perry)
4. Ping script
1. Dump LSASS via #CobaltStrike, RDP, Mimikatz
2. AnyDesk install/exec
3. Scheduled task and wmic exec
4. AdFind! The same script we've been seeing since 2019
1. How and what to exfil (#CobaltStrike/rclone)

2,3,4 AD info, PowerView, Mimikatz, DCSync, Cobalt Strike, Get-ADComputer, ShareFinder, and so much more.

So this is why we see soooo much programdata. Its hard coded all over.
1. Tor/Whonix setup
2. Bash script to sort AdFind results
3. PsExec and Wmic exec commands/instructions
4. Operating CVE-2020-1472 Zerologon in Cobalt Strike
1. Ransomware exec on Linux
2. Ngrok setup for RDP tunneling
3/4. Using #CobaltStrike to exec nltest, net, PowerView, dump hashes, enable rdp, disable Defender, nltest, etc.
1. Change RDP port
2. Brute force instructions (seasons and year, this sounds familiar)
3/4. Getting Domain Admin via SMB brute force - net, Invoke-SMBAutoBrute
1/2/3/4 Hunting backup admins

➡️"If it is not clear who this is after the survey, see adfind + check linkedin"
All for now!

Great teamwork @IcsNick,@Kostastsale, @pigerlin, @iiamaleks, and @0xtornado!!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with The DFIR Report

The DFIR Report Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @TheDFIRReport

The DFIR Report Profile picture
Nov 14, 2022
BumbleBee Zeros in on Meterpreter

➡️Initial Access: Contact Forms/Stolen Images/ISO
➡️PrivEsc: WSReset & Slui UAC Bypass, Zerologon CVE2020-1472
➡️Cred Access: Procdump LSASS, reg dump SAM/SEC/SYS hives
➡️C2: BumbleBee, Meterpreter, CobaltStrike

thedfirreport.com/2022/11/14/bum…

1/X
Analysis and reporting completed by @0xtornado, @samaritan_o, @RoxpinTeddy.

Shout outs to @MsftSecIntel, @threatinsight, @malpedia, @TheRecord_Media, @campuscodi
Thanks for all you do!!

2/X
IOC's (Case from May 2022)

➡️BumbleBee

StolenImages_Evidence.iso
759688d1245aacd0ed067b0f0388786e911aaf28

documents.lnk
38eef0cdaa8faa27c9e2cedeafcfe842e2e0e08e

mkl2n.dll
fa3649b0472ba7fd9b31a22c904b2de4c008f540

C2:
45.153.243[.]93:443
213.232.235[.]199:443

3/X
Read 5 tweets
The DFIR Report Profile picture
Oct 31, 2022
Follina Exploit Leads to Domain Compromise

➡️Initial Access: Word Doc exploiting Follina
➡️Persistence: Scheduled Tasks
➡️Discovery: ADFind, Netscan, etc.
➡️Lat Movement: SMB, Service Creation, RDP
➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop

thedfirreport.com/2022/10/31/fol…
Analysis and reporting completed by @pigerlin, @yatinwad and @_pete_0.

Shout outs to @CISAgov, @GossiTheDog, @msftsecresponse, @malware_traffic and @sans_isc.
IOC's for intrusion, dated June 2022

Maldoc:
doc532.docx
03ef0e06d678a07f0413d95f0deb8968190e4f6b

Qbot Dll:
liidfxngjotktx.dll
dab316b8973ecc9a1893061b649443f5358b0e64

Netsupport Client
client32.exe
3112a39aad950045d6422fb2abe98bed05931e6c
Read 5 tweets
The DFIR Report Profile picture
Aug 8, 2022
BumbleBee Roasts Its Way to Domain Admin

➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk

thedfirreport.com/2022/08/08/bum…
Analysis and reporting completed by @Tornado and @MetallicHack

Shout outs: @threatinsight, Google's Threat Analysis Group, @vladhiewsha, @benoitsevens, @DidierStevens, @malpedia, @k3dg3, @malware_traffic, @Unit42_Intel, @EricRZimmerman, & @svch0st. Thanks ya'll!
IOC's

#Bumblebee
BC_invoice_Report_CORP_46.zip
6c87ca630c294773ab760d88587667f26e0213a3
142.91.3[.]109:443
45.140.146[.]30:443

#CobaltStrike
fuvataren[.]com
45.153.243[.]142:443

dofixifa[.]co
108.62.12[.]174:443

CS Payload Hosting
hxxp://104.243.33.50:80/a
Read 6 tweets
The DFIR Report Profile picture
Mar 1, 2022
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.

If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as “trump”). “Pumba” ends the conversation by asking to be moved to another team. #ContiLeaks Image
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue, and tracking work to be done. #ContiLeaks ImageImageImageImage
Read 78 tweets
The DFIR Report Profile picture
Jul 8, 2021
Here's some newer #CobaltStrike servers we're tracking:

scripts[.]arshmedicalfoundation[.]com
3.142.144[.]90:443

servers[.]indiabullamc[.]com
139.180.214[.]187:80

rce[.]accountrecovery[.]co[.]uk
134.209.118[.]184:80

Full list available @ thedfirreport.com/services
#AllIntel
Here's some newer #CobaltStrike servers we're tracking:

azurecloud[.]dynssl[.]com
136.244.113[.]93:443

securesoftme[.]azureedge[.]net
162.244.80[.]181:80|443

www[.]msclientweb[.]com
147.182.175[.]159:443

Full list available @ thedfirreport.com/services
#AllIntel
Here's some newer #CobaltStrike servers we're tracking:

macrodown[.]azureedge[.]net
85.93.88[.]165:80

taobao[.]alibaba-cn[.]ga
155.94.163[.]56:80

upload[.]dwi22g[.]com
185.244.150[.]52:443

Full list available @ thedfirreport.com/services
#AllIntel
Read 4 tweets
The DFIR Report Profile picture
Mar 29, 2021
Sodinokibi (aka REvil) Ransomware

➡️TTR: 4 hours
➡️Initial Access: IcedID
➡️Discovery: nltest, net, wmic, AdFind, BloodHound, etc.
➡️PrivEsc: UAC-TokenMagic & Invoke-SluiBypass
➡️Defense Evasion: Safe Mode & new GPO
➡️Exfil: Rclone
➡️C2: CobaltStrike

thedfirreport.com/2021/03/28/sod… ImageImageImageImage
Shout-out to @hatching_io, @lazyactivist192, @malwrhunterteam, and @R3MRUM. Thanks for doing what you do!

IOCs, ransomware files, PCAPs, logs, memory captures, etc. available @ thedfirreport.com/services Image
🔥C2🔥:

CobaltStrike:
smalleststores[.]com
cloudmetric[.]online
45.86.163[.]78:80
45.86.163[.]78:443
195.189.99[.]74:8080
195.189.99[.]74:80
45.86.163[.]78:8080

IcedID:
nomovee[.]website
cikawemoret34[.]space
161.35.109[.]168:443
206.189.10[.]247:80
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(