Alessandro Di Carlo
@samaritan0.bsky.social
Forensics & Product Manager at @Certego_IRT

@TheDFIRReport Analyst

3x @SANSInstitute Lethal Forensicator - GCFA - GASF
6/6

Collect, Exfiltrate, Sleep, Repeat

➡️Initial Access: Job App VBA Maldoc
➡️Discovery: PS Cmdlets, net, tzutil, etc.
➡️Persistence: Scheduled Tasks
➡️Collection: AutoHotkey Keylogger, Compress-Archive, makecab.exe
➡️C2: Custom PowerShell Framework

https://t.co/uFbJzqkDWr
Collect, Exfiltrate, Sleep, Repeat - The DFIR Report
In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command …
July 9, 2023 at 2:55 PM
5/n

🚨2022 Year in Review is OUT🚨

➡️ Test your detection rules
➡️ Ensure you have the visibility your company needs
➡️ Enjoy the stats
➡️ Remember to print any visuals included 😜

Report written by me, @Kostastsale and @iiamaleks (/cc @TheDFIRReport)

https://t.co/8aS2miNRF5
2022 Year in Review - The DFIR Report
As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report …
July 9, 2023 at 2:53 PM
4/n

New report out from @_pete_0 and @MetallicHack

➡️Initial Access: IcedID ISO
➡️Credentials: DCsync
➡️PrivEsc: ZeroLogon
➡️Lateral: RDP, SMB/Remote Service, WMI
➡️C2: IcedID, Cobalt Strike, Anydesk
➡️Exfil: Rclone to Mega
➡️Impact: Quantum Ransomware

https://t.co/yjp0CsKj80
Malicious ISO File Leads to Domain Wide Ransomware - The DFIR Report
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and …
July 9, 2023 at 2:52 PM
3/n

🚨Are you curious to read something new regarding #Nokoyawa Ransomware? Here we are:
🔨In.Acc: IcedID XLS Macro
🔪Credentials: LSASS, Creds in Files
🪚Persistence: Scheduled Task
💣Lateral: RDP, SMB, WMI, WinRM, Psexec
🪓C2: IcedID, Cobalt Strike, VNC

https://t.co/G4QGdGGPRF
IcedID Macro Ends in Nokoyawa Ransomware - The DFIR Report
Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can …
July 9, 2023 at 2:50 PM
2/n

🚨Finally something “new” here!🚨

➡️Initial Access: Email > TDS > #Truebot download
➡️Credentials: LSASS & Registry Dump
➡️Persistence: Scheduled Task
➡️C2: Truebot, FlawedGrace, Cobalt Strike
➡️Exfiltration: FlawedGrace
➡️Impact: MBR Killer

https://t.co/GpV6uRpHho
A Truly Graceful Wipe Out - The DFIR Report
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment …
July 9, 2023 at 2:49 PM
1/n

📣 To all forensicators out there 📣

*don't be afraid to admit when your analysis was incorrect!*
Nothing is wrong with that.

I made a huge mistake just the other day! When these situations arise, it is important to reset everything and restart better than before. #DFIR
July 9, 2023 at 2:47 PM