
2023-05-22 | The DFIR Report | The DFIR Report
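@online{report:20230522:icedid:ecec658,
  author       = {{The DFIR Report}},
  title        = {{IcedID Macro Ends in Nokoyawa Ransomware}},
  date         = {2023-05-22},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/},
  language     = {English},
  urldate      = {2023-05-23},
}
IcedID Macro Ends in Nokoyawa Ransomware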
IcedID Nokoyawa Ransomware
2023-04-03 | The DFIR Report | The DFIR Report
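@online{report:20230403:malicious:238465b,
  author       = {{The DFIR Report}},
  title        = {{Malicious ISO File Leads to Domain Wide Ransomware}},
  date         = {2023-04-03},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/},
  language     = {English},
  urldate      = {2023-04-06},
}
Malicious ISO File Leads to Domain Wide Ransomware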
Cobalt Strike IcedID Mount Locker
2023-01-09 | The DFIR Report | The DFIR Report
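@online{report:20230109:unwrapping:d36b45f,
  author       = {{The DFIR Report}},
  title        = {{Unwrapping Ursnifs Gifts}},
  date         = {2023-01-09},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/},
  language     = {English},
  urldate      = {2023-01-13},
}
Unwrapping Ursnifs Gifts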
ISFB
2022-11-28 | The DFIR Report | The DFIR Report
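@online{report:20221128:emotet:53a5fed,
  author       = {{The DFIR Report}},
  title        = {{Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware}},
  date         = {2022-11-28},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/},
  language     = {English},
  urldate      = {2022-11-28},
}
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware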
Emotet Mount Locker
2022-09-26 | The DFIR Report | The DFIR Report
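@online{report:20220926:bumblebee:bce1e92,
  author       = {{The DFIR Report}},
  title        = {{BumbleBee: Round Two}},
  date         = {2022-09-26},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/},
  language     = {English},
  urldate      = {2022-10-04},
}
BumbleBee: Round Two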
BumbleBee Cobalt Strike Meterpreter
2022-09-12 | The DFIR Report | The DFIR Report
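@online{report:20220912:dead:a6b31c3,
  author       = {{The DFIR Report}},
  title        = {{Dead or Alive? An Emotet Story}},
  date         = {2022-09-12},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/},
  language     = {English},
  urldate      = {2022-09-12},
}
Dead or Alive? An Emotet Story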
Cobalt Strike Emotet
2022-08-08 | The DFIR Report | The DFIR Report
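@online{report:20220808:bumblebee:74d81a8,
  author       = {{The DFIR Report}},
  title        = {{BumbleBee Roasts Its Way to Domain Admin}},
  date         = {2022-08-08},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/},
  language     = {English},
  urldate      = {2022-08-09},
}
BumbleBee Roasts Its Way to Domain Admin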
BumbleBee Cobalt Strike
2022-07-11 | The DFIR Report | The DFIR Report
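@online{report:20220711:select:6de0c30,
  author       = {{The DFIR Report}},
  title        = {{SELECT XMRig FROM SQLServer}},
  date         = {2022-07-11},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/},
  language     = {English},
  urldate      = {2022-07-12},
}
SELECT XMRig FROM SQLServer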
2022-06-06 | The DFIR Report | The DFIR Report
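@online{report:20220606:will:ad3aa0f,
  author       = {{The DFIR Report}},
  title        = {{Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration}},
  date         = {2022-06-06},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/},
  language     = {English},
  urldate      = {2022-06-09},
}
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration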
2022-05-09 | The DFIR Report | The DFIR Report
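@online{report:20220509:seo:cc8b1c2,
  author       = {{The DFIR Report}},
  title        = {{SEO Poisoning – A Gootloader Story}},
  date         = {2022-05-09},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/},
  language     = {English},
  urldate      = {2022-06-09},
}
SEO Poisoning – A Gootloader Story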
GootLoader LaZagne Cobalt Strike GootKit
2022-04-25 | The DFIR Report | The DFIR Report
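@online{report:20220425:quantum:128d2b3,
  author       = {{The DFIR Report}},
  title        = {{Quantum Ransomware}},
  date         = {2022-04-25},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
  language     = {English},
  urldate      = {2022-04-25},
}
Quantum Ransomware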
Cobalt Strike IcedID
2022-04-04 | The DFIR Report | @0xtornado, @yatinwad, @MettalicHack, @_pete_0
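@online{0xtornado:20220404:stolen:3df91a7,
  author       = {{@0xtornado} and {@yatinwad} and {@MettalicHack} and {@\_pete\_0}},
  title        = {{Stolen Images Campaign Ends in Conti Ransomware}},
  date         = {2022-04-04},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/},
  language     = {English},
  urldate      = {2022-04-04},
}
Stolen Images Campaign Ends in Conti Ransomware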
Conti IcedID
2022-03-21 | The DFIR Report | The DFIR Report
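@online{report:20220321:apt35:9f4291d,
  author       = {{The DFIR Report}},
  title        = {{APT35 Automates Initial Access Using ProxyShell}},
  date         = {2022-03-21},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/},
  language     = {English},
  urldate      = {2022-03-22},
}
APT35 Automates Initial Access Using ProxyShell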
2022-03-07 | The DFIR Report | The DFIR Report
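@online{report:20220307:2021:c2e2fbe,
  author       = {{The DFIR Report}},
  title        = {{2021 Year In Review}},
  date         = {2022-03-07},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/03/07/2021-year-in-review/},
  language     = {English},
  urldate      = {2022-03-07},
}
2021 Year In Review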
Cobalt Strike
2022-03-01 | Twitter (@TheDFIRReport) | The DFIR Report
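@online{report:20220301:twitter:fbd496d,
  author       = {{The DFIR Report}},
  title        = {{Twitter thread with highlights from conti leaks}},
  date         = {2022-03-01},
  organization = {Twitter (@TheDFIRReport)},
  url          = {https://twitter.com/TheDFIRReport/status/1498642512935800833},
  language     = {English},
  urldate      = {2022-03-02},
}
Twitter thread with highlights from conti leaks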
Conti
2022-02-21 | The DFIR Report
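@online{report:20220221:qbot:8b10b52,
  author       = {{The DFIR Report}},
  title        = {{Qbot and Zerologon Lead To Full Domain Compromise}},
  date         = {2022-02-21},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
  language     = {English},
  urldate      = {2022-02-26},
}
Qbot and Zerologon Lead To Full Domain Compromise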
Cobalt Strike QakBot
2022-02-07 | The DFIR Report | The DFIR Report
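@online{report:20220207:qbot:35410a9,
  author       = {{The DFIR Report}},
  title        = {{Qbot Likes to Move It, Move It}},
  date         = {2022-02-07},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/},
  language     = {English},
  urldate      = {2022-02-09},
}
Qbot Likes to Move It, Move It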
QakBot
2022-01-24 | The DFIR Report | The DFIR Report
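@online{report:20220124:cobalt:b0b48ee,
  author       = {{The DFIR Report}},
  title        = {{Cobalt Strike, a Defender’s Guide – Part 2}},
  date         = {2022-01-24},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/},
  language     = {English},
  urldate      = {2022-01-25},
}
Cobalt Strike, a Defender’s Guide – Part 2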
Cobalt Strike
2021-12-13 | The DFIR Report | The DFIR Report
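@online{report:20211213:diavol:7b6e4e6,
  author       = {{The DFIR Report}},
  title        = {{Diavol Ransomware}},
  date         = {2021-12-13},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/12/13/diavol-ransomware/},
  language     = {English},
  urldate      = {2021-12-22},
}
Diavol Ransomware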
BazarBackdoor Conti Diavol
2021-11-29 | The DFIR Report | The DFIR Report
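@online{report:20211129:continuing:646e622,
  author       = {{The DFIR Report}},
  title        = {{CONTInuing the Bazar Ransomware Story}},
  date         = {2021-11-29},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/},
  language     = {English},
  urldate      = {2021-12-07},
}
CONTInuing the Bazar Ransomware Story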
BazarBackdoor Cobalt Strike Conti