2022-09-26 | The DFIR Report | The DFIR Report
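% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220926:bumblebee:bce1e92,
  author       = {{The DFIR Report}},
  title        = {{BumbleBee: Round Two}},
  date         = {2022-09-26},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/},
  language     = {English},
  urldate      = {2022-09-29},
}
BumbleBee: Round Two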
BumbleBee
2022-09-12 | The DFIR Report | The DFIR Report
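% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220912:dead:a6b31c3,
  author       = {{The DFIR Report}},
  title        = {{Dead or Alive? An Emotet Story}},
  date         = {2022-09-12},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/},
  language     = {English},
  urldate      = {2022-09-12},
}
Dead or Alive? An Emotet Story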
Cobalt Strike Emotet
2022-08-08 | The DFIR Report | The DFIR Report
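% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220808:bumblebee:74d81a8,
  author       = {{The DFIR Report}},
  title        = {{BumbleBee Roasts Its Way to Domain Admin}},
  date         = {2022-08-08},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/},
  language     = {English},
  urldate      = {2022-08-09},
}
BumbleBee Roasts Its Way to Domain Admin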
BumbleBee Cobalt Strike
2022-07-11 | The DFIR Report | The DFIR Report
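% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220711:select:6de0c30,
  author       = {{The DFIR Report}},
  title        = {{SELECT XMRig FROM SQLServer}},
  date         = {2022-07-11},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/},
  language     = {English},
  urldate      = {2022-07-12},
}
SELECT XMRig FROM SQLServer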
2022-06-06 | The DFIR Report | The DFIR Report
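% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220606:will:ad3aa0f,
  author       = {{The DFIR Report}},
  title        = {{Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration}},
  date         = {2022-06-06},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/},
  language     = {English},
  urldate      = {2022-06-09},
}
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration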
2022-05-09 | The DFIR Report | The DFIR Report
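% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220509:seo:cc8b1c2,
  author       = {{The DFIR Report}},
  title        = {{SEO Poisoning – A Gootloader Story}},
  date         = {2022-05-09},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/},
  language     = {English},
  urldate      = {2022-06-09},
}
SEO Poisoning – A Gootloader Story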
GootLoader LaZagne Cobalt Strike GootKit
2022-04-25 | The DFIR Report | The DFIR Report
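% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220425:quantum:128d2b3,
  author       = {{The DFIR Report}},
  title        = {{Quantum Ransomware}},
  date         = {2022-04-25},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
  language     = {English},
  urldate      = {2022-04-25},
}
Quantum Ransomware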
Cobalt Strike IcedID
2022-04-04 | The DFIR Report | @0xtornado, @yatinwad, @MettalicHack, @_pete_0
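% Author handles are braced as single names; underscores are escaped so LaTeX does not treat them as math subscripts.
@online{0xtornado:20220404:stolen:3df91a7,
  author       = {{@0xtornado} and {@yatinwad} and {@MettalicHack} and {@\_pete\_0}},
  title        = {{Stolen Images Campaign Ends in Conti Ransomware}},
  date         = {2022-04-04},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/},
  language     = {English},
  urldate      = {2022-04-04},
}
Stolen Images Campaign Ends in Conti Ransomware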
Conti IcedID
2022-03-21 | The DFIR Report | The DFIR Report
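% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220321:apt35:9f4291d,
  author       = {{The DFIR Report}},
  title        = {{APT35 Automates Initial Access Using ProxyShell}},
  date         = {2022-03-21},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/},
  language     = {English},
  urldate      = {2022-03-22},
}
APT35 Automates Initial Access Using ProxyShell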
2022-03-07 | The DFIR Report | The DFIR Report
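% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220307:2021:c2e2fbe,
  author       = {{The DFIR Report}},
  title        = {{2021 Year In Review}},
  date         = {2022-03-07},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/03/07/2021-year-in-review/},
  language     = {English},
  urldate      = {2022-03-07},
}
2021 Year In Review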
Cobalt Strike
2022-03-01 | Twitter (@TheDFIRReport) | The DFIR Report
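% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220301:twitter:fbd496d,
  author       = {{The DFIR Report}},
  title        = {{Twitter thread with highlights from conti leaks}},
  date         = {2022-03-01},
  organization = {Twitter (@TheDFIRReport)},
  url          = {https://twitter.com/TheDFIRReport/status/1498642512935800833},
  language     = {English},
  urldate      = {2022-03-02},
}
Twitter thread with highlights from conti leaks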
Conti
2022-02-21 | The DFIR Report
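% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
% The organization field was missing here; it is filled in to match the other thedfirreport.com entries in this list.
@online{report:20220221:qbot:8b10b52,
  author       = {{The DFIR Report}},
  title        = {{Qbot and Zerologon Lead To Full Domain Compromise}},
  date         = {2022-02-21},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
  language     = {English},
  urldate      = {2022-02-26},
}
Qbot and Zerologon Lead To Full Domain Compromise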
Cobalt Strike QakBot
2022-02-07 | The DFIR Report | The DFIR Report
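% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220207:qbot:35410a9,
  author       = {{The DFIR Report}},
  title        = {{Qbot Likes to Move It, Move It}},
  date         = {2022-02-07},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/},
  language     = {English},
  urldate      = {2022-02-09},
}
Qbot Likes to Move It, Move It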
QakBot
2022-01-24 | The DFIR Report | The DFIR Report
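% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20220124:cobalt:b0b48ee,
  author       = {{The DFIR Report}},
  title        = {{Cobalt Strike, a Defender’s Guide – Part 2}},
  date         = {2022-01-24},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/},
  language     = {English},
  urldate      = {2022-01-25},
}
Cobalt Strike, a Defender’s Guide – Part 2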
Cobalt Strike
2021-12-13 | The DFIR Report | The DFIR Report
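% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20211213:diavol:7b6e4e6,
  author       = {{The DFIR Report}},
  title        = {{Diavol Ransomware}},
  date         = {2021-12-13},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/12/13/diavol-ransomware/},
  language     = {English},
  urldate      = {2021-12-22},
}
Diavol Ransomware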
BazarBackdoor Conti Diavol
2021-11-29 | The DFIR Report | The DFIR Report
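% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20211129:continuing:646e622,
  author       = {{The DFIR Report}},
  title        = {{CONTInuing the Bazar Ransomware Story}},
  date         = {2021-11-29},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/},
  language     = {English},
  urldate      = {2021-12-07},
}
CONTInuing the Bazar Ransomware Story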
BazarBackdoor Cobalt Strike Conti
2021-11-15 | The DFIR Report | 0xtornado, v3t0_
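% Author handles are braced as single names; the underscore is escaped so LaTeX does not treat it as a math subscript.
@online{0xtornado:20211115:exchange:2920728,
  author       = {{0xtornado} and {v3t0\_}},
  title        = {{Exchange Exploit Leads to Domain Wide Ransomware}},
  date         = {2021-11-15},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/},
  language     = {English},
  urldate      = {2021-11-17},
}
Exchange Exploit Leads to Domain Wide Ransomware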
2021-11-01 | The DFIR Report | @iiamaleks, @samaritan_o
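% Author handles are braced as single names; the underscore is escaped so LaTeX does not treat it as a math subscript.
@online{iiamaleks:20211101:from:2348d47,
  author       = {{@iiamaleks} and {@samaritan\_o}},
  title        = {{From Zero to Domain Admin}},
  date         = {2021-11-01},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/},
  language     = {English},
  urldate      = {2021-11-03},
}
From Zero to Domain Admin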
Cobalt Strike Hancitor
2021-10-18 | The DFIR Report | The DFIR Report
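% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20211018:icedid:0b574b0,
  author       = {{The DFIR Report}},
  title        = {{IcedID to XingLocker Ransomware in 24 hours}},
  date         = {2021-10-18},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
  language     = {English},
  urldate      = {2021-10-22},
}
IcedID to XingLocker Ransomware in 24 hours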
Cobalt Strike IcedID Mount Locker
2021-10-04 | The DFIR Report | The DFIR Report
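% Corporate author is double-braced so BibTeX/Biber keeps "The DFIR Report" as one name.
@online{report:20211004:bazarloader:fe3adf3,
  author       = {{The DFIR Report}},
  title        = {{BazarLoader and the Conti Leaks}},
  date         = {2021-10-04},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/},
  language     = {English},
  urldate      = {2021-10-11},
}
BazarLoader and the Conti Leaks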
BazarBackdoor Cobalt Strike Conti