
Alessandro Di Carlo

@samaritan0.bsky.social

Forensics & Product Manager at @Certego_IRT @TheDFIRReport Analyst 3x @SANSInstitute Lethal Forensicator - GCFA - GASF

51 Followers  |  16 Following  |  8 Posts  |  Joined: 09.07.2023  |  1.6201

Latest posts by samaritan0.bsky.social on Bluesky

Collect, Exfiltrate, Sleep, Repeat - The DFIR Report In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command …

6/6

Collect, Exfiltrate, Sleep, Repeat

➡️Initial Access: Job App VBA Maldoc
➡️Discovery: PS Cmdlets, net, tzutil, etc.
➡️Persistence: Scheduled Tasks
➡️Collection: AutoHotkey Keylogger, Compress-Archive, makecab.exe
➡️C2: Custom PowerShell Framework

https://t.co/uFbJzqkDWr

09.07.2023 14:55 — 👍 0    🔁 0    💬 0    📌 0
2022 Year in Review - The DFIR Report As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report …

5/n

🚨2022 Year in Review is OUT🚨

➡️ Test your detection rules
➡️ Ensure you have the visibility your company needs
➡️ Enjoy the stats
➡️ Remember to print any visuals included 😜

Report written by me, @Kostastsale and @iiamaleks (/cc @TheDFIRReport)

https://t.co/8aS2miNRF5

09.07.2023 14:53 — 👍 0    🔁 0    💬 1    📌 0
Malicious ISO File Leads to Domain Wide Ransomware - The DFIR Report IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and …

4/n

New report out from @_pete_0 and @MetallicHack

➡️Initial Access: IcedID ISO
➡️Credentials: DCsync
➡️PrivEsc: ZeroLogon
➡️Lateral: RDP, SMB/Remote Service, WMI
➡️C2: IcedID, Cobalt Strike, Anydesk
➡️Exfil: Rclone to Mega
➡️Impact: Quantum Ransomware

https://t.co/yjp0CsKj80

09.07.2023 14:52 — 👍 0    🔁 0    💬 1    📌 0
IcedID Macro Ends in Nokoyawa Ransomware - The DFIR Report Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can …

3/n

🚨Are you curious to read something new regarding #Nokoyawa Ransomware? Here we are:
🔨In.Acc: IcedID XLS Macro
🔪Credentials: LSASS, Creds in Files
🪚Persistence: Scheduled Task
💣Lateral: RDP, SMB, WMI, WinRM, Psexec
🪓C2: IcedID, Cobalt Strike, VNC

https://t.co/G4QGdGGPRF

09.07.2023 14:50 — 👍 0    🔁 0    💬 1    📌 0
A Truly Graceful Wipe Out - The DFIR Report In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment …

2/n

🚨Finally something “new” here!🚨

➡️Initial Access: Email > TDS > #Truebot download
➡️Credentials: LSASS & Registry Dump
➡️Persistence: Scheduled Task
➡️C2: Truebot, FlawedGrace, Cobalt Strike
➡️Exfiltration: FlawedGrace
➡️Impact: MBR Killer

https://t.co/GpV6uRpHho

09.07.2023 14:49 — 👍 0    🔁 0    💬 1    📌 0

1/n

📣 To all forensicators out there 📣

*don't be afraid to admit when your analysis was incorrect!*
Nothing is wrong with that.

I made a huge mistake just the other day! When these situations arise, it is important to reset everything and restart better than before. #DFIR

09.07.2023 14:47 — 👍 0    🔁 0    💬 1    📌 0

I'd like to repurpose some of my most popular tweets, just to have a "copy" here 👇🏻

09.07.2023 14:47 — 👍 1    🔁 0    💬 1    📌 0

Let's try to play this game 🥲

09.07.2023 14:44 — 👍 5    🔁 0    💬 0    📌 0
