Conversation

Another banger from @TheDFIRReport. Some important takeaways:

  • 9 days from foothold to C2? That's quite a wait, and one that would flummox most analysts if they missed something on the first alerts.
  • Use of Brute Ratel as a vanguard for Cobalt Strike. The threat actor sees value in both.
  • Added Defender exceptions, meaning the compromised user was a local admin. Stoppp.
  • vssadmin still? Seriously? Almost every commercial tool alerts on this, but we can do better. Alias the command to something else. Use a command canary. This is often the last step before ransomware detonation, and should be massively risky for the attacker.

https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/

2
3
0
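The "alias the command, use a command canary" point above, as an added example that is not code from the post, from The DFIR Report, or from any linked project. It assumes Sysmon-style process-creation records (Image, CommandLine, User), a hypothetical deployment in which the real vssadmin.exe has been renamed to an unpublicised alias (the `vss-admin-real.exe` name here is invented for the example) and a no-op canary sits at the original path, and it goes slightly beyond the post by also matching the wmic and Win32_ShadowCopy forms of shadow-copy deletion.

```python
import re

# Hypothetical deployment (assumption, not from the post): the real vssadmin.exe
# has been renamed to ALIASED_IMAGE and a do-nothing canary binary placed at the
# original path. Any execution of the canary is an alert regardless of arguments,
# because no legitimate tooling knows the alias and the canary does nothing useful.
CANARY_IMAGE = r"c:\windows\system32\vssadmin.exe"
ALIASED_IMAGE = r"c:\windows\system32\vss-admin-real.exe"  # invented alias name

# Command-line patterns for shadow-copy destruction (MITRE ATT&CK T1490).
# Matched on the normalized command line, so they fire whichever binary name
# (canary, alias, wmic, powershell) carried them.
SHADOW_DESTRUCTION = [
    ("vssadmin delete shadows", re.compile(r"\bdelete\s+shadows\b")),
    ("vssadmin resize shadowstorage", re.compile(r"\bresize\s+shadowstorage\b")),
    ("wmic shadowcopy delete", re.compile(r"\bshadowcopy\s+delete\b")),
    ("Win32_ShadowCopy.Delete()", re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
]

# Constructed sample events, reduced to the fields the detector needs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "User": r"CORP\jdoe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},          # canary hit
    {"Image": r"C:\Windows\System32\vss-admin-real.exe", "User": r"CORP\backup-svc",
     "CommandLine": "vss-admin-real list shadows"},                   # benign listing via alias
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "User": r"CORP\jdoe",
     "CommandLine": "wmic shadowcopy delete"},                        # deletion via wmic
    {"Image": r"C:\Windows\System32\vss-admin-real.exe", "User": r"CORP\jdoe",
     "CommandLine": "vss-admin-real delete shadows /all /quiet"},     # deletion via alias
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
     "CommandLine": "cmd.exe /c dir"},                                # noise
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe",
     "CommandLine": "powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"},
]


def normalize(cmd):
    """Lower-case and collapse whitespace so pattern matching is case/spacing-insensitive."""
    return re.sub(r"\s+", " ", cmd.strip().lower())


def classify_event(event):
    """Return (severity, reason) for a process-creation event, or None if benign.

    The canary check runs first: executing the decoy at the original path is the
    strongest signal, since only something that did not know the alias would do it.
    """
    image = event.get("Image", "").lower()
    cmd = normalize(event.get("CommandLine", ""))
    if image == CANARY_IMAGE:
        return ("critical", "canary vssadmin.exe executed")
    for name, pattern in SHADOW_DESTRUCTION:
        if pattern.search(cmd):
            return ("high", f"shadow copy destruction: {name}")
    return None


def scan(events):
    """Run classify_event over a list of events; return (index, user, severity, reason) hits."""
    hits = []
    for i, event in enumerate(events):
        verdict = classify_event(event)
        if verdict is not None:
            hits.append((i, event.get("User", "?"), verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for index, user, severity, reason in scan(SAMPLE_EVENTS):
        print(f"event {index} [{severity}] {user}: {reason}")
```

The benign `list shadows` call through the alias (event 1) produces nothing, while the same destructive arguments fire whether they arrive through the canary, the alias, wmic, or PowerShell WMI. In a real deployment the canary binary itself should log its own invocation too, so the alert does not depend on telemetry that the attacker may have already disabled along with Defender.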
@mttaggart @TheDFIRReport BR has pretty neat evasion capabilities that you'd have to develop for CS. CS, on the other hand, is more "operator friendly"...
1
0
1

@buherator @TheDFIRReport Yeah I'm familiar with both. It's just interesting to see where the switch happens.

0
1
1

@TheDFIRReport Speaking of vssadmin, here's what doing the same thing without touching the command line looks like: https://codeberg.org/mttaggart/corrodedshadow

0
1
0