Another banger from @TheDFIRReport. Some important takeaways:
vssadmin still? Seriously? Almost every commercial tool alerts on this, but we can do better. Alias the command to something else. Use a command canary. This is often the last step before ransomware detonation, and should be massively risky for the attacker.

https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/
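The alerting and command-canary idea from the post, as an added example (not code from the post or from The DFIR Report): a small detection pass over constructed Sysmon-style process-creation records that flags shadow-copy deletion as critical and, when the real `vssadmin` has been aliased away for admins, treats any invocation of the original binary as a canary hit. The field names and sample events are assumptions.

```python
import json
import re

# Constructed sample process-creation events in the shape a SIEM might export
# from Sysmon Event ID 1; none of these come from the DFIR Report writeup.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "VSSADMIN.EXE  Delete\tShadows /For=C: /Oldest",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Command-line forms of shadow-copy deletion. Whitespace is collapsed before
# matching so extra spaces or tabs do not slip past the rule.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]

def is_shadow_delete(command_line: str) -> bool:
    """True when a process command line deletes volume shadow copies."""
    normalised = " ".join(command_line.split())
    return any(p.search(normalised) for p in SHADOW_DELETE_PATTERNS)

def detect(events, canary=False):
    """Return one alert per suspicious event.

    canary=True assumes admins use an aliased copy of vssadmin, so any run of
    the original vssadmin.exe (even a harmless 'list') is worth a high alert.
    """
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        if is_shadow_delete(cmd):
            severity = "critical"   # often the last step before encryption
        elif canary and image.endswith("\\vssadmin.exe"):
            severity = "high"       # canary: real binary should never run
        else:
            continue
        alerts.append({"severity": severity, "image": ev.get("Image"),
                       "parent": ev.get("ParentImage"), "command_line": cmd})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, canary=True):
        print(json.dumps(alert))
```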
@buherator @TheDFIRReport Yeah I'm familiar with both. It's just interesting to see where the switch happens.
@TheDFIRReport Speaking of vssadmin, here's what doing the same thing without touching the command line looks like: https://codeberg.org/mttaggart/corrodedshadow