Another banger from @TheDFIRReport. Some important takeaways:

• 9 days from foothold to C2? That's quite a wait, and one that would flummox most analysts if they missed something on the first alerts.
• Use of Brute Ratel as a vanguard for Cobalt Strike. The threat actor sees value in both.
• Added Defender exceptions, meaning the compromised user was a local admin. Stoppp.
• vssadmin still? Seriously? Almost every commercial tool alerts on this, but we can do better. Alias the command to something else. Use a command canary. This is often the last step before ransomware detonation, and should be massively risky for the attacker.

https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/

@mttaggart @TheDFIRReport BR has pretty neat evasion capabilities that you'd have to develop for CS. CS on the other hand is more "operator friendly"...

@buherator @TheDFIRReport Yeah I'm familiar with both. It's just interesting to see where the switch happens.

@TheDFIRReport Speaking of vssadmin, here's what doing the same thing without touching the command line looks like: https://codeberg.org/mttaggart/corrodedshadow