Cyber Incident Response
Ransomware containment, breach triage, BEC, credential compromise, forensic preservation, and nation-state TTPs — the first hours decide outcomes and notification obligations.
- Ransomware in progress — first 4 hours
  Active or suspected ransomware. Goal: contain spread, preserve evidence, protect ability to report accurately under UK GDPR / NIS2.
- Suspected breach — unusual activity, no smoking gun yet
  Indicators of compromise without confirmed impact: anomalous logins, unfamiliar processes, antivirus quiet. Triage before escalation; preserve evidence either way.
- Business Email Compromise / mailbox takeover
  Attacker has access to a mailbox and is sending fraudulent emails (invoice redirects, supplier impersonation). Containment + invoice protection + notification.
- Privileged account compromise
  A domain admin / global admin / service account credential is suspected stolen. Treat as worst-case until evidence rules it out.
- Forensic evidence preservation during a live incident
  Recovery and forensics often pull in opposite directions. Take what you can, in the right order, before doing the things that destroy evidence.
- GRU-Linked Router Exploitation Harvesting Microsoft 365 Authentication Tokens
  Russian GRU-linked threat actors are exploiting known vulnerabilities in unpatched and end-of-life internet-facing routers to intercept and exfiltrate Microsoft 365 authentication tokens across 18,00…
- VENOMOUS#HELPER Phishing Campaign Abusing SimpleHelp and ScreenConnect RMM Tools
  Active phishing campaign (VENOMOUS#HELPER) tricks users into installing legitimate RMM agents (SimpleHelp, ScreenConnect/ConnectWise Control) to gain persistent remote access, with 80+ organizations…
- Persistent OAuth Tokens from SaaS/AI Integrations Create Unmonitored Backdoors in Microsoft 365 and Google Workspace
  Third-party AI tools, automation platforms, and productivity apps connected to Microsoft 365 or Google Workspace via OAuth leave behind long-lived refresh tokens that bypass MFA and perimeter control…
- De-obfuscating Malicious PHP Code Found on a Compromised Web Server
  Attackers who compromise PHP-based web servers commonly plant obfuscated scripts using eval(), preg_replace() with the /e modifier, base64_decode(), hex encoding, and XOR techniques to conceal malici…
- PowerShell AD Enumeration via ADWS Bypasses LDAP-Based Detection Controls
  PowerShell ActiveDirectory module cmdlets (e.g., Get-ADComputer, Get-ADUser) communicate with Domain Controllers over TCP port 9389 via Active Directory Web Services (ADWS) rather than raw LDAP (port…
- ADWS LDAP Query Attribution Failure: Correlating Event 1644 Localhost Source with Event 5156 to Recover True Attacker IP
  When attackers query Active Directory via ADWS (port 9389), Event 1644 records the source IP as localhost (127.0.0.1) because ADWS acts as a local proxy to the LDAP service, masking the true origin o…
- Signed PUP Supply Chain Attack Deploys AV Killers with SYSTEM Privileges (Dragon Boss Solutions)
  Dragon Boss Solutions' digitally signed Potentially Unwanted Program (PUP) was found to contain an insecure update mechanism exploitable for approximately $10, allowing attackers to deliver AV killer…
- UNC6671 BlackFile Vishing + AiTM SSO Extortion Campaign — Microsoft 365 & Okta Identity Compromise
  UNC6671 (operating as 'BlackFile') conducts voice phishing attacks targeting employees' personal phones, using adversary-in-the-middle (AiTM) proxies to bypass MFA and steal SSO session tokens for Mi…
- Proactive Hardening Against Destructive Malware, Wipers, and Modified Ransomware — 2026 Edition (Mandiant/Google Cloud)
  Threat actors deploy wipers, destructive malware, and modified ransomware (where decryption is never intended) to render systems inoperable, destroy forensic evidence, and eliminate incident coordina…
- CVE-2026-22769: Dell RecoverPoint for Virtual Machines Zero-Day RCE — UNC6201 GRIMBOLT/BRICKSTORM Backdoor Deployment
  Critical (CVSSv3.1 10.0) zero-day in Dell RecoverPoint for Virtual Machines actively exploited by UNC6201 (PRC-nexus) since mid-2024. Exploitation enables RCE, lateral movement into VMware infrastruc…