The DFIR Report on Twitter: "Collect, Exfiltrate, Sleep, Repeat ➡️Initial Access: Job App VBA Maldoc ➡️Discovery: PS Cmdlets, net, tzutil, etc. ➡️Persistence: Scheduled Tasks ➡️Collection: AutoHotkey Keylogger, Compress-Archive, makecab.exe ➡️C2: Custom PowerShell Framework https://t.co/uFbJzqkDWr 1/X" / Twitter
https://twitter.com/thedfirreport/status/1622586081513205760