The DFIR Report on Twitter: "Collect, Exfiltrate, Sleep, Repeat ➡️Initial Access: Job App VBA Maldoc ➡️Discovery: PS Cmdlets, net, tzutil, etc. ➡️Persistence: Scheduled Tasks ➡️Collection: AutoHotkey Keylogger, Compress-Archive, makecab.exe ➡️C2: Custom PowerShell Framework https://t.co/uFbJzqkDWr 1/X" / Twitter

https://twitter.com/thedfirreport/status/1622586081513205760

https://twitter.com/home/status/1622586597408473091

https://twitter.com/home/status/1622591950976176130

https://twitter.com/home/status/1622620663050653698

https://twitter.com/home/status/1622643324841492487

https://twitter.com/home/status/1622643366860128257

https://twitter.com/home/status/1622659416972566542

https://twitter.com/home/status/1622661762850951170

https://twitter.com/home/status/1622671903897919509

https://twitter.com/home/status/1622696268207165463