Analyst @TheDFIRReport | Passionate about all things DFIR 🇳🇱

Joined April 2011
Pierre retweeted
🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️
Pierre retweeted
New report out Monday 12/4 by @yatinwad! ➡️This intrusion starts with a MSSQL server being brute forced and ends in BlueSky ransomware. ➡️The threat actor went from initial access to network wide ransomware in under 1 hour.
Pierre retweeted
HTML Smuggling Leads to Domain Wide Ransomware ➡️Initial Access: Thread-Hijacked Email > HTML Attachment ➡️Credentials: LSASS Access, SessionGopher ➡️Lateral Movement: RDP, PsExec ➡️C2: IcedID, Cobalt Strike ➡️Impact: Nokoyawa Ransomware thedfirreport.com/2023/08/28… 1/X
Pierre retweeted
A Truly Graceful Wipe Out ➡️Initial Access: Email > TDS > Truebot download ➡️Credentials: LSASS & Registry Dump ➡️Persistence: Scheduled Task ➡️C2: Truebot, FlawedGrace, Cobalt Strike ➡️Exfiltration: FlawedGrace ➡️Impact: MBR Killer thedfirreport.com/2023/06/12… 1/X
Pierre retweeted
Here's an interesting batch script you'll see in an upcoming report: ➡️Do you know what it's doing? ➡️Would you struggle to do analysis on a system if it ran? Why or Why not? ➡️Are there any rules available to detect this activity? Post your answers below
Pierre retweeted
How often do y'all see emojis in command line params and can you detect them? Try hunting your environment using this sigma rule by @kostastsale - github.com/tsale/Sigma_rules… Was it easy or hard to hunt your env for emojis? Find anything? Thx to @0xToxin for sharing the sample!
Pierre retweeted
Follina Exploit Leads to Domain Compromise ➡️Initial Access: Word Doc exploiting Follina ➡️Persistence: Scheduled Tasks ➡️Discovery: ADFind, Netscan, etc. ➡️Lat Movement: SMB, Service Creation, RDP ➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop thedfirreport.com/2022/10/31…
Pierre retweeted
Dead or Alive? An Emotet Story ➡️Initial Access: Emotet XLS ➡️Persistence: RegRunKeys, Atera ➡️Discovery: LOLbins, AdFind, ShareFinder ➡️Credentials: LSASS access, Kerberoast ➡️Lateral: SMB, Remote Services ➡️C2: Emotet, CobaltStrike ➡️Exfil: Rclone/Mega thedfirreport.com/2022/09/12…
Pierre retweeted
BumbleBee Roasts Its Way to Domain Admin ➡️Initial Access: BumbleBee (zipped ISO /w LNK DLL) ➡️Persistence: AnyDesk ➡️Discovery: VulnRecon, Seatbelt, AdFind, etc. ➡️Credentials: Kerberoast, comsvcs.dll, ProcDump ➡️C2: BumbleBee, CobaltStrike, AnyDesk thedfirreport.com/2022/08/08…
8 Aug 2022
Weaponized disk image files are still a thing. Are you able to detect ISO files being downloaded from the internet? ISO files being mounted by end users? Process and network connections being started from a mounted drive? Check out the importance in our latest report. #DFIR
BumbleBee Roasts Its Way to Domain Admin ➡️Initial Access: BumbleBee (zipped ISO /w LNK DLL) ➡️Persistence: AnyDesk ➡️Discovery: VulnRecon, Seatbelt, AdFind, etc. ➡️Credentials: Kerberoast, comsvcs.dll, ProcDump ➡️C2: BumbleBee, CobaltStrike, AnyDesk thedfirreport.com/2022/08/08…
Pierre retweeted
Are you going to @Steel_Con Saturday (7/23)? If so, ➡️Check out @_pete_0's talk "Can you detect this? Inside The Ransomware Operator’s Toolkit" at 14:00 in Track 3! ➡️Find @_pete_0 and he'll give you a free t-shirt! while supplies last
11 Jul 2022
RT @TheDFIRReport: SELECT XMRig FROM SQLServer ➡️Initial Access: Brute Force ➡️Execution: xp_cmdshell, batch scripts, certutil ➡️Persisten…
Pierre retweeted
Can you Detect This? | Inside The Ransomware Operator's Toolkit ➡️@_pete_0 and @yatinwad will be presenting @ 14:40 UTC on 6/16. Sign up for the free #RansomwareSummit ⬇️ sans.org/cyber-security-trai…
Have you registered for the free #RansomwareSummit? It is going to be awesome! I had the privilege of working with speakers for 2 different talks and am so excited for them. One is from @TheDFIRReport, which you all know I am a huge fan of. #ransomware sans.org/cyber-security-trai…