Just Another Blue Teamer

Good day everyone!

I don't know how I missed this one but here is your #readoftheday:

The DFIR Report published an article on Monday that details an attack that started with a vulnerable Confluence server and ended with the deployment of the ELPAC-team ransomware. There were multiple tools that were used that are publicly available, including Anydesk.exe, Mimikatz, ProcessHacker, and Impacket Secretsdump. Side note, they mention that this case is featured in one of their labs, so go check it out! Also, go find out all the details that I couldn't post here and read the article! Enjoy and Happy Hunting!

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#impact

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

Key Takeaways The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution. Using this access…

The DFIR Report
May 22 at 3:43pmWeb
Show threadJust Another Blue TeamerMay 22

If RMM tool abuse is something you are concerned about check out this community hunt package! This hunt package is designed to identify when a service is created to run AnyDesk, which was a tactic the adversary used in this report! Hope you enjoy and Happy Hunting!

AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
https://hunter.cyborgsecurity.io/research/hunt-package/4103B086-F093-4084-9125-15B9A6C872B8

#huntoftheday #gethunting

Intel 471 | HUNTER