https://hexpysya.github.io/tags/lsass/Recent content in Lsass on bubka hacks stuffHugo -- gohugo.ioen-usMon, 13 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/Mon, 13 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/An employee at CompliantSecure received a phishing email from emkei.cz, downloaded a malicious ISO containing BumbleBee loader 23.dll, which established C2 to 3.68.97.124 and injected into ImagingDevices.exe, dumped LSASS credentials, laterally moved to DC01 via PsExec using markw credentials, staged AdFind and AnyDesk, created sql_admin backdoor account, moved to FileServer01 and Support01, exfiltrated archived share data, and deployed Conti ransomware dropping R3ADM3.txt ransom notes.https://hexpysya.github.io/blue_team/splunk-goldenspray/Fri, 10 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-goldenspray/An attacker from 77.91.78.115 brute-forced mwilliams credentials, connected via RDP, dropped OfficeUpdater.exe with registry persistence, staged Backup_Tools including mimikatz, dumped lsass to obtain jsmith credentials, laterally moved to ST-DC01 and ST-FS01, established scheduled task persistence on the DC, and archived client data for exfiltration.