{
	"id": "e0318a0b-8bec-4fad-85f4-8f9b82428b99",
	"created_at": "2026-04-06T00:12:58.30038Z",
	"updated_at": "2026-04-10T03:27:55.863558Z",
	"deleted_at": null,
	"sha1_hash": "5b984bbed623c6fb862952fb0f8fd70eb9aff4f0",
	"title": "2021 Year In Review",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2432380,
	"plain_text": "2021 Year In Review\r\nBy editor\r\nPublished: 2022-03-07 · Archived: 2026-04-05 17:17:09 UTC\r\nAs we come to the end of the first quarter of 2022, we want to take some time to look back over our cases from\r\n2021, in aggregate, and look at some of the top tactics, techniques and procedures (TTPs) we observed. In total,\r\nwe reported on 20 incidents in 2021, the vast majority of which were initial access broker malware (Trickbot, IcedID,\r\nBazarLoader, etc.), which often led to full domain compromise and ransomware.\r\nThis report contains details from all of our public reports over 2021; it is not comprehensive of overall threat\r\nactor activity, as there is always inherent sampling and collection bias. However, reviewing these common activities\r\ncan help a defender prioritize their time and budget to protect against some of the most common threat actor\r\nbehaviors.\r\nShout out to our analysts who put this report together!\r\nReport lead @kostastsale\r\nContributing analysts @ICSNick, @yatinwad, @_pete_0 and 1 unnamed contributor\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such\r\nas Cobalt Strike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.\r\nWe also have artifacts available from our cases such as pcaps, memory captures, files, event logs including\r\nSysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nIntrusion statistics aligned to the MITRE ATT\u0026CK framework\r\nInitial Access\r\nOver the last year, we have witnessed numerous intrusions where malware variants such as Trickbot, Hancitor,\r\nBazar, and IcedID have been utilized as an entry point for ransomware attacks. 
In the majority of the intrusions,\r\nthe malware was distributed in the form of non-targeted phishing, such as mass malware spam campaigns.\r\nInitial Access Sources 2021.\r\nhttps://thedfirreport.com/2022/03/07/2021-year-in-review/\r\nPage 1 of 17\n\nOur reports tend to focus on instances where phishing is the initial vector, as was the case in 16 of 20 reports.\r\nAlthough we still experience cases of threat actors compromising vulnerable web-facing applications, those cases\r\ndo not always turn into a large-scale intrusion. Our report on Exchange Exploit Leads to Domain Wide\r\nRansomware was the only case where the threat actors actively sought to deploy ransomware after getting access\r\nthrough a vulnerable application. The other two cases (All that for a Coinminer? and WebLogic RCE Leads to\r\nXMRig) are a good representation of less impactful malicious activity, where the threat actors installed\r\ncryptominers. However, we believe that these intrusions can signal vulnerabilities that need immediate patching\r\nand remediation before being exploited by a threat actor seeking larger scale objectives.\r\nPhishing was the main initial access vector for our cases in 2021. The malware vectors we saw in 2021 were:\r\n1. TrickBot\r\n2. Bazar\r\n3. IcedID\r\n4. Hancitor\r\nThe below graphic displays the tools/methods used by threat actors after getting initial access via the initial access\r\nmalware listed above.\r\nPersistence\r\nAfter execution of the initial access malware, many threat actors deploy persistence mechanisms, such as the\r\ncreation of scheduled tasks, deployment of web shells, remote access software and registry “Run” keys.\r\nScheduled Task Example (reference)\r\nAdd New User Example (reference)\r\nRegistry Run Key Example (reference)\r\nIn 14 of 20 cases, persistence was observed. 
Scheduled tasks were the most common persistence method observed\r\nin our intrusions. In most, if not all, cases, scheduled tasks, BITS jobs, and registry run keys were executed from the\r\ninitial malware vector. When we look at the later stages of the attack, during post-exploitation activities, we can\r\nsee that the threat actors favor new user additions and third-party remote access software as the main persistence\r\ntechniques.\r\nIn some cases, we did not observe any typical form of persistence during the entire intrusion. However, we found\r\nthat these threat actors seem to prefer to broaden their access throughout the network by launching several Cobalt\r\nStrike beacon sessions. In this way, they can maintain their presence even if one or more compromised\r\nworkstations become inaccessible. Servers, which are more likely to remain online than a typical workstation, are\r\noften chosen during this beacon deployment phase.\r\nAnother common method observed to maintain access is by installing third-party remote access software such as\r\nAnyDesk, TeamViewer, Splashtop and Atera. An interesting observation is that the majority of this activity\r\noccurred on compromised domain controllers.\r\nHere’s an example from the Conti Leaks that shows the process of how they install AnyDesk:\r\nThis AnyDesk activity was also observed in our Diavol Ransomware case.\r\nPrivilege Escalation/Credential Access\r\nWith respect to credential access, multiple techniques were utilized by the threat actors. Some of the notable ones\r\nare: dumping of LSASS using Task Manager and ProcDump, creation of a copy of NTDS.dit using ntdsutil.exe\r\nand extraction of SAM, SECURITY and SYSTEM hives.\r\nDepending on the level of access, threat actors are looking to escalate privileges on the beachhead host to leverage\r\nhigh integrity Beacon sessions. 
Having high integrity access allows them to access credentials from the host using\r\nvarious methods. Below, we highlight the privilege escalation and credential access methods observed across our\r\n2021 reports.\r\nAccessing the LSASS process is the method that we see used by threat actors in the majority of the cases. Using\r\nCobalt Strike, attackers can extract credentials from the LSASS process either with the use of Mimikatz or by\r\naccessing the security hives. We covered related detections in our Cobalt Strike, a Defender’s Guide.\r\nThreat actors can also use third-party tools such as ProcDump or even Task Manager in cases where remote\r\ninteractive access is possible. These methods allow them to dump the LSASS process to disk and take it offline to\r\nextract the credentials.\r\nProcDump Example (reference)\r\nTask Manager Example (reference)\r\nDefense Evasion\r\nWhen it comes to defense evasion, we noticed that process injection techniques were very common among threat\r\nactors. This allows them to establish additional Beacons on the already compromised hosts, to avoid detection.\r\nIn five separate cases, we encountered threat actors disabling security tools using various methods. One of the\r\nmost notable cases was the IcedID to XingLocker Ransomware in 24 hours case. In that case, the attackers used\r\nmultiple batch files to disable well-known AV and EDR agents on the host. 
The batch scripts came from the first\r\nrevision of Revisions · quick-disable-windows-defender.bat · GitHub, which was used by the ransomware\r\noperators without making any changes.\r\nMasquerading Example (reference)\r\nObfuscation Example (reference)\r\nDiscovery\r\nOnce access is established, threat actors then need to enumerate the victim environment. Common initial\r\ndiscovery tools include Windows built-in utilities (net.exe, nltest.exe, systeminfo, ipconfig, whoami, etc.) and the\r\nAdFind tool. In a few cases, adversaries attempted to get a listing of open ports/running services on remote hosts\r\nby performing port scans using tools such as Advanced IP Scanner and KPortScan 3.0.\r\nThe first thing we observe from hands-on keyboard operators is usually additional discovery activity. We see\r\nthreat actors concentrate on searching for the Domain Controllers and general environmental information.\r\nThe statistics below illustrate the most used Windows tools for enumerating the environment. We compare each\r\ntool to the total percent of cases investigated.\r\nWe see the enumeration commands executed in a short time span, between 1 and 5 seconds. The execution is usually\r\ndone through post-exploitation frameworks (Cobalt Strike in most cases).\r\nThe example below is taken from the case: From Zero to Domain Admin\r\nC:\\Windows\\system32\\cmd.exe /C net time\r\nC:\\Windows\\system32\\cmd.exe /C ping [Domain Controller]\r\nC:\\Windows\\system32\\cmd.exe /C nltest /dclist:[Domain Name]\r\nC:\\Windows\\system32\\cmd.exe /C Net group \"Domain Admins\" /domain \\\r\nC:\\Windows\\system32\\cmd.exe /C nslookup\r\nC:\\Windows\\system32\\cmd.exe /C ping 190.114.254.116\r\nC:\\Windows\\system32\\cmd.exe /C net group /domain\r\nLateral Movement\r\nLateral movement is a vital component of threat actor TTPs. 
Once they get the lay of the land through the\r\ndiscovery methods we outlined above, we repeatedly see them move laterally across the network. Domain\r\nControllers, file shares and similarly high-value servers are primary targets.\r\nThe number one post-exploitation framework of choice, Cobalt Strike, allows threat actors to leverage different\r\ntechniques for the purpose of lateral movement.\r\nOther common choices for threat actors include Remote Desktop connections, remote WMI execution of\r\ntransferred binaries, and the Sysinternals tool PsExec.\r\n(updated 3/7/22 @ 1330 UTC)\r\nWMIC Lateral Movement Example (reference)\r\nPsExec Example (reference)\r\nCommand and Control\r\nOne common theme seen across the majority of the intrusions has been the reliance on Cobalt Strike for\r\nperforming post-exploitation activities. In almost all cases, the initial access brokers such as Trickbot and Bazar\r\ndropped multiple Cobalt Strike beacons across the victim environment.\r\nFor an in-depth breakdown of some of the network operations of Cobalt Strike see our recent report on the topic.\r\nExfiltration\r\nWhile exfiltration of data was not a common sight in our data set, we observed exfil in 6 of the 20 cases. In the\r\ncases where data exfiltration was observed, the threat actors used tools such as RClone, FileZilla, or WinSCP to\r\ntransfer the data to their controlled servers. In many other cases, threat actors downloaded sensitive data via\r\nCobalt Strike Beacons.\r\nOne notable case for the year was the Diavol Ransomware. Ransomware operators used ufile.io to upload the\r\nLSASS dump file they extracted from one of the domain controllers.\r\nTo wrap up this chapter, we’d like to provide an overview of the tools that we’ve seen attackers employ this year.\r\nWe included the tools in their respective phases of attack after seeing them in action. 
We used the MITRE\r\nATT\u0026CK framework to show how these tools work at various phases of an attack.\r\nIndicators of Attack/Behavior-based information focusing on the human element\r\nIn our cases, we frequently observe hands-on keyboard activity by the threat actor during the intrusion. This\r\nprovides a unique insight into the human side of the attack – how they conduct operations, respond to challenges,\r\nand how they use the tooling to achieve effects. This provides further detection opportunities, in addition to\r\nIndicators of Compromise (IoC) and Indicators of Activity (IoA).\r\nIt is impressive to see that, in some instances, threat actors have adapted their tools, techniques, and procedures\r\n(TTPs) to evade detection. In other cases, we’ve observed operator mistakes, errors of judgement, and operational\r\nsecurity (OPSEC) failures. We have also witnessed some of the challenges they encounter during intrusions.\r\nLooking into the early Cyber Kill Chain steps of the intrusions, we see that some tasks are automated. However,\r\nonce an attacker is within a target’s operating environment, many activities often require hands-on keyboard\r\nintervention by the operator in order to continue with their objectives. During this period, all the attacker’s hands-on keyboard activities can bring risk of detection or bring them one step closer to their objectives. 
Some of the\r\ntypical hands-on keyboard activities include:\r\nDiscovering security audit tools\r\nOvercoming security tools by disabling them altogether\r\nEncountering lateral movement barriers and seeking alternative approaches, etc.\r\nWe looked into the most common and most unusual attacker activities, which we discuss\r\nbelow, from attackers’ tooling configurations to usage and conduct during intrusions.\r\nCobalt Strike\r\nA common trend observed in our cases is the use of Cobalt Strike, which is usually configured with a standard\r\nmalleable C2 profile. A malleable C2 profile specifies a number of parameters, such as user agent string, spawn-to\r\nprocess, jitter, etc. Most of the default profiles are well known and can be detected by host and network monitoring\r\nrules.\r\nCobalt Strike continues to be the top post-exploitation tool favored by most threat actor groups, with the most\r\npopular malleable C2 profile observed this year being ‘jquery-3.3.1.min.js’ with the relevant Beacon spawning\r\nunder Rundll32.exe. The chart below illustrates the most popular spawn-as executable types and some rare ones,\r\nsuch as calc.exe, that we saw in 2021.\r\nFor further information on Cobalt Strike malleable C2 profiles and possible avenues for detection, check out our\r\nsecond Cobalt Strike report – Cobalt Strike, a Defender’s Guide – Part 2.\r\nThou shall follow the playbook\r\nFollowing the playbook in the literal sense, copying and pasting commands, is more common than expected. We\r\nhave observed cases where operators kept entering misspelled commands taken from documentation. 
In one case,\r\nwe observed the operator copying and pasting commands from a script, neglecting to provide the actual IPv4\r\naddresses as the required parameter:\r\nIn the BazarLoader and the Conti Leaks case, the operator accidentally entered a Cobalt Strike command via the\r\nWindows command line:\r\nWe can only assume that the operators attempted to invoke a Cobalt Strike aggressor script to enumerate and\r\ndiscover the installed AV. Later on, in 2021, the Conti playbooks were leaked, allowing us to link this activity with\r\nthe operator’s hands-on keyboard-related task. We were then able to reference many of the observed activities in\r\nour previous cases and provide insights through our Twitter account:\r\nBYOT (Bring Your Own Tools)\r\nWe are astonished by the number of tools brought into an intrusion. Along with third-party tooling, living-off-the-land techniques are routinely observed – especially during the discovery phase. Bringing tools into an\r\nenvironment introduces several risks for the operator and opportunities for the defender from a detection point of\r\nview. Some of those risks include detection and blocking by AV, software incompatibilities, software restriction\r\npolicies, etc. As discussed in the sections above, the most popular tool observed this year is AdFind. AdFind is the\r\nusual suspect in almost every intrusion we report. In 2020, we published a whole article covering this tool.\r\nOther tools and scripts we have encountered during the past year across a number of published cases are illustrated\r\nbelow:\r\nOccasionally, we observe threat actors making changes to their tool configurations inside the infected host. 
Below\r\nis an example where threat actors made the necessary changes before a successful ransomware execution.\r\nCase: CONTInuing the Bazar Ransomware Story\r\nEvery Contact Leaves a Trace\r\nEvery case provides us with a range of artifacts that are left behind on hosts, either intentionally (threat actor\r\nbringing own tools) or as a byproduct (execution of commands via prefetch). Artifacts can include scripts, tools,\r\nbeacons, staged files, etc.\r\nA common trend observed is that there is very little effort to remove traces during and after the intrusion. Some\r\nexamples from our cases include:\r\nRunning beacons that have failed to call home, resulting in persistent DNS callback requests from processes that\r\nwouldn’t be expected to make a high volume of requests. Look for domain traffic where the polling requests have a\r\nconsistent trend profile. In this example, a beacon is sending heartbeats to an unreachable C2 server; notice that\r\nthe requests per hour and per day are consistent.\r\nResults of various tools/scripts are left behind along with the tools themselves, i.e. 
text files containing collected\r\nhost details from discovery, executable beacons in user folders, etc.\r\nBloodHound files dropped to disk\r\nAdFind results written to disk\r\nTask Manager dumping LSASS\r\nAttacker Infrastructure\r\nWe have observed several instances where the threat actor’s infrastructure becomes exposed during the intrusion.\r\nOne example includes the operator’s source machine during a remote desktop session – CONTInuing the Bazar\r\nRansomware.\r\nAnother case was during what we believe to have been a technical issue: a hosted beacon was remotely pulled\r\n(out-of-band comms) rather than through the standard C2 that was already established – BazarCall to Conti\r\nRansomware via Trickbot and Cobalt Strike. The payload was available from a public-facing IP, and pulled using\r\nthe curl command (evident from the curl user agent string).\r\nNot all intrusions are successful; sometimes, attackers come across technical issues. Some issues include tooling\r\nthat doesn’t function as expected and other environment-specific challenges that would slow down expansion\r\nwithin the network.\r\nFingerprinting\r\nFingerprinting threat actors’ craftsmanship is one of the more fascinating conclusions made when investigating\r\nartifacts. In the case of CONTInuing the Bazar Ransomware Story, the use of profanity was embedded within the\r\nHTA file.\r\nThese can be useful IoCs in and of themselves. In other circumstances, threat actors spend considerable effort\r\ndeveloping bespoke software, only to leave identifiers such as helpful group names and version numbers.\r\nFinal Advice for Defenders\r\nFrom a defender’s perspective, each of the above points provides various detection opportunities. 
These could\r\ninclude recognizing outlier behavior, such as binaries executing from non-standard locations, or detecting outlier\r\nactivity, such as a high frequency of crashes within a short period of each other.\r\nReducing your attack surface and patching regularly can produce some big wins and avoid some common scenarios we\r\nhave seen in 2021, such as initial compromises through Log4j and ProxyShell/ProxyLogon exploits. Disabling\r\nmacros and forcing scriptable files to open in Notepad will also provide a high level of return on investment.\r\nWe would like to highlight a few guides that CISA has released that can assist defenders and organizations in\r\ngetting their attack surface under control.\r\nStuff off Search\r\nBy using various online search platforms it is possible to get an understanding of what services, assets and devices\r\nare exposed on the internet. Reducing this footprint limits the adversaries’ potential entries into the organization’s\r\nnetwork.\r\nKnown Exploited Vulnerabilities \u0026 Top Routinely Exploited Vulnerabilities in 2021\r\nUsing these resources along with “S.O.S”, defenders and organizations can identify the vulnerabilities associated\r\nwith their exposed assets. 
By prioritizing assets that have known vulnerabilities which are actively exploited, the\r\norganization can remediate risk more quickly and focus on things that provide a high return on investment.\r\nCISA, ASD/ACSC, Mandiant, Microsoft and the UK NCSC have plenty of information and guides regarding\r\nprotecting against ransomware and general best practices for logging, network architecture and tips for everyday\r\nusers.\r\nCISA – Ransomware Guide\r\nRansomware Prevention Best Practices\r\nRansomware Response Checklist\r\nUK NCSC – Mitigating malware and ransomware attacks\r\nHow to defend organizations against malware or ransomware attacks\r\nASD/ACSC – Protect yourself against ransomware attacks\r\nHow people can protect themselves against ransomware attacks\r\nMicrosoft – Rapidly protect against ransomware and extortion\r\nHow to protect your organization from ransomware\r\nMandiant – Ransomware Protection and Containment Strategies\r\nPractical Guidance for Endpoint Protection, Hardening and Containment\r\nMany of the ransomware TTPs are not complex or stealthy. One of the primary reasons behind this is that they do\r\nnot need to be stealthy to achieve their goals. We commonly see threat actors use Cobalt Strike more than other\r\nimplants due to the ease of use and the fact that it is a really powerful post-exploitation framework.\r\nWe have released a two-part guide about Cobalt Strike to assist defenders in understanding more and, hopefully,\r\nbeing better equipped to detect this framework. The guide can be found here:\r\nhttps://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\r\nhttps://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/\r\nOutlook\r\nThere is no magic bullet to make ransomware disappear, and we anticipate that ransomware-based attacks will\r\ncontinue while incentives remain. 
Across the globe, multiple countries such as the USA, Australia and the Netherlands have\r\nannounced task forces to focus on the ransomware threat.\r\nAustralia specifically announced their “Ransomware Action Plan” and planned to achieve part of it using\r\noffensive cyber capabilities [1]. The Netherlands has also announced similar efforts [2]. Ransomware actors may\r\nbecome risk-averse and select their targets more carefully to avoid being attacked by such operations. We also hope to\r\nsee more ransomware groups brought down in the following year as a consequence of such operations.\r\n[1] https://www.homeaffairs.gov.au/cyber-security-subsite/files/ransomware-action-plan.pdf\r\n[2] https://securityaffairs.co/wordpress/123113/security/the-netherlands-war-ransomware-operations.html\r\nResources\r\nhttps://www.cisa.gov/stopransomware\r\nhttps://www.ncsc.gov.uk/ransomware/home\r\nhttps://www.cyber.gov.au/ransomware\r\nReferences\r\nOpSec for Russians – https://grugq.github.io/presentations/Keynote_The_Grugq_-_OPSEC_for_Russians.pdf\r\nA Deep Dive into Cobalt Strike Malleable C2 – https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b\r\nSource: https://thedfirreport.com/2022/03/07/2021-year-in-review/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2022/03/07/2021-year-in-review/"
	],
	"report_names": [
		"2021-year-in-review"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b984bbed623c6fb862952fb0f8fd70eb9aff4f0.pdf",
		"text": "https://archive.orkl.eu/5b984bbed623c6fb862952fb0f8fd70eb9aff4f0.txt",
		"img": "https://archive.orkl.eu/5b984bbed623c6fb862952fb0f8fd70eb9aff4f0.jpg"
	}
}