About the author
Nelley, 乃力.
Just a villager.
Related cases
Hackers made it onto one of our production servers 😅. We've isolated it from the internet until we can clean the machine up. The IR team reported eight different backdoors on the server, but didn't say what they were and we can't get in touch with them. We need to get this server back into prod ASAP - we're losing money every second it's down. Please find the eight backdoors (both remote access and privilege escalation) and remove them. Once...
First examine the pcap and trace the TCP/HTTP streams. "tcp.stream eq 1" looks like an obfuscated PowerShell script, "tcp.stream eq 2" looks like an executable, and "tcp.stream eq 3" shows traffic we cannot yet understand. So far we have an idea that:
1. A request to 147.182.172.189 received a response containing 4A7xH.ps1.
2. A request to the same IP received an executable, user32.dll.
3. A request to the same IP received a response that we cannot understand so far.
De-obfuscated the PS script leveraging pwsh...