Malicious ISO File Leads to Domain Wide Ransomware
ID: 049eb619-7f31-5455-b525-f861decfaf50
STIX ID: report--049eb619-7f31-5455-b525-f861decfaf50
Feed Name: The DFIR Report
This DFIR report documents a late-September 2022 intrusion that began with IcedID delivered via a malicious ISO, escalated to Cobalt Strike beacons and hands-on-keyboard activity, leveraged ZeroLogon and named-pipe/Winlogon token impersonation for privilege escalation, exfiltrated backups to Mega using rclone, and culminated in deployment of Quantum ransomware that encrypted all domain-joined systems. The report provides detailed TTPs, network and file IOCs (domains, IPs, file names, and hashes), and detection guidance.
