From ScreenConnect to Hive Ransomware in 61 hours
ID: 938595cd-78d0-551d-a06b-3c8bf2f6e599
STIX ID: report--938595cd-78d0-551d-a06b-3c8bf2f6e599
Feed Name: The DFIR Report
This DFIR investigation documents a multi-stage intrusion (Oct 2022) in which a user-executed dropper installed the ScreenConnect RMM tool, giving the attackers a foothold from which they ran discovery, staged Cobalt Strike and Metasploit backdoors (including a trojanized ApacheBench binary and Powerfun shells), dumped credentials with Mimikatz, exfiltrated large volumes of data with Rclone over SFTP, and deployed Hive ransomware (manually, with an attempted domain-wide GPO deployment). Time-to-ransom was 61 hours; the report provides numerous IoCs and detection guidance.
