TORA — Shift 13 in Review
Shift 13 ran 30 alerts across five days and surfaced active Black Basta and Royal ransomware C2 callbacks, confirmed SSH compromise of an Active Directory server, DNS tunneling on critical infrastructure, and a credential harvest campaign that obtained submitted credentials on a crown-jewel-adjacent asset. Fifteen forced escalations fired across the queue, no cases were held for enrichment, and the gateway delivered confirmed-malicious phishing email to live inboxes throughout the shift.
↗