Spraying the Microsoft Cloud
Adversaries continue to probe and make entry via the cloud perimeter of organisations. Multi-Factor Authentication (MFA) and additional…
Jul 9, 2023

Secedit and I know it!
First, let's talk a bit about auditpol.exe, previous occasions of it being misused and how security policies get applied to Windows hosts.
Nov 24, 2022

Supercharging Bulk DFIR triage with Node-RED, Google's Log2timeline & Google's Timesketch
During the COVID-19 lockdown period, I spent time creating a rule set to get the most out of Google's Timesketch tagging feature. The tagging…
Sep 26, 2021

RDP Goodies
Remote Desktop Protocol (T1021.001) continues to be one of the most favoured lateral movement techniques used by adversaries. This writeup…
Jan 31, 2021

Ngrok Tunnels
FireEye's blogpost about the MAZE group identifies the use of RDP over the Ngrok service as an alternative C2 channel. This article describes…
Aug 19, 2020

Extracting PowerShell Script Blocks Easily via block-parser
Microsoft-Windows-PowerShell%4Operational.evtx can be used to uncover malicious script usage during DFIR investigations. The Scriptblock…
Aug 19, 2020

Shimcache Flush!
A cleanup routine that can be performed by threat actors to flush the Shimcache to remove traces of their malicious activities.
May 27, 2020