Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump
Assumption: It is assumed that the attacker has got hold of the local admin account on the domain controller (DC) where AAD Connect is…
Dec 30, 2021

UserAssist — with a pinch of Salt — As an “Evidence of Execution”
Lately, I have been experimenting with UserAssist keys on my Windows 10 machine with OS build 18362. I have seen some interesting…
Nov 2, 2020

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 5] — A…
In this series of articles on “Must-know Process Internals for Memory Forensics” — we have traversed through ActiveProcessLinks…
Sep 13, 2020

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 4] —…
What is a Virtual Address Descriptor (VAD)?
Sep 1, 2020

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 3] —…
This is Part 3 of the series of articles “Windows Process Internals: A few Concepts to know before jumping on Memory Forensics”.
Aug 29, 2020

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 2] —…
Ldrmodules is one of the trusted plugins of the Volatility suite for detecting DLL-hiding or injection activities in process memory. I…
Aug 25, 2020

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics
I have been revising memory forensics lately and realized that there are very important concepts related to Windows Internals that need to…
Jul 26, 2020

Detecting Lateral Movement 101 (Part-2): Hunting for malcode Execution via WMI using Windows Event…
MITRE ATT&CK Reference — Tactic: Execution; Technique ID: T1047 — Windows Management Instrumentation (WMI)
Jul 22, 2020