Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump
Author: imp hash | 7 min read | Dec 30, 2021
Assumption: It is assumed that the attacker has got hold of the local admin account on the domain controller (DC) where AAD Connect is…

UserAssist — with a pinch of Salt — As an “Evidence of Execution”
Author: imp hash | 6 min read | Nov 2, 2020
Lately, I have been experimenting with UserAssist keys on my Windows 10 machine with OS build 18362. I have seen some interesting…

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 5] — A…
Author: imp hash | 7 min read | Sep 13, 2020
In this series of articles, “Must know Process Internals for Memory Forensics”, we have traversed through ActiveProcessLinks…

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 4] —…
Author: imp hash | 6 min read | Sep 1, 2020
What is a Virtual Address Descriptor (VAD)?

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 3] —…
Author: imp hash | 4 min read | Aug 29, 2020
This is Part 3 of the article series “Windows Process Internals: A few Concepts to know before jumping on Memory Forensics”.

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 2] —…
Author: imp hash | 4 min read | Aug 25, 2020
Ldrmodules is one of the trusted plugins of the Volatility suite for detecting DLL-hiding or injection-type activity in a process's memory. I…

Windows Process Internals: A few Concepts to know before jumping on Memory Forensics
Author: imp hash | 6 min read | Jul 26, 2020
I have been revising memory forensics lately and realized that there are very important concepts related to Windows Internals that need to…

Detecting Lateral Movement 101 (Part-2): Hunting for malcode Execution via WMI using Windows Event…
Author: imp hash | 5 min read | Jul 22, 2020
MITRE ATT&CK Reference — Tactic: Execution; Technique ID: T1047 — Windows Management Instrumentation (WMI)