Windows USB Forensics: Tracking External Device Connections
Forty-Seven USB Drives Walk Into a Network A financial services client called us on a Friday afternoon. Their DLP solution flagged 14 GB of data copied to a removable device,…
Ransomware Encryption Analysis: Attack Mechanics on Windows
Forty-Seven Alerts at 2 AM and One of Them Was Real A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…
Forensic Triage on Windows: Rapid Evidence Collection
The Clock Is Already Running Your SIEM flags a suspicious PowerShell execution on a domain controller at 11:43 PM. The endpoint detection tool confirms process injection consistent with MITRE ATT&CK…
Using the PowerShell Certificate Provider for Cert Management
It is 3 AM. Your SIEM is generating Kerberos pre-authentication failures across 47 workstations. You escalate to Tier 3 and begin triage. The answer is not malware, not a credential…
Set-NetIPsecMainModeCryptoSet: Enforce IKE Encryption in PowerShell
During a network security review for a logistics company we took over last year, we pulled their Windows Server 2025 IPsec policy and found the main mode crypto set negotiating…
Docker Container Security: 15-Checkpoint Audit
It is 2:47 AM. Your SIEM fires a privilege escalation alert on a production Linux host. You pull the process tree and find the origin: a Docker container launched six…
Microsoft Defender for Office 365: Configuration Audit Checklist
The Audit Starts Before You Open the Console A financial services client came to us after a compliance review flagged an eleven-day gap in their Office 365 threat detection. They…
Threat Hunting Techniques: A SOC Readiness Audit
Your SIEM generated zero critical alerts during the four-hour window on Tuesday night. Your first instinct is to call it a quiet shift. But three of the most damaging incidents…