Configuring AD Audit Policies with PowerShell and GPO
A Missed Event Log Cost a Client Their Domain Admin Last year, a mid-size logistics company we manage came to us after discovering that a domain admin account had been…
Windows USB Forensics: Tracking External Device Connections
Forty-Seven USB Drives Walk Into a Network A financial services client called us on a Friday afternoon. Their DLP solution flagged 14 GB of data copied to a removable device,…
Kubernetes Secrets Management: Encryption at Rest Audit
A Base64 String Is Not a Security Strategy Last year we were brought in to assess a mid-sized fintech company’s Kubernetes environment after a failed compliance audit. Their security team…
Ransomware Encryption Analysis: Attack Mechanics on Windows
Forty-Seven Alerts at 2 AM and One of Them Was Real A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…
Using Autoruns to Audit Every Windows Autostart Location
A Backdoor Hiding in Plain Sight During a quarterly security review for a client running a 200-seat Windows environment, we found a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls that had been…
Forensic Triage on Windows: Rapid Evidence Collection
The Clock Is Already Running Your SIEM flags a suspicious PowerShell execution on a domain controller at 11:43 PM. The endpoint detection tool confirms process injection consistent with MITRE ATT&CK…
Encoding Passwords Securely in PowerShell Enterprise Scripts
A Plaintext Password That Cost a Client $200K Last year we inherited a managed environment from another vendor—a mid-size logistics company running 40+ scheduled PowerShell scripts across their domain controllers…
Using the PowerShell Certificate Provider for Cert Management
It is 3 AM. Your SIEM is generating Kerberos pre-authentication failures across 47 workstations. You escalate to Tier 3 and begin triage. The answer is not malware, not a credential…
PowerShell NetIPsec Module: IPsec Policies on Server 2025
When Unencrypted East-West Traffic Becomes the Attacker’s Highway We were brought in after a healthcare provider’s internal audit flagged something alarming: a credential-harvesting tool had been sitting quietly on a…
Set-NetIPsecMainModeCryptoSet: Enforce IKE Encryption in PowerShell
During a network security review for a logistics company we took over last year, we pulled their Windows Server 2025 IPsec policy and found the main mode crypto set negotiating…