Forty-Seven Alerts at 2 AM and One of Them Was Real
A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…
A Backdoor Hiding in Plain Sight
During a quarterly security review for a client running a 200-seat Windows environment, we found a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls that had been…
The Clock Is Already Running
Your SIEM flags a suspicious PowerShell execution on a domain controller at 11:43 PM. The endpoint detection tool confirms process injection consistent with MITRE ATT&CK…
A Plaintext Password That Cost a Client $200K
Last year we inherited a managed environment from another vendor—a mid-size logistics company running 40+ scheduled PowerShell scripts across their domain controllers…
It is 3 AM. Your SIEM is generating Kerberos pre-authentication failures across 47 workstations. You escalate to Tier 3 and begin triage. The answer is not malware, not a credential…
When Unencrypted East-West Traffic Becomes the Attacker’s Highway
We were brought in after a healthcare provider’s internal audit flagged something alarming: a credential-harvesting tool had been sitting quietly on a…
During a network security review for a logistics company we took over last year, we pulled their Windows Server 2025 IPsec policy and found the main mode crypto set negotiating…
A financial services client we took on last year had been running IPsec between their domain controllers and application servers for three years. Solid concept. The execution was a different…
It is 2:47 AM. Your SIEM fires a privilege escalation alert on a production Linux host. You pull the process tree and find the origin: a Docker container launched six…
The alert came in at 2:47 AM. File shares encrypted. Domain controllers unreachable. The backup server — also encrypted. The client’s IT lead called it a total loss. Twenty minutes…