The 2 AM Page That Started This Post
A managed services client called us at 2 AM because a fleet of 180 Windows Server 2022 boxes had stopped autoloading their…
A manufacturing client called us on a Tuesday morning with a problem that didn’t add up. Their endpoint agent had flagged and quarantined a suspicious executable on three workstations. Good.…
Last quarter, we facilitated a tabletop exercise for a financial services client. Their CISO was confident the IR team could handle a ransomware scenario. Forty-five minutes in, three participants couldn’t…
Two Addresses, Two Investigations
Your SIEM fires a high-severity alert at 3 AM. A workstation on the finance VLAN just made an outbound connection to an IP address flagged in…
Forty-Seven USB Drives Walk Into a Network
A financial services client called us on a Friday afternoon. Their DLP solution flagged 14 GB of data copied to a removable device,…
Forty-Seven Alerts at 2 AM and One of Them Was Real
A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…
A Backdoor Hiding in Plain Sight
During a quarterly security review for a client running a 200-seat Windows environment, we found a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls that had been…
The Clock Is Already Running
Your SIEM flags a suspicious PowerShell execution on a domain controller at 11:43 PM. The endpoint detection tool confirms process injection consistent with MITRE ATT&CK…
Three weeks into a ransomware investigation at a mid-size logistics firm, the IR team handed me what they called a “forensic copy” of the infected server. It had been rebooted…
Cybersecurity naming conventions are standardized rules for labeling digital assets – including user accounts, firewall rules, log files, and security policies. Organizations that adopt consistent naming standards reduce misconfiguration risk,…