Lateral Movement - Remote Desktop Protocol (RDP) Event Logs
Identify the important Windows Event logs to hunt RDP lateral movement, both from the source and target system.
- Jul 28
- 6 min
RDP Bitmap Cache - Piece(s) of the Puzzle
Investigate the puzzle pieces of RDP bitmap cache and how to stitch these together to get the (sorta) full picture.
- Jun 19
- 5 min
Windows Defender MP Logs - A Story of Artifacts
What are the Windows Defender MP logs? What information do they contain and how can we use them in an investigation?
- May 8
- 6 min
SUM UAL - Investigating Server Access with User Access Logging
Learn what the SUM UAL database is and how it can help make or break DFIR analysis.
- Apr 27
- 5 min
Linux Forensics - Collecting a Triage Image Using The UAC Tool
Learn how to take a triage image of a *nix based system using the UAC tool.
- Apr 16
- 6 min
Respond and Investigate a Compromised Google Workspace User
Learn how to respond and investigate a compromised Google Workspace user.
- Mar 28
- 4 min
Minimizing Malicious Script Execution
Learn some quick wins to minimize malicious script execution.
- Mar 11
- 5 min
Evidence of Program Existence - Amcache
Learn the mystery of the Amcache artifact and how to use it in your DFIR cases.
- Jan 21
- 4 min
Evidence of Program Existence - Shimcache
Learn what Shimcache is, how to analyze it, and why it's misunderstood.
- Oct 15, 2023
- 8 min
Investigating a Compromised Web Server
Learn how to investigate a compromised web server and the logs that exist to assist in your analysis.
- Oct 9, 2023
- 5 min
Artifacts of Execution: Prefetch - Part One
Learn how to identify what programs were executed during an incident with the Prefetch artifact.
- Oct 5, 2023
- 4 min
Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence
During an Incident Response (IR) engagement, I'm often asked what artifacts I look at for analysis. Sure, Event Logs are fantastic, the...
- Sep 22, 2023
- 8 min
Cloud Incident Response: Investigating AWS Incidents
Learn the basics of AWS investigations and the logs that exist.
- Aug 18, 2023
- 5 min
Sysmon: When Visibility is Key
Learn why visibility is everything when responding to an incident.
- Aug 12, 2023
- 5 min
A LNK To The Past: Utilizing LNK Files For Your Investigations
We've all heard of "Link" or "LNK" files, right? You want a faster way to open your favorite game, document or application without need...