Lateral Movement - Remote Desktop Protocol (RDP) Artifacts
Learn about the various artifacts created to help investigate lateral movement via RDP on both the source and target system.
Oct 1 · 7 min read
Lateral Movement - Remote Desktop Protocol (RDP) Event Logs
Identify the important Windows Event logs to hunt RDP lateral movement, both from the source and target system.
Jul 28 · 6 min read
RDP Bitmap Cache - Piece(s) of the Puzzle
Investigate the puzzle pieces of RDP bitmap cache and how to stitch these together to get the (sorta) full picture.
Jun 19 · 5 min read
Windows Defender MP Logs - A Story of Artifacts
What are the Windows Defender MP logs? What information do they contain and how can we use them in an investigation?
May 8 · 6 min read
SUM UAL - Investigating Server Access with User Access Logging
Learn what the SUM UAL database is and how it can help make or break DFIR analysis.
Apr 27 · 5 min read
Linux Forensics - Collecting a Triage Image Using The UAC Tool
Learn how to take a triage image of a *nix based system using the UAC tool.
Apr 16 · 6 min read
Respond and Investigate a Compromised Google Workspace User
Learn how to respond and investigate a compromised Google Workspace user.
Mar 28 · 4 min read
Minimizing Malicious Script Execution
Learn some quick wins to minimize malicious script execution.
Mar 11 · 5 min read
Evidence of Program Existence - Amcache
Learn the mystery of the Amcache artifact and how to use it in your DFIR cases.
Jan 21 · 4 min read
Evidence of Program Existence - Shimcache
Learn what Shimcache is, how to analyze it, and why it's misunderstood.
Oct 15, 2023 · 8 min read
Investigating a Compromised Web Server
Learn how to investigate a compromised web server and the logs that exist to assist in your analysis.
Oct 9, 2023 · 5 min read
Artifacts of Execution: Prefetch - Part One
Learn how to identify what programs were executed during an incident with the Prefetch artifact.
Oct 5, 2023 · 4 min read
Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence
During an Incident Response (IR) engagement, I'm often asked what artifacts I look at for analysis. Sure, Event Logs are fantastic, the...
Sep 22, 2023 · 8 min read
Cloud Incident Response: Investigating AWS Incidents
Learn the basics of AWS investigations and the logs that exist.
Aug 18, 2023 · 5 min read
Sysmon: When Visibility is Key
Learn why visibility is everything when responding to an incident.
Aug 12, 2023 · 5 min read
A LNK To The Past: Utilizing LNK Files For Your Investigations
We've all heard of "Link" or "LNK" files, right? You want a faster way to open your favorite game, document or application without need...