DFIR
Table of Contents
Persistence Techniques
- Get-Variable.exe
- Windows Silent Process Exit
- Word Templates
- PowerShell profile
- SSH Backdoor on Windows
MPLog
- Microsoft Protection Log (MPLog)
- Find WebShells with the MPLog
- Yet another example of why the MPLog is awesome
PowerShell
- Module Cache
- PowerShell V2
- Exfiltration with Copy-Item
- PowerShell Script Block Logs
- AutoSaved files from PowerShell ISE
Misc
- Windows Security Package
- AV Logs
- Bloodhound
- How to check GPOs for signs of modifications
- WinSCP Artifacts
- RDP Logs
- Vulnerable Drivers
- Various ways to obfuscate a URL
- Ligolo-ng
- Silly misconfiguration - Great impact
- Windows Firewall Rules
- WMI Event Consumers
- Malpedia
- Hacked WordPress site
- CoinMiner
- FileZilla
- Windows App Sideloading
- Audit breached passwords
- Recover deleted objects from AD