Hejely Lab
DFIR | Threat Hunting
List of all categories

IRC
  - How to find out if there is persistence using WMI?
  - How to identify malicious processes by comparing an infected memory image with a clean baseline one?
  - How to identify process hollowing in a memory image?
  - How to find out if there is persistence using Image File Execution Options (IFEO)?
  - How to find out if there is persistence using Registry run keys or Startup Folders?
  - How to prove there was a lateral movement using PsExec via EventLogs?
  - What information can you retrieve from lateral movement performed via RDP?
  - What folders were accessed by a specific user?
  - Was a USB connected to system?
  - Was a specific file deleted from filesystem?
  - Was a malicious application executed on system?
  - Was a specific file accessed by this user?
  - Was there timestomping on the analyzed system?

Timestomping
  - Was there timestomping on the analyzed system?

Digital Forensics
  - How to find out if there is persistence using WMI?
  - Windows Management Instrumentation (WMI)
  - How to identify malicious processes by comparing an infected memory image with a clean baseline one?
  - How to identify process hollowing in a memory image?
  - How to find out if there is persistence using Image File Execution Options (IFEO)?
  - How to find out if there is persistence using Registry run keys or Startup Folders?
  - How to prove there was a lateral movement using PsExec via EventLogs?
  - What information can you retrieve from lateral movement performed via RDP?
  - What folders were accessed by a specific user?
  - Was a USB connected to system?
  - Was a specific file deleted from filesystem?
  - Was a malicious application executed on system?
  - Was a specific file accessed by this user?

NTFS
  - Was a specific file deleted from filesystem?

Journaling
  - Was a specific file deleted from filesystem?

Shellbags
  - What folders were accessed by a specific user?

Lateral Movement
  - Windows Management Instrumentation (WMI)
  - How to prove there was a lateral movement using PsExec via EventLogs?

Persistence
  - Incident Response & Threat Hunting Series, Autoruns
  - How to find out if there is persistence using WMI?
  - Windows Management Instrumentation (WMI)
  - How to find out if there is persistence using Image File Execution Options (IFEO)?
  - How to find out if there is persistence using Registry run keys or Startup Folders?

Memory Investigation
  - How to identify malicious processes by comparing an infected memory image with a clean baseline one?
  - How to identify process hollowing in a memory image?

Incident Response & Threat Hunting Series
  - Incident Response & Threat Hunting Series, Evidence Collection
  - Incident Response & Threat Hunting Series, Autoruns
  - Incident Response & Threat Hunting Series, Search Files & Content
  - Incident Response & Threat Hunting Series, Asset Inventory
  - Incident Response & Threat Hunting Series, Velociraptor EDR GUI Introduction
  - Incident Response & Threat Hunting Series, Velociraptor EDR Deployment in an AD Domain
  - Incident Response & Threat Hunting Series, Introduction