Category: DFIR

Velociraptor Process Injection Hunting: Full Investigation Enrichment
Enriching Velociraptor injection findings by cross-referencing memory images, Windows event logs, filesystem artefacts, Zeek network telemetry, and lateral movement indicators into a complete investigation narrative.
Velociraptor Process Injection Hunting: Finding Executables Not Backed by Disk
A complete walkthrough of using Velociraptor VQL to detect process injection by finding anonymous executable memory regions, PE headers loaded without disk backing, and active threads executing injected code. Includes a full reusable hunt artefact.
Credential Dumping from LSASS: What the Logs Actually Show
Most guides on LSASS credential dumping focus on the attacker side. This one focuses on what you actually see in the event logs when it happens in your environment.
Using Velociraptor for Live Response on Windows
Velociraptor is free, fast, and genuinely useful for rapid triage. A walkthrough of setting it up and collecting artefacts from a simulated compromised host.
Event ID 4688 and Why Process Auditing Matters More Than You Think
If you are not logging process creation with command line arguments enabled, you are missing a significant chunk of attacker activity.
Webshells in the Wild: How They Get Installed and How to Find Them
Webshells are among the most persistent post-exploitation tools in web-facing attacks. This covers how they get installed, the most common variants, and the filesystem, process, and network indicators that give them away.
Upgrading My Home Lab: Adding a SIEM Stack on a Budget
After running a basic VM setup for a year, how I stood up Elastic SIEM without spending money on hardware I did not need.
Amcache and Shimcache: The Artefacts Attackers Forget to Clean Up
Two Windows artefacts that consistently come up in investigations because attackers rarely think to clear them.
Windows Prefetch Files in Incident Response
Prefetch files can tell you what ran, when it ran, and sometimes from where - even after the original executable has been deleted.
My Windows DFIR Checklist for Initial Triage
After working through enough incidents and CTF challenges, a checklist that covers the things that matter most in the first 30 minutes.