Defending Windows Endpoints: Countering Pass-the-Hash Attacks
Pass-the-Hash (PtH) attacks are an insidious and effective technique for lateral movement and privilege escalation in Windows environments. This article explores how PtH works and …
Research on how attackers abuse legitimate Microsoft tools and Windows features.
Pass-the-Hash (PtH) is an insidious technique for lateral movement and privilege escalation in Windows environments. This article explores how to unmask PtH by leveraging Windows …
Active Directory (AD) is crucial for identity and access management in enterprises, making it a prime target for attackers. A compromised AD can lead to …
Attackers are increasingly abusing legitimate Microsoft binaries like `InstallUtil.exe` to execute malicious code, blending into normal network operations for 'living off the land' (LOTL) lateral …
Active Directory (AD) and Group Policy Objects (GPOs) are vital for enterprise security and configuration. This article explores the silent threat of Group Policy hijacking, …
Discover how to leverage Windows Event Logs to detect and neutralize AMSI bypass techniques used by sophisticated fileless malware and obfuscated scripts.
PowerShell's immense power makes it a prime target for adversaries. Learn how advanced persistent threats bypass Constrained Language Mode (CLM) using runspaces and discover critical …
This article explores DLL sideloading, a sophisticated evasion technique used by attackers. Learn how to detect these stealthy threats, which attackers use to maintain persistence within compromised environments …
This article explores how attackers leverage DLL sideloading with legitimate applications to load malicious Dynamic Link Libraries. Learn to use Windows Event Logs for in-depth …
Active Directory is the backbone of enterprise security, but it's vulnerable to sophisticated threats like the Skeleton Key attack. This article explores how to unmask …
Attackers are increasingly leveraging legitimate system tools like `certutil.exe` for "Living Off The Land" (LOTL) strategies. This technique allows them to blend in, bypass security …
Attackers can leverage legitimate Microsoft signed binaries to load and inject malicious DLLs into running processes, effectively bypassing application whitelisting and endpoint security.
Advanced malware can execute PowerShell commands without ever calling powershell.exe, effectively bypassing many endpoint security solutions. This research explores the techniques used and how to …
Dynamic Data Exchange (DDE) is a legitimate Microsoft Office feature that attackers exploit to execute arbitrary commands without requiring macro-enabled documents.
Microsoft HTML Application Host (mshta.exe) and other HTML interpreters can be leveraged by attackers to execute malicious scripts while evading traditional security controls.