OrcID: 0000-0001-8875-3362 PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS MCITP: Enterprise AdministratorCCNA, CCNP (R&S , Security)ISO/IEC 27001 Lead Auditor

Windows Artifacts for Forensics Investigation

Generic Windows Artifacts Windows 10 Notifications In the path \Users\<username>\AppData\Local\Microsoft\Windows\Notifications you can find the database appdb.dat (before Windows anniversary) or wpndatabase.db (after Windows Anniversary). Inside this SQLite database you can find the Notification table with all the notifications (in xml format) that may contain interesting data. Timeline Timeline is a …

Read More »

Windows Processes Investigation

smss.exe It’s called Session Manager. Session 0 starts csrss.exe and wininit.exe (OS services) while Session 1 starts csrss.exe and winlogon.exe (User session). However, you should see only one process of that binary without children in the processes tree. Also, more sessions apart from 0 and 1 may mean that RDP …

Read More »

PrintNightmare CVE-2021-34527 exploit Mitigation to keep your Print Servers running while Microsoft Patch Doesn’t Really work Effectively

A regular domain user can easily take over the entire Active Directory domain. While we still recommend that the print spooler service should be disabled on any system that does not need it, we also want to provide a temporary workaround to make the exploit ineffective, while allowing you to …

Read More »

Dumping RDP Credentials

Administrators typically use Remote Desktop Protocol (RDP) in order to manage Windows environments remotely. It is also typical RDP to be enabled in systems that act as a jumpstation to enable users to reach other networks. However even though this protocol is widely used most of the times it is …

Read More »

Active Directory Exploitation [EVERYTHING]

Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalation Lateral Movement Powershell Remoting Remote Code Execution with PS Credentials Import a powershell module and execute its functions remotely Executing Remote Stateful commands Mimikatz Useful Tools Domain Privilege …

Read More »