Most PowerShell-based attacks rely on the same trick: pass a Base64-encoded command, a string concatenation, or a script downloaded at ru...
Detecting Kerberoasting with Windows Event ID 4769
Kerberoasting (MITRE ATT&CK T1558.003) is one of the few credential-access techniques that produces a clean, on-prem audit signal —...
Sysmon Configuration for Windows Security Monitoring
Native Windows auditing covers a surprising amount of ground, but it has known gaps: no file hashes on process creation, no outbound netw...