Overview Command and control (C2 or C&C) refers to the communication and coordination between a cyber attacker and the infrastructure they use to launch an attack. This infrastructure can incl...

Overview The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected fro...

Overview Link-Local Multicast Name Resolution (LLMNR) and the previous iteration of the service called NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate method...

Overview Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP a...

A question that is typically raised during and post breach investigation is what event logs should be monitored, collected or enabled. The below list aims to provide a cheat sheet of sorts to highl...

Overview Attackers use man-in-the-middle (AiTM/MITM) techniques to attempt to position themselves between two or more networked devices to facilitate follow-up actions such as network sniffing and...

Overview AppCompatCacheParser is a command line tool developed by Eric Zimmerman, to process the ShimCache (AppCompatCache) on Windows operating systems, identifying items such as: Executable ...

Overview Structured Query Language (SQL) is designed for managing data held in a relational database management system (RDBMS). It is particularly useful in handling structured data, i.e. data inc...

Overview The File Transfer Protocol (FTP) is a common protocol that is used across all operating systems to aid in remote file transfers between a client and server. FTP is a plaintext protocol, m...

Overview Relational and Non-Relational databases are a valuable target for attackers, with sensitive information often stored within the database tables such as Personally Identifiable Information...