<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>DFIR on bubka hacks stuff</title><link>https://hexpysya.github.io/tags/dfir/</link><description>Recent content in DFIR on bubka hacks stuff</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Wed, 15 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hexpysya.github.io/tags/dfir/index.xml" rel="self" type="application/rss+xml"/><item><title>Splunk-AWSRaid</title><link>https://hexpysya.github.io/blue_team/splunk-awsraid/</link><pubDate>Wed, 15 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-awsraid/</guid><description>An attacker conducted a brute-force attack to compromise the helpdesk.luke account, performed reconnaissance from various VPN IPs, exfiltrated sensitive data including customer backups and secrets, modified bucket permissions, and established persistence by creating an admin backdoor account.</description></item><item><title>Splunk-ShadowRoast</title><link>https://hexpysya.github.io/blue_team/splunk-shadowroast/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-shadowroast/</guid><description>A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.</description></item><item><title>HTB-Liberty</title><link>https://hexpysya.github.io/investigations/htb-liberty/</link><pubDate>Wed, 25 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-liberty/</guid><description>Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and 
PSWA backdoor installation for persistence.</description></item><item><title>THM-Phishing Unfolding</title><link>https://hexpysya.github.io/blue_team/thm-phishing-unfolding/</link><pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/thm-phishing-unfolding/</guid><description/></item><item><title>HTB-WorkFromHome</title><link>https://hexpysya.github.io/investigations/htb-workfromhome/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-workfromhome/</guid><description>A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.</description></item><item><title>HTB-EasyMoney</title><link>https://hexpysya.github.io/investigations/htb-easymoney/</link><pubDate>Thu, 05 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-easymoney/</guid><description>Administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing a payload and gaining shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant, establishing persistence via a scheduled task and maintaining communication.</description></item><item><title>HTB-LuckyShot</title><link>https://hexpysya.github.io/investigations/htb-luckyshot/</link><pubDate>Mon, 02 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-luckyshot/</guid><description/></item><item><title>HTB-MangoBleed</title><link>https://hexpysya.github.io/investigations/htb-mongobleed/</link><pubDate>Fri, 30 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-mongobleed/</guid><description/></item></channel></rss>