https://hexpysya.github.io/tags/event-viewer/Recent content in Event Viewer on bubka hacks stuffHugo -- gohugo.ioen-usWed, 25 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-liberty/Wed, 25 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-liberty/Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.https://hexpysya.github.io/investigations/htb-workfromhome/Mon, 16 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-workfromhome/A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.https://hexpysya.github.io/investigations/htb-easymoney/Thu, 05 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-easymoney/Administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing payload and gaining a shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant establishing persistence via a scheduled task and maintaining communicationhttps://hexpysya.github.io/investigations/htb-ghosttrace/Sat, 31 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-ghosttrace/Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.