{"id":192,"date":"2026-07-12T14:46:12","date_gmt":"2026-07-12T14:46:12","guid":{"rendered":"https:\/\/shaynepatelcybersecurityportfolio.online\/?p=192"},"modified":"2026-07-12T14:46:12","modified_gmt":"2026-07-12T14:46:12","slug":"click-to-compromise-dfir-foundations-write-up","status":"publish","type":"post","link":"https:\/\/shaynepatelcybersecurityportfolio.online\/?p=192","title":{"rendered":"Click to Compromise: DFIR Foundations Write-Up"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">As an SOC analyst, I see this attack pattern constantly: user downloads something they shouldn&#8217;t, PowerShell spawns, EDR fires, I triage, isolate, escalate, write it up. But there&#8217;s a layer underneath every one of those alerts that the SOC workflow rarely forces you to touch which are the raw packets, the memory image, the disk artifacts that the detection was built.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That gap is why I enrolled in Blue Cape Security&#8217;s <strong>DFIR Foundations and Techniques<\/strong> course, an 8-hour course taught by founder Markus Schober. It covers incident response and data collection techniques, applied forensic analysis, and the core tooling for a DFIR environment. I finished the course assessment with 92%, which gave me a clear map of where my triage instincts translated to forensics and where they didn&#8217;t.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Rather than let the concepts stay theoretical, I built out my own analysis utilizing a VM using tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Wireshark<\/strong> \u2014 PCAP analysis<\/li>\n\n\n\n<li><strong>Splunk<\/strong> \u2014 log analysis<\/li>\n\n\n\n<li><strong>CyberChef<\/strong> &#8211; data analysis\/manipulation<\/li>\n\n\n\n<li><strong>Velociraptor<\/strong> \u2014 endpoint collection<\/li>\n\n\n\n<li><strong>Volatility3<\/strong> \u2014 memory analysis<\/li>\n\n\n\n<li><strong>Eric Zimmerman&#8217;s tools<\/strong> \u2014 Windows artifact analysis<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Then I worked the course&#8217;s compromise scenario end-to-end. Below is the investigation, organized the way I&#8217;d actually brief it: three questions every IR needs to answer. <strong>How did they get in? How did they stay? What did they take?<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"200\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image.png\" alt=\"\" class=\"wp-image-194\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-300x62.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-768x158.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Scope<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In scope:<\/strong> CLIENT2 \u2014 <code>192.168.0.104<\/code>, user <code>alice<\/code><\/li>\n\n\n\n<li><strong>Timeframe:<\/strong> 2024-08-30 22:50:27 UTC onward<\/li>\n\n\n\n<li><strong>Environment:<\/strong> no AV or endpoint security enabled on the workstation by default<\/li>\n\n\n\n<li><strong>Reference hosts:<\/strong> <code>192.168.0.10<\/code> DC1 \u00b7 <code>192.168.0.1<\/code> Gateway + Splunk \u00b7 <code>192.168.0.104<\/code> CLIENT2<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Question 1: How did they get in?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The lure<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On August 30, 2024 at 22:56:20 UTC, the user Alice downloaded a file from:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http&#91;:]\/\/w1ndowsupdate.com:8000\/update.exe&#91;.]hta<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Two red flags before you even open a tool. First, the domain is <strong>typosquatted<\/strong> \u2014 &#8220;windows&#8221; spelled with a numeral 1. Second, the double extension(<code>.exe.hta<\/code>). An HTA (HTML Application) executes with full trust via <code>mshta.exe<\/code>, a classic living-off-the-land binary.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From the SOC side, I&#8217;d normally catch this as a DNS or proxy alert on a newly-registered\/lookalike domain or behavioral watchlist surrounding .mshta bevahior. But here I had no alert \u2014 just a PCAP. So the question becomes: can I reconstruct the delivery myself?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Confirming delivery in Wireshark<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">I started where you always should: <strong>Statistics \u2192 Conversations \/ Protocol Hierarchy<\/strong> to understand the shape of the traffic, then a <strong>DNS query<\/strong> for the download domain to resolve the attacker infrastructure.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip.addr == 3.140.33.120<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Filtering on that address surfaced the full HTTP conversation \u2014 CLIENT2&#8217;s GET to the domain, and the response delivering the file. Wireshark carves it straight out of the capture (<strong>File \u2192 Export Objects \u2192 HTTP<\/strong>), so I now had the actual <code>.hta<\/code> the victim executed, on my own analysis box.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"567\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-2.png\" alt=\"\" class=\"wp-image-196\" style=\"aspect-ratio:1.7196046444679014;width:795px;height:auto\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-2.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-2-300x174.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-2-768x447.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"844\" height=\"503\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-3.png\" alt=\"\" class=\"wp-image-197\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-3.png 844w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-3-300x179.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-3-768x458.png 768w\" sizes=\"auto, (max-width: 844px) 100vw, 844px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I also noticed traffic outside port 80 immediately \u2014 an early tell that this wasn&#8217;t going to end at the download. Flagged it, moved on to the payload.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 2: What did the payload do?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">First stage: the HTA stager<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"266\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-4.png\" alt=\"\" class=\"wp-image-198\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-4.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-4-300x82.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-4-768x210.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Opening the carved <code>.hta<\/code>, the structure identifies it as an <strong>initial stager<\/strong> \u2014 the first link in the kill chain. On execution it phones home, retrieves the real agent code, and runs it in memory via <code>IEX<\/code>. The encoded call decodes cleanly in CyberChef:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"826\" height=\"391\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-5.png\" alt=\"\" class=\"wp-image-199\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-5.png 826w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-5-300x142.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-5-768x364.png 768w\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>Base64: aAB0AHQAcAA6AC8ALwAzAC4AMQA0ADAALgAzADMALgAxADIAMAA6ADkAMAAwADEA\n      \u2192 http:\/\/3.140.33.120:9001<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">So the stager reaches back to <strong>3.140.33.120:9001<\/strong> and pulls the next stage from <code>\/login\/process.php<\/code>. Nothing touches disk beyond the initial <code>.hta<\/code> \u2014 the agent lives in memory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Fingerprinting the framework<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Pulling the HTTP indicators together gave a clean profile of the C2:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Indicator<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>C2 endpoint<\/td><td><code>3.140.33.120:9001<\/code> (AWS-hosted \u2014 verify against your own TI)<\/td><\/tr><tr><td>Full URL<\/td><td><code>http:\/\/3.140.33.120:9001\/login\/process.php<\/code><\/td><\/tr><tr><td>User-Agent<\/td><td><code>Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko<\/code><\/td><\/tr><tr><td>Cookie<\/td><td><code>MbQrWboBJij=v2\/3voIg4rUQ+JdKIqTSWsTshLk=<\/code><\/td><\/tr><tr><td>RC4 key<\/td><td><code>!hz%2x6mtC0AeYV,5Wju84\/[snLaXH_D<\/code><\/td><\/tr><tr><td>Framework<\/td><td><strong>PowerShell Empire<\/strong> \/ fork \u2014 RC4 staging, 4-byte IV-prepend protocol<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The RC4 staging key and the IV-prepend handshake are the signature. That User-Agent is Empire&#8217;s default. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 3: How did they stay \u2014 and escalate?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Network IOCs in hand, I pivoted to Splunk. Filtering to the malicious PowerShell <strong>Process GUID<\/strong> let me isolate that one process and follow it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Beaconing<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sysmon <strong>Event ID 3<\/strong> (network connection) off that process GUID showed the host hitting <code>3.140.33.120<\/code> on a <strong>one-second interval<\/strong> which textbook beaconing, confirmed with a <code>timechart count by DestinationPort<\/code> against the C2 destination. A fixed one-second cadence is loud; real operators add jitter, which is precisely why interval-based detections need tolerance windows rather than exact-match logic. (Straight into my detection-tuning notes.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence #1 \u2014 registry Run key (22:59:43)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Filtering the <em>non<\/em>-network events off the same GUID surfaced the persistence chain. A Run key under <strong>HKU<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>TargetObject: HKU\\...\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\nDetails: powershell.exe -c \"$x=$((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion Debug).Debug);\n         powershell -Win Hidden -enc $x\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note the tradecraft: the run key doesn&#8217;t <em>contain<\/em> the payload \u2014 it reads the real encoded command out of a <strong><code>Debug<\/code> registry value<\/strong> and executes it hidden. The payload hides in the registry; the run key is just a pointer. That&#8217;s a detail an &#8220;autoruns&#8221; glance would miss.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The escalation \u2014 SilentCleanup UAC bypass (23:00:21)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This was the most instructive artifact in the whole lab. In sequence:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>23:00:21  whoami.exe \/groups\n23:00:21  schtasks.exe \/Run \/TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup \/I<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><code>SilentCleanup<\/code> is a built-in scheduled task that <strong>auto-elevates<\/strong> \u2014 it runs with high integrity <em>without<\/em> a UAC prompt. Because parts of its execution path are attacker-controllable, triggering it is a well-documented <strong>UAC bypass<\/strong>. This isn&#8217;t housekeeping; it&#8217;s a privilege escalation disguised as disk cleanup.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"296\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-6.png\" alt=\"\" class=\"wp-image-200\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-6.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-6-300x91.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-6-768x233.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"210\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-7.png\" alt=\"\" class=\"wp-image-201\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-7.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-7-300x65.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-7-768x165.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The proof is in the very next relevant event:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>23:09:14  systeminfo.exe   \u2192  IntegrityLevel: High<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Post-SilentCleanup, the attacker&#8217;s commands are running at <strong>High<\/strong> integrity. That&#8217;s the elevation moment, caught in the timeline.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence #2 \u2014 the redundant SYSTEM task (23:01:14)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Not satisfied with one foothold, the attacker planted a second, stronger one:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>schtasks.exe \/Create \/F \/RU system \/SC ONLOGON \/TN Updater \/TR\n  \"powershell.exe -NonI -W hidden -c \\\"IEX (&#91;Text.Encoding]::UNICODE.GetString(\n   &#91;Convert]::FromBase64String((gp HKLM:\\Software\\Microsoft\\Network debug).debug)))\\\"\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Same read-from-registry trick as the run key, but escalated on every axis: runs as <strong>SYSTEM<\/strong>, triggers <strong>ONLOGON<\/strong>, and pulls its payload from <strong>HKLM<\/strong> (machine-wide) instead of HKU (per-user). Two independent persistence mechanisms reading from two different registry hives \u2014 if a responder kills one, the other survives.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Question 4: What did they take?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The collection and exfil sequence, all at High integrity:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>23:10:04  powershell -command compress-archive C:\\users\\alice\\documents\n          -destinationpath c:\\temp\\1.zip\n23:13:51  powershell -command remove-item -path C:\\Temp\\1.zip<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Archive Alice&#8217;s Documents to <code>C:\\Temp\\1.zip<\/code>, then delete the staging archive to cover the collection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The exfil itself showed up back in the packet capture \u2014 and here&#8217;s the detail worth pausing on. The stager beacons on <strong>9001<\/strong>, but the data movement was a separate TCP stream on <strong>port 9003<\/strong>. I built a <strong>Wireshark I\/O graph<\/strong> on destination port 9003 to visualize the transfer, then read the TCP conversation statistics: <strong>~4 MB<\/strong> moved to the external host.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"387\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-8-1024x387.png\" alt=\"\" class=\"wp-image-202\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-8-1024x387.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-8-300x113.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-8-768x290.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-8.png 1033w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In an enterprise incident you&#8217;d expect GB or TB, not megabytes but that&#8217;s exactly the teaching point. The analyst&#8217;s job is spotting the <em>outlier<\/em>, not a threshold. A steady 9003 stream that doesn&#8217;t match the 9001 beacon pattern is the anomaly, regardless of absolute size.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pivoting with Velociraptor<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With CLIENT2 confirmed, I used <strong>Velociraptor<\/strong> the way you would to scope an incident across a fleet:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hunted for <code>.hta<\/code> files<\/strong> dropped in user directories, confirming CLIENT2 (<code>C:\\Users\\alice\\Downloads\\update.exe.hta<\/code>) was the <strong>only<\/strong> host with the file, then pulling it directly for inspection.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"176\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-9.png\" alt=\"\" class=\"wp-image-203\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-9.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-9-300x54.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-9-768x139.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hunted scheduled tasks<\/strong> in the Tasks folder \u2014 surfacing the malicious <code>Updater<\/code> task.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"165\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-10.png\" alt=\"\" class=\"wp-image-204\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-10.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-10-300x51.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-10-768x130.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hunted Startup folders and Run keys<\/strong> \u2014 confirming the registry persistence at scale.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"307\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-11.png\" alt=\"\" class=\"wp-image-205\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-11.png 975w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-11-300x94.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2026\/07\/image-11-768x242.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This is the closing move of a real triage: network IOCs from the wire \u2192 SIEM to find <code>mshta<\/code> spawning <code>powershell.exe<\/code> across the environment \u2192 EDR\/Velociraptor to confirm scope and collect. Same muscle memory as production, just with me driving every tool instead of reading a detection summary.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Full timeline<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Time (UTC)<\/th><th>Event<\/th><\/tr><\/thead><tbody><tr><td>22:56:20<\/td><td><code>alice<\/code> downloads <code>update.exe.hta<\/code> from typosquatted <code>w1ndowsupdate.com:8000<\/code><\/td><\/tr><tr><td>\u2014<\/td><td>HTA stager executes, beacons to <code>3.140.33.120:9001<\/code>, pulls agent via <code>IEX<\/code><\/td><\/tr><tr><td>22:59:43<\/td><td>Persistence #1 \u2014 HKU <code>Run\\Updater<\/code> key (payload hidden in <code>Debug<\/code> value)<\/td><\/tr><tr><td>23:00:21<\/td><td><code>whoami \/groups<\/code>, then SilentCleanup <strong>UAC bypass<\/strong> triggered<\/td><\/tr><tr><td>23:01:14<\/td><td>Persistence #2 \u2014 SYSTEM \/ ONLOGON <code>Updater<\/code> task (payload in HKLM)<\/td><\/tr><tr><td>23:09:14<\/td><td><code>systeminfo<\/code> confirms <strong>High<\/strong> integrity \u2014 escalation successful<\/td><\/tr><tr><td>23:10:04<\/td><td>Alice&#8217;s Documents archived to <code>C:\\Temp\\1.zip<\/code><\/td><\/tr><tr><td>23:13:51<\/td><td>Staging archive deleted<\/td><\/tr><tr><td>\u2014<\/td><td>~4 MB exfiltrated over separate TCP stream on <strong>port 9003<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK Mapping<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Tactic<\/th><th>Technique<\/th><\/tr><\/thead><tbody><tr><td>Resource Development<\/td><td>T1583.001 \u2014 Acquire Infrastructure: Domains<\/td><\/tr><tr><td>Initial Access<\/td><td>T1566 \u2014 Phishing<\/td><\/tr><tr><td>Execution<\/td><td>T1204.002 \u2014 User Execution: Malicious File; T1059.001 \u2014 PowerShell; T1218.005 \u2014 Mshta<\/td><\/tr><tr><td>Persistence<\/td><td>T1547.001 \u2014 Registry Run Keys; T1053.005 \u2014 Scheduled Task<\/td><\/tr><tr><td>Privilege Escalation<\/td><td>T1548.002 \u2014 Bypass UAC (SilentCleanup)<\/td><\/tr><tr><td>Defense Evasion<\/td><td>T1027 \u2014 Obfuscated Files or Information; T1140 \u2014 Deobfuscate\/Decode; T1112 \u2014 Modify Registry; T1070.004 \u2014 Indicator Removal: File Deletion<\/td><\/tr><tr><td>Discovery<\/td><td>T1033 \u2014 System Owner\/User Discovery; T1082 \u2014 System Information Discovery<\/td><\/tr><tr><td>Command &amp; Control<\/td><td>T1071.001 \u2014 Application Layer Protocol: Web; T1573 \u2014 Encrypted Channel (RC4)<\/td><\/tr><tr><td>Collection<\/td><td>T1560.001 \u2014 Archive Collected Data<\/td><\/tr><tr><td>Exfiltration<\/td><td>T1041 \u2014 Exfiltration Over C2 Channel<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What this changes about how I work<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Visibility is the investigation.<\/strong> Every pivot above depended on evidence existing before the incident: PCAPs, Sysmon, process GUIDs to thread events together. On a box with no AV enabled, the logging was the only reason there was a story to tell at all. As a quick proof of that principle, I also ran <code>strings<\/code> against the memory capture and pulled every domain the host had visited straight from RAM. One command, no forensic suite. If the evidence exists, even trivial tooling talks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Detections have anatomy.<\/strong> I now know exactly what &#8220;beaconing detected&#8221; is built on, and therefore how it breaks: jitter, longer intervals, a second channel on a different port. Knowing that the exfil rode 9003 while the beacon sat on 9001 is the difference between triaging an alert and writing a better one.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Legitimate features are attack surface.<\/strong> The single sharpest lesson here was SilentCleanup. The attacker did not bring an exploit to escalate or a wiper to clean up. They used a built-in Windows maintenance task to bypass UAC, and read their real payloads out of the registry so persistence looked like a pointer, not a program. The adversary&#8217;s escalation path and staging were your own OS. That is what I will be looking for differently on Monday.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As an SOC analyst, I see this attack pattern constantly: user downloads something they shouldn&#8217;t, PowerShell spawns, EDR fires, I triage, isolate, escalate, write it up. But there&#8217;s a layer underneath every one of those alerts that the SOC workflow rarely forces you to touch which are the raw packets, the memory image, the disk [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=192"}],"version-history":[{"count":1,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":206,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions\/206"}],"wp:attachment":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}