2025

  • Dameware Remote Everywhere Log Reference - 10-13-25

    An important part of an incident response investigation is reviewing logs. Whether they come from disparate, disconnected systems or from a central SIEM, log review is critical to understanding system and user activity and to gauging risk and impact. In this post, we’re going to look at Dameware Remote Everywhere logs.

  • It's Java All The Way Down - 10-06-25

    On October 5, 2025, Oracle posted about a freshly exploited CVE, Oracle E-Business Suite CVE-2025-61882. Let’s take a peek in this quick and dirty blog post.

  • Recipe For Adware - 06-06-25

    On June 2, 2025, @xorist posted a screenshot of some JavaScript code from a ‘recipe app’ in the InvokeRE community Discord. What followed was a rabbit hole of confusion, mysterious functionality, dashed dreams, more confusion, and ultimately culminated in Yahoo Search.

  • Using Rubeus And Certify To Unpac The Hash - 03-26-25

    Trying something new: a little bit of Rubeus, a little bit of Certify, a little bit of curiosity… Come check it out with me!

2024

  • Oops, Supply Chain Compromise! - Part 1 - 05-28-2024

    The year was 2022. Fresh into February and feeling good about the prospects for the days ahead. I had woken up around 7am, nothing unusual. Checking my email on my phone revealed news that was far more effective than any alarm clock. Much richer and more full-bodied than any cup of coffee. It was a threat hunting notice. A legitimate executable. A suspicious, but otherwise clean, domain. Something darker was lurking beneath the surface…

  • Microsoft Teams + DarkGate Malware = A Match Made In Heaven - Part 1 - 04-19-2024

    It was quite a mundane Monday. I had just signed off for the day and was looking forward to dinner plans with my family when a delightful email graced my inbox. It was an alert for some suspicious cscript activity on an endpoint that needed to be investigated. Not good.

  • The Case Of The Missing Method - 02-01-2024

    Today is a quick and fun one: we are going to look at an unassuming .vbs file titled “Scanned-REF23CR1103BILLED.vbs”. Surely legitimate business, right?

2023