spynull.dev

CTI research, DFIR analysis, and detection engineering.

Demystifying Device Code Phishing

A Tier 1 walkthrough of device code phishing: what the flow is, how attackers abuse it in three steps, what it looks like in your Sentinel queue, and what to do when you see it.

April 26, 2026 · 10 min · Jonathan Lewter

My Top 5 DFIR Artifacts and How to Parse Them

When I first started getting into Windows forensics, the number of artifacts I was supposed to know felt ridiculous. Prefetch, MFT, Shimcache, Amcache, Registry hives, event logs — the list never seemed to end. And nobody was really telling me which ones actually mattered in practice and which ones were just good to know about in theory.

So this post is what I wish someone had handed me early on. These are the five artifacts I keep coming back to on real investigations. Not because they're the most obscure or impressive, but because they're reliable, well-supported by tooling, and between them they answer most of the questions you're going to have on a Windows case. ...

March 29, 2026 · 8 min · Jonathan Lewter