Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
This article will analyze the behavior of tools that need to be read from the memory of the Lsass.exe process in order to steal valuable accounting information. The author will investigate the behavior of Mimikatz while working as a stand-alone executable file and while working from memory (without a file script).
In the end, develop discovery artifacts (IOC, correlation rules, other signatures, etc.) that will allow us to capture most of the tricks used by the wizards of powershellmafia.
You can see in this article with the results of the work done. The next article will continue to explore other artifacts left after Mimikatz has been executed in memory, as well as what types of events are generated by tools like Invoke-Credential Injection.
More.
Please enter the result of the calculation above.
Save my name, email, and website in this browser for the next time I comment.
Δ
Speak to a Specialist Now
Get Help Now