Category: Incident Response

Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs

CrackMapExec is a popular tool that is used by attackers to move laterally throughout an environment. I use it personally on my penetration tests, as I’ve found that it does a really good job at moving from system to system without detection.  My goal with this blog post is to give defenders some techniques on…


Removing Backdoors – Powershell Empire Edition

                  I’m a big fan of Powershell Empire for penetration testing.   If you haven’t heard of it, it is a post-exploitation framework which uses powershell agents to run post-exploitation scripts on a target system.  This blog post is meant to address a small subset of the…