Tag: Windows-Forensics | Yw4rf

2025-01-26

Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking

Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting NTLM Challenge/Response components, and performing hash cracking with Hashcat to recover the plaintext password, providing full context on the credential theft incident.

HackTheBox Sherlocks Threat-Hunting SOC Wireshark LLMNR-Poisoning Responder NTLMv2 Hashcat Windows-Forensics
2024-12-05

Volatility3 Analysis of a Credential Stealer Trojan

Detailed forensic analysis of a Windows memory dump compromised by the Amadey Trojan. This investigation utilizes Volatility3 to identify the main malicious process (lssass.exe), determine its location on the filesystem (Temp folder), confirm its nature via VirusTotal, track its C2C network connections (41.75.84.12), and discover persistence mechanisms (Scheduled Tasks and DLL payload execution via rundll32.exe).

CyberDefenders DFIR Digital-Forensics Endpoint-Forensics Memory-Analysis Volatility3 Amadey-Trojan C2C-Traffic Persistence-Mechanism Windows-Forensics