Incident Response
DFIR
Decoding OWA Ids in On-Prem Exchange
How to decode OWA Id parameters from IIS logs to extract the PR_ENTRYID and identify specifically which emails were accessed in an on-prem Exchange environment.
DFIR
A Tale of an MSBuild In-Line Task
This post covers an incident response analysis of a malicious MSBuild in-line task file containing an embedded Cobalt Strike beacon DLL, including the method used to extract and statically analyze the payload.