digital investigations – WindowsTechs.com

Hunting injected processes by the modules they keep

Posted on August 5, 2020 by davehull

A relatively recent post showed how Metasploit’s Meterpreter module made some noise on endpoints when the migrate command was used to move the agent code into a legitimate process, spoolsv.exe in our example.

One of the things we saw in that post was … Continue reading Hunting injected processes by the modules they keep→

Analyzing an Instance of Meterpreter’s Shellcode

Posted on July 26, 2020 by davehull

In my previous post on detecting and investigating Meterpreter’s Migrate functionality, I went down a rabbit hole on the initial PowerShell attack spawned by and Excel macro. In that payload was a bit of shellcode and I mentioned that I’d like to retur… Continue reading Analyzing an Instance of Meterpreter’s Shellcode→