Part of a Sunday Funday answer – Microsoft Teams

I wanted to take a quick and dive into this week’s Sunday Funday challenge but didn’t have a whole lot of time, I basically set a timer for an hour or so at the end of the day and found as much as I could, and then compiled it all today. Gotta set a time limit or else the rabbit-hole never ends 🙂

Oleg has already shared his answer and done a decent amount of work to answering the questions. I’m not going to be reinventing the wheel a whole lot, just expanding on what has already been found.

(Note: I’m not going to be answering all of the questions)

Read More »

Applocker FTW

I was recently reviewing some event logs on a Windows server and noticed a few items that I hadn’t seen before. These events related to Applocker, which was released a long time ago, but I hadn’t really seen much in the forensic analysis space. This post will cover a brief intro to setting up Applocker, some resources for configuration, and some event logs that you should probably keep an eye out for.

Photo by Quenani Leal on

TLDR: Turn on applocker on servers you own (workstations too if your users wont kill you). Also look out for applocker events during your event log analysis!

Special thanks to Troy Larson for helping me out with this research

Read More »

Playing with the big chicken – (Velociraptor + AWS + Google Domains)

Did you know Velociraptors were about the size of a chicken and had feathers! Apparently the later was only discovered in 2007 according to this site, so we’ll give Jurassic Park a pass for now.

Screen Shot 2019-10-07 at 9.46.13 pm

Anyways, I wanted to have a play with Velociraptor and put together some instructions on how to spin it up in AWS and connect it to a Google Domain; so I grabbed the official documentation and worked through it.
Read More »