This case study analyzed a stealthy host-based compromise in which the attacker exploited the trusted Windows binary `mshta.exe` to execute a remotely hosted, obfuscated JavaScript payload. The attacker’s strategy was notable not for brute force or privilege escalation, but for quiet persistence and clever abuse of native system behavior.
This IOC captures the reconnaissance stage of the cyber kill chain, a foundational stage in which the attacker has not yet breached the system but is actively probing to discover what might be open, unguarded, or improperly exposed.
In this second case study of the structured IOC triage series, we examined a subtle but dangerous host-based compromise involving the abuse of the Windows utility `rundll32.exe` to execute a malicious DLL payload.
An attacker deploys an "evil twin" Wi-Fi access point with the same SSID (network name) as a legitimate network. Devices auto-connect to it because they remember the familiar SSID. The attacker silently captures the WPA2/WPA3 four-way handshake as the client connects.
This case study demonstrates how a seemingly benign protocol — DNS — can be subverted into a covert exfiltration channel when outbound traffic is tightly restricted.
This repository documents real-world forensic triage cases involving the abuse of legitimate Windows binaries—also known as LOLBins—for malicious purposes.
This case study documents an advanced persistence technique involving a scheduled task launching base64-encoded PowerShell, used to execute malicious commands without dropping traditional malware to disk.