Microsoft SQL Server forensics and threat hunting guide covering registry paths, log locations, attack indicators, and configuration analysis for compromised SQL Server instances.
An investigation uncovered three distinct incidents where threat actors weaponized Velociraptor, a legitimate DFIR tool, for persistent command-and-control access. Attackers exploited SharePoint and WSUS vulnerabilities, installed Velociraptor as a Windows service communicating through Cloudflare tunnels, and deployed secondary tools including VS Code, OpenSSH, and TightVNC. One incident, linked to Storm-2603, resulted in Warlock ransomware deployment.
Automate IP and domain investigations with NetTriage, a Python tool that performs reputation lookups, DNS resolution, WHOIS checks, and passive DNS analysis for rapid threat triage.
Essential techniques for IP and domain investigations including reputation checks, WHOIS lookups, DNS inspection, passive intelligence, and payload retrieval for threat hunting and incident response.