Matt's DFIR Blog

1. WMI Event Consumers: what are you missing? » 12 Jan 2022
2. Cobalt Strike Payload Discovery And Data Manipulation In VQL » 09 Nov 2021
3. Windows IPSEC for endpoint quarantine » 23 Jul 2020
4. Local Live Response with Velociraptor ++ » 08 Dec 2019
5. Live response automation with Velociraptor » 10 Nov 2019
6. O365: Hidden InboxRules » 09 Jun 2019
7. Binary Rename 2 » 29 May 2019
8. Blue Team Hacks - Binary Rename » 12 May 2019
9. Live Response Script Builder » 07 Apr 2019
10. Powershell Download Cradles » 02 Apr 2018
11. Sharing my BITS » 18 Feb 2018
12. Invoke-LiveResponse » 14 Jan 2018
13. Blue Team Hacks - WMI Eventing » 03 Apr 2017
14. PowerShell Remoting and Incident Response » 12 Jan 2017