/en/tags/incident-response/Recent content in Incident-Response on Suspicious BytesHugoen-USThu, 21 May 2026 00:00:00 +0000/en/posts/anatomy-of-a-phishing-incident/Thu, 21 May 2026 00:00:00 +0000/en/posts/anatomy-of-a-phishing-incident/<p>Most intrusions still start with someone clicking a link. This is a sanitised walk-through of a credential-phishing case and the timeline that mattered.</p> <h2 id="the-timeline">The timeline</h2> <p>Incident response lives and dies by an accurate timeline. Reconstruct it before you theorise:</p> <ol> <li><strong>08:42</strong> — user reports a &ldquo;mailbox full&rdquo; email</li> <li><strong>08:55</strong> — same template seen by twelve other recipients</li> <li><strong>09:10</strong> — one set of credentials submitted to the fake portal</li> <li><strong>09:13</strong> — successful logon from a foreign ASN</li> </ol> <blockquote> <p>The goal of triage is not to find everything. It is to answer one question fast: did anything actually succeed?</p>/en/posts/triaging-suspicious-powershell/Tue, 12 May 2026 00:00:00 +0000/en/posts/triaging-suspicious-powershell/<p>An encoded PowerShell command in your process logs is not automatically malicious, but it always deserves a closer look. Here is how to triage one calmly.</p> <h2 id="what-raises-the-flag">What raises the flag</h2> <p>Certain flag combinations are unusual for a legitimate script and common for tradecraft:</p> <ul> <li><code>-EncodedCommand</code> (base64 payloads)</li> <li><code>-WindowStyle Hidden</code> and <code>-NonInteractive</code></li> <li><code>-ExecutionPolicy Bypass</code></li> </ul> <blockquote> <p>Decoding a payload is reading, not running. Decode in an isolated environment and never paste an unknown command back into a live shell.</p>