/en/tags/windows/Recent content in Windows on Suspicious BytesHugoen-USSat, 30 May 2026 00:00:00 +0000/en/posts/detecting-lateral-movement/Sat, 30 May 2026 00:00:00 +0000/en/posts/detecting-lateral-movement/<p>Once an attacker has a foothold, the interesting part begins: moving from the first host toward whatever they actually came for. That east-west movement leaves traces if you know which events to join.</p> <h2 id="signals-worth-joining">Signals worth joining</h2> <p>Lateral movement rarely shows up as a single smoking-gun event. It emerges from correlation:</p> <ol> <li>Network logon events (<code>4624</code> type 3) from unusual sources</li> <li>Service or scheduled-task creation on the destination</li> <li>Remote process creation shortly after</li> </ol> <blockquote> <p>Correlate across hosts, not just within one. A single <code>4624</code> is noise; a chain of them following an account around the estate is a story.</p>/en/posts/triaging-suspicious-powershell/Tue, 12 May 2026 00:00:00 +0000/en/posts/triaging-suspicious-powershell/<p>An encoded PowerShell command in your process logs is not automatically malicious, but it always deserves a closer look. Here is how to triage one calmly.</p> <h2 id="what-raises-the-flag">What raises the flag</h2> <p>Certain flag combinations are unusual for a legitimate script and common for tradecraft:</p> <ul> <li><code>-EncodedCommand</code> (base64 payloads)</li> <li><code>-WindowStyle Hidden</code> and <code>-NonInteractive</code></li> <li><code>-ExecutionPolicy Bypass</code></li> </ul> <blockquote> <p>Decoding a payload is reading, not running. Decode in an isolated environment and never paste an unknown command back into a live shell.</p>