Certified Defensive Security Analyst (CDSA)

A collection of the reports I have developed while preparing to take the CDSA exam from HTB.

Campfire

Recollection

Analysis of a memory dump (recollection.bin) from a compromised Windows 7 SP1 machine (USER-PC) revealed evidence of a multi-stage attack including clipboard hijacking, credential exfiltration, malware execution, and data theft via network shares. The timeline indicates the attacker gained initial access and executed obfuscated PowerShell commands to establish persistence and exfiltrate sensitive files.

Tracer

Detection of unauthorized PsExec lateral movement activity originating from the workstation FORELAWKSTN001. The investigation confirmed 9 separate PsExec execution instances, indicating sustained adversary activity and systematic lateral movement across the network. The adversary used the legitimate Microsoft Sysinternals PsExec tool (a Living Off The Land technique) to execute remote commands with SYSTEM privileges.

Trojan

A Windows 10 workstation (DESKTOP-38NVPD0) was compromised through user execution of malicious software masquerading as a legitimate data recovery tool. The malware was downloaded from a compromised website, established C2 communications, and downloaded a secondary payload. The investigation was conducted using memory forensics (Volatility 3), disk forensics (FTK Imager), and prefetch analysis (PECmd.exe).