Pass-the-Hash detection with Sysmon — comprehensive monitoring and response guide

Pass-the-Hash Detection with Sysmon: Event Guide (2026)

Pass-the-Hash attacks represent the most critical lateral movement vector in Windows environments, turning a single compromised endpoint into domain-wide catastrophe within hours. An attacker dumps NTLM hashes from memory using tools like Mimikatz, then authenticates to remote systems without cracking passwords — bypassing detection mechanisms focused on failed login attempts. Sysmon Event ID 10 provides the definitive detection capability for credential dumping by monitoring process memory access against the Local Security Authority Subsystem Service (LSASS). This guide delivers comprehensive Pass-the-Hash detection with Sysmon: configuration for memory access monitoring, analysis patterns for LSASS interactions, SIEM integration strategies, and incident response workflows that stop lateral movement before attackers achieve domain persistence. ...

June 8, 2026 · 14 min · 2833 words · CyberSecurity Elite Team
BtSCTF 2026 FCP writeup — CTF challenge breakdown

BtSCTF 2026 FCP: Recover In-Memory RSA Key, Decrypt Resumed TLS

Platform BreakTheSyntax CTF 2026 Difficulty Hard OS Linux Tags TLS, RSA, Go memory forensics, EMS PRF, session resumption FCP was a multi-step reverse-engineering and network-forensics challenge. You get a Go MCP (“Model Context Protocol”) server binary plus a PCAP of someone using it earlier. Buried in the capture is a get_flag call — but the live server’s get_flag endpoint has been rewritten to just return "no", so re-running it is useless. The challenge is to decrypt the historical traffic. Two specific design choices make this both possible and nontrivial. ...

May 16, 2026 · 8 min · 1498 words · CyberSecurity Elite Team
Volatility 3 memory forensics tutorial

Memory Forensics with Volatility 3: A Hands-On Tutorial

Memory forensics catches what disk forensics misses — running malware, in-RAM credentials, injected processes, and rootkit hooks. Volatility 3 modernized the framework with Python 3, symbol-driven analysis, and a cleaner plugin model. Here’s how to actually use it. Acquiring Memory Windows: WinPmem, FTK Imager, or DumpIt. Linux: LiME or AVML. Always: ...

April 8, 2026 · 3 min · 508 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap