So this is fun. I rarely check the DEFAULT registry hive, but in a recent investigation I saw evidence of a Sysinternals tool in there, which gave me more confidence of program execution.
Usually this is in an NTUSER, but the attacker was executing through the apppool user. #DFIR
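The reason the marker turns up in DEFAULT: Sysinternals tools record EULA acceptance as an `EulaAccepted` value under `HKCU\Software\Sysinternals\<ToolName>`, and for a process running under an account whose profile is not loaded (a service or IIS application pool identity, for example) HKCU resolves to `HKEY_USERS\.DEFAULT`, which is backed by `C:\Windows\System32\config\DEFAULT` rather than a user's NTUSER.DAT. The following PowerShell is an added example, not code from the original post, that walks every hive currently loaded under HKEY_USERS (including `.DEFAULT`, and any offline hive you have mounted there with `reg load`) and reports each Sysinternals tool key it finds. The `Get-SysinternalsEulaMarkers` function name and the `HKU\OfflineDefault` mount name are my own choices; the Sysinternals key path and the hive file locations are the Windows defaults.

```powershell
# Added example (not from the original post): list Sysinternals EULA-acceptance
# markers in every hive loaded under HKEY_USERS, so a tool that ran as a
# service/app pool identity (HKCU -> .DEFAULT) is not missed when you only
# look at per-user NTUSER hives.

function Get-SysinternalsEulaMarkers {
    [CmdletBinding()]
    param()

    # Each child of HKEY_USERS is a loaded hive: user SIDs, .DEFAULT, and any
    # hive an analyst has mounted with 'reg load'. *_Classes keys are the
    # UsrClass.dat hives and never hold the Sysinternals key, so skip them.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $hive = $_.PSChildName
            $root = "Registry::HKEY_USERS\$hive\Software\Sysinternals"
            if (Test-Path -Path $root) {
                # One subkey per tool (e.g. PsExec, ProcDump); EulaAccepted = 1
                # means the tool was actually run under this hive's context.
                Get-ChildItem -Path $root | ForEach-Object {
                    $props = Get-ItemProperty -Path $_.PSPath
                    [PSCustomObject]@{
                        Hive         = $hive
                        Tool         = $_.PSChildName
                        EulaAccepted = $props.EulaAccepted
                        KeyPath      = $_.Name
                    }
                }
            }
        }
}

# Live system: run as an administrator so .DEFAULT is readable.
Get-SysinternalsEulaMarkers | Format-Table -AutoSize

# Offline image (hypothetical drive letter E:): mount the DEFAULT hive under
# HKEY_USERS and the same function picks it up; unload when finished.
#   reg load HKU\OfflineDefault E:\Windows\System32\config\DEFAULT
#   Get-SysinternalsEulaMarkers | Where-Object Hive -eq 'OfflineDefault'
#   reg unload HKU\OfflineDefault
```

Treat the `.DEFAULT` hit as a prompt to pivot: the account that ran the tool had no loaded profile, so look at the service and application pool identities on the host, and pull the key's last-write time from an offline hive parser to place the execution on your timeline, since `Get-ChildItem` does not expose it.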