Grab Bag

This started out as a bit of an end-of-the-year grab bag of posts, but I don’t like simply linking to things, dropping links with no explanation as to why; instead, I’d rather share the why behind what I found interesting about the post or article.

And don’t worry…I know after 2025, there are folks out there expecting a flaming bag full of dog poop dropped off on their doorstep, but rest assured…this isn’t that.
Anyway, as I was working on this post, it just sort of rolled into 2026, so I’ll start off my first post of the year with a grab bag of things I found interesting right there at the end of 2025.
What’s in your Registry?
CloudSEK recently shared this write-up on Silver Fox; what I found most interesting was in the “Stage 2” subsection of “Stage 4 – Valley RAT”. Apparently, Valley RAT maintains configuration information in the following Registry path:
HKCU\Console
In addition, downloaded plugins are stored in the following path:
HKCU\Console\0\d33f351a4aeea5e608853d1a56661059
All of this means that not only can you get a great deal of info and develop a great deal of intel from the entries themselves, but because they live under HKCU, they’re also tied to a specific user account. When creating a timeline, paths like those used by the Valley RAT should really stand out.
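As an added example (not from the post or from CloudSEK), here is a small triage check that walks constructed timeline lines and flags HKCU\Console subkeys shaped like the Valley RAT ones. The naming heuristic is my assumption: legitimate HKCU\Console subkeys are named after console window titles, so purely numeric or 32-hex-character subkey names are out of place; the “timestamp|source|key path” format is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample timeline lines (not from the original post): "timestamp|source|key path".
# The two Valley RAT paths are the ones the post quotes; the rest are ordinary HKCU entries.
SAMPLE_TIMELINE = """\
2025-12-02 14:03:11|REG|HKCU\\Console
2025-12-02 14:03:11|REG|HKCU\\Console\\%SystemRoot%_system32_cmd.exe
2025-12-02 14:07:40|REG|HKCU\\Console\\0
2025-12-02 14:07:41|REG|HKCU\\Console\\0\\d33f351a4aeea5e608853d1a56661059
2025-12-03 09:15:02|REG|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

HKCU_PREFIX = re.compile(r"^(HKCU|HKEY_CURRENT_USER)\\", re.IGNORECASE)
NUMERIC = re.compile(r"^\d+$")
HEX_BLOB = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)   # 32 hex chars (MD5-length name)

def console_subkeys(key_path: str) -> Optional[List[str]]:
    """Return the subkey components below HKCU\\Console, or None if the path is elsewhere."""
    rel = HKCU_PREFIX.sub("", key_path.strip())
    parts = rel.split("\\")
    if not parts or parts[0].lower() != "console":
        return None
    return parts[1:]

def classify(key_path: str) -> Optional[str]:
    """Heuristic (an assumption, not from the post): HKCU\\Console subkeys normally carry
    window-title names; a purely numeric name or a 32-hex-char name is worth a look."""
    subs = console_subkeys(key_path)
    if not subs:
        return None
    reasons = []
    if NUMERIC.match(subs[0]):
        reasons.append("numeric subkey under Console")
    if any(HEX_BLOB.match(s) for s in subs):
        reasons.append("hex-blob-named subkey (possible plugin store)")
    return "; ".join(reasons) or None

def flag_console_keys(timeline: str) -> List[Tuple[str, str, str]]:
    """Walk timeline lines; return (timestamp, key path, reason) for suspicious Console keys."""
    findings = []
    for line in timeline.splitlines():
        if not line.strip():
            continue
        ts, _source, path = line.split("|", 2)
        reason = classify(path)
        if reason:
            findings.append((ts, path, reason))
    return findings

if __name__ == "__main__":
    for ts, path, reason in flag_console_keys(SAMPLE_TIMELINE):
        print(f"{ts}  {path}  <- {reason}")
```

The ordinary cmd.exe window-title key and the Run key pass through untouched; only the numeric “0” subkey and the hex-named subkey beneath it are reported.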
Speaking of Registry and persistence, DeceptIQ shared <
[…]

This article has been indexed from Windows Incident Response
