Field Notes

Case notes and artifacts

Short, indexable notes from investigations: telemetry, odd artifacts, tradecraft observations, and quick pivots that do not need a full blog post.

  1. Endpoint investigation: process, network, and file telemetry

    Nezha RMM and a suspicious vmtools.exe SOCKS5 proxy

    A short investigation note on a host where a Nezha RMM agent (a Chinese-developed open-source monitoring and remote-management tool) led to a Node.js runtime mislabeled as vmtools.exe, a SOCKS5 proxy payload, and a PowerShell collection script.

    Observed:
    • Nezha RMM
    • Fake Windows Spooler service
    • Mislabeled vmtools.exe Node runtime
    • SOCKS5 proxy payload
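    A quick host-side triage for the two artifacts above, added here as an example and not taken from the note itself. It assumes the fake service imitates the Print Spooler by name (the note does not say how it was named), and that the mislabeled runtime is a renamed node.exe, whose PE version resource still reports Node.js in ProductName/OriginalFilename. The search roots and the baseline path for spoolsv.exe are assumptions, not values from the investigation.

```powershell
# Added triage check; not from the original field note.
# Assumptions: the impostor service carries "Spool" in its name or display name,
# and the Node runtime on disk is a renamed node.exe whose version resource
# still identifies Node.js.

# 1. Services that look like the Print Spooler but do not run System32\spoolsv.exe.
$expectedSpooler = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*Spool*' -or $_.DisplayName -like '*Spool*' } |
    ForEach-Object {
        # PathName may be quoted and carry arguments; keep only the executable.
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            StartName   = $_.StartName
            State       = $_.State
            ImagePath   = $exe
            Suspicious  = ($exe -ne $expectedSpooler)
        }
    } | Where-Object Suspicious | Format-Table -AutoSize

# 2. Any file named vmtools.exe: VMware Tools ships vmtoolsd.exe, so the name alone
#    is worth a look. Flag it outright when the version resource says Node.js.
#    Search roots are an assumption; widen them if the host layout differs.
$roots = @("$env:ProgramData", "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemDrive\Users", "$env:SystemRoot")
Get-ChildItem -Path $roots -Filter 'vmtools.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        [pscustomobject]@{
            Path             = $_.FullName
            SizeBytes        = $_.Length
            Created          = $_.CreationTimeUtc
            OriginalFilename = $vi.OriginalFilename
            ProductName      = $vi.ProductName
            CompanyName      = $vi.CompanyName
            Sha256           = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            NodeRuntime      = ($vi.ProductName -like '*Node*' -or $vi.OriginalFilename -like 'node*')
        }
    } | Format-List
```

    Run it elevated so service image paths and Program Files are readable; the SHA256 goes straight into the case notes for pivoting to other hosts.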

    #nezha #rmm #socks5 #dfir #c2