This case study captures a classic example of attacker persistence using a built-in operating system feature: the Windows service framework. Through the lens of Event ID 7045, the attacker installed a background service named WinUpdateHelper, masked to resemble a legitimate update utility.
The case illustrates the power of structured host-based triage — beginning with logs and EDR, and moving through file inspection, RAM capture, and finally, network artifact confirmation.
This case study documents a stealthy credential-harvesting technique in which the attacker used a lightweight binary (browserdump.exe) to extract stored credentials from browser cache files—specifically Chrome and Edge—without elevating privileges or triggering persistence indicators.
Add a description, image, and links to the edr-analysis topic page so that developers can more easily learn about it.
To associate your repository with the edr-analysis topic, visit your repo's landing page and select "manage topics."