// case type

account takeover (ATO)

credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.

tools: 16 · priority: H · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
  2. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  3. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  4. microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
  5. mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward/redirect · CSV export · runs locally
  6. password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
  7. credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
  8. sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. passive os fingerprinter from pcap: drop a pcap file · reconstruct the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
  2. tls ja3 fingerprinter: drop a pcap file · extract tls client hellos · compute ja3 fingerprints · identify known clients and malware · database of known fingerprints · runs locally
  3. user agent analyzer: paste user agent strings · parse browser · OS · device · version · detect bots · spoofed agents · crawlers · headless browsers · inconsistencies · runs locally
  4. github audit log analyzer: drop github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns, force pushes, secret scanning alerts and member changes · reconstruct git activity timeline · runs locally
  5. github audit log parser: json or jsonl audit export · action, actor, org, repo · repo, org, hook, oauth, protected branch, secret scanning · suspicious flags · export csv · runs locally
  6. aws cloudtrail forensic deep analyzer: drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
  7. aws cloudtrail log forensic analyzer: drop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse, privilege escalation, data exfiltration and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
  8. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • ATO — attacker fingerprint kit

    7 steps

    drop M365 / Okta / cloudtrail log exports → extract IPs + UAs + ASNs → dedupe → triage → timeline → report

    1. evidence-manifest-generator: hash raw audit-log exports — most identity providers don't re-issue them
    2. ioc-extractor: pull source IPs, user-agent fragments, originating ASNs from the log text
    3. ioc-deduplicator-normalizer: drop RFC1918 noise — what remains is the attacker's external infrastructure
    4. breach-ioc-normalizer: merge with any pre-existing IOC list from the IdP's threat-intel feed (if provided as input)
    5. ioc-bulk-validator-and-triage: score the remaining IPs — high-severity hits are the attacker's persistent infra
    6. forensic-timeline-builder: rebuild the login sequence so you can pinpoint the patient-zero session
    7. case-report-generator: draft a report identifying the persistence window + recommended revocations
  • ATO — JWT HS256 secret assessment

    5 steps

    drop captured JWT + wordlist export → HS256 bruteforce → extract session IOCs → timeline → report

    1. evidence-manifest-generator: hash the JWT artifact + wordlist before testing — investigative authorization required
    2. jwt-bruteforcer: batch HS256 verify against the provided wordlist — only tokens you are authorized to test
    3. ioc-extractor: pull IPs, user-agents, and session identifiers from accompanying audit logs
    4. forensic-timeline-builder: rebuild the login sequence around the compromised session window
    5. case-report-generator: draft a report documenting the token weakness + recommended revocations
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 6 more in this pattern match. browse the full forensics catalog via the forensics category.