// case comparison

tech support scam vs phishing

help desk gets 'user clicked something' reports. tech support scam ends in RDP/RMM install and gift-card payout on one victim; phishing campaign is org-wide lure with shared IOC infrastructure. one needs endpoint remote-access forensics; the other needs campaign IOC pivoting.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

tech support scam

pop-up → call center → remote-access install → gift-card / wire payout. evidence is RDP / RMM tooling and the call recording / payment.

  1. remote desktop log clearing and gap detector: drop rdp evtx csvs · detect rdp session log gaps · identify rdp channel clearing · surface rdp session reconstruction with cleared log indicators · runs locally
  2. rdp cache parser: drop .bmc/.bin cache files · RDP8 magic or legacy BGRA tiles · thumbnail grid · hide uniform tiles · export zip · runs locally
  3. live response tool execution artifact detector: drop prefetch, shimcache, amcache or 4688 evtx csv · detect live response and triage collection tool execution · identify when and how live response was performed · surface kape triage collector and incident response tool artifacts · runs locally
  4. LOLBin execution burst detector: drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
  5. browser history extractor: drop a Chrome or Firefox SQLite history DB · extract URLs · visit counts · timestamps · typed URLs · export CSV · runs locally
  6. browser extension analyzer: drop Chrome or Firefox extension folder or .crx · parse manifest · permissions · background scripts · content scripts · flag dangerous permissions · export report · runs locally
  7. chrome extension analyzer: drop crx or manifest.json · permissions audit · content scripts · risk score · script patterns · runs locally
  8. powershell deobfuscator: paste obfuscated powershell · base64 utf-16 · deflate gzip · concat replace · char arrays · multi-pass · iocs · runs locally

case b

phishing campaign investigation

scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.

  1. phishing email header analyzer: paste email headers · trace delivery hop chain · flag SPF · DKIM · DMARC mismatches · extract sender IPs · detect header injection · identify spoofing · runs locally
  2. phishing URL extractor from email body: drop eml files or paste email body html · extract all urls from email body and headers · decode obfuscated and redirected urls · surface phishing indicators and malicious link patterns · runs locally
  3. email attachment scanner: drop .eml or .msg · extract every attachment · check MIME type vs actual content · flag macro-enabled docs · executables disguised as other formats · export inventory · runs locally
  4. url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  5. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  6. ioc extractor: drop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
  7. ioc deduplicator and normalizer: drop multiple ioc lists from any format · deduplicate · normalize · classify by type · validate format · enrich with context · export in stix, csv and plain text formats · runs locally
  8. javascript deobfuscator: paste obfuscated javascript · packed js · fromcharcode · atob · hex unicode · beautify · html script extract · iocs · runs locally

editorial overlap

2 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward tech support scam if you see…

  • RDP cache artifacts or live-response tool execution on a single victim endpoint
  • browser pop-up history leading to call-center remote install — not org-wide lure URL pattern
  • cleared or gapped RDP session logs (what the remote desktop log clearing detector surfaces) or a gift-card payout demand tied to one device session

lean toward phishing if you see…

  • multiple users hitting the same lure URL or redirect chain in a short window
  • phishing kit fingerprint or shared IOC infrastructure across messages in the org
  • campaign IOC extraction from email exports — not isolated RDP/RMM install on one endpoint
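The disambiguation signals above reduce to two counts: how many distinct users hit the same lure URL inside a short window, and how many endpoints carry remote-access tooling and a payout demand. The triage helper below is an added example, not code from this comparison page or from any of the listed tools. It assumes you have already normalized help desk tickets, proxy or mail logs and endpoint artifacts into flat event records with `ts`, `user`, `host`, `kind` and `url` fields (field names and event kinds are assumptions); the sample events, the `.example` domains and the thresholds (3 users within 4 hours) are constructed.

```python
"""Triage helper: single-victim tech support scam vs org-wide phishing campaign.

Added example; the event schema, event kinds, thresholds and sample data are
constructed assumptions, not taken from any listed tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# endpoint remote-access signals (case a) and payout signals tied to a device
REMOTE_ACCESS_KINDS = {"rdp_install", "rmm_install", "rdp_cache_artifact", "rdp_log_gap"}
PAYOUT_KINDS = {"gift_card_demand", "wire_demand"}


def shared_lure_urls(events, window, min_users):
    """Return {url: users} for lure URLs hit by >= min_users distinct users
    inside any span no longer than `window` (sliding window over sorted hits)."""
    hits_by_url = defaultdict(list)
    for e in events:
        if e["kind"] == "lure_click":
            hits_by_url[e["url"]].append((e["ts"], e["user"]))
    shared = {}
    for url, hits in hits_by_url.items():
        hits.sort(key=lambda h: h[0])
        best = 0
        for i, (t0, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= min_users:
            shared[url] = best
    return shared


def triage(events, window=timedelta(hours=4), min_users=3):
    """Classify the event set and return (label, reasons).

    label is one of tech_support_scam, phishing_campaign, both_surfaces,
    undetermined; reasons lists the signals that drove the decision."""
    remote_hosts = {e["host"] for e in events if e["kind"] in REMOTE_ACCESS_KINDS}
    payout_hosts = {e["host"] for e in events if e["kind"] in PAYOUT_KINDS}
    shared = shared_lure_urls(events, window, min_users)
    reasons = []

    # case a signal: remote-access tooling confined to one endpoint
    single_victim = len(remote_hosts) == 1
    if single_victim:
        host = next(iter(remote_hosts))
        reasons.append(f"remote-access tooling on a single endpoint: {host}")
        if host in payout_hosts:
            reasons.append(f"payout demand tied to the same device session: {host}")

    # case b signal: many users on the same lure inside the window
    for url, n in shared.items():
        reasons.append(f"{n} distinct users hit {url} within {window}")

    if single_victim and not shared:
        return "tech_support_scam", reasons
    if shared and not single_victim:
        return "phishing_campaign", reasons
    if shared and single_victim:
        return "both_surfaces", reasons
    return "undetermined", reasons


# constructed sample data
T0 = datetime(2024, 1, 15, 9, 0)

SCAM_EVENTS = [
    {"ts": T0, "user": "alice", "host": "WS-01", "kind": "popup_visit", "url": "http://support-alert.example/"},
    {"ts": T0 + timedelta(minutes=20), "user": "alice", "host": "WS-01", "kind": "rmm_install", "url": None},
    {"ts": T0 + timedelta(minutes=50), "user": "alice", "host": "WS-01", "kind": "gift_card_demand", "url": None},
]

CAMPAIGN_EVENTS = [
    {"ts": T0 + timedelta(minutes=5 * i), "user": u, "host": f"WS-{i + 10:02d}",
     "kind": "lure_click", "url": "http://login-reset.example/owa"}
    for i, u in enumerate(["bob", "carol", "dave", "erin"])
]

if __name__ == "__main__":
    for name, evs in (("scam", SCAM_EVENTS), ("campaign", CAMPAIGN_EVENTS), ("mixed", SCAM_EVENTS + CAMPAIGN_EVENTS)):
        label, why = triage(evs)
        print(f"{name}: {label}")
        for r in why:
            print(f"  - {r}")
```

The pop-up visit in the scam sample is deliberately not a `lure_click`: one user's browser history leading to a call-center install is a case a signal, and only a URL shared across several users within the window counts toward case b. Tune `window` and `min_users` to the org's mail volume; a lower threshold catches smaller campaigns at the cost of flagging coincidental clicks.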