Sometimes you run into a case where an attacker uses a VPN to establish a reliable channel between the C2 server and the compromised IT infrastructure. As threat intelligence reports note, attackers often rely on the native Windows VPN client and Windows .pbk (phonebook) files rather than bringing their own tooling. Let's find out how we can detect this using a memory dump.
What is a .pbk file and what does it look like inside? It is just an INI-style text file: one [EntryName] section per connection, followed by Key=Value lines holding the many parameters used when the VPN connection is established (the remote server, the tunnel type, authentication options and so on).
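As an added illustration (not code from the original post), here is a small Python carver that finds .pbk entries inside an arbitrary byte buffer, such as a raw memory dump or a process memory region, and summarizes the fields an analyst wants first: where the tunnel connects and over which protocol. It scans both ANSI and UTF-16LE text, since the file can appear in either encoding in memory. The entry name, hostname and surrounding bytes in SAMPLE_DUMP are constructed for this example; the Type and VpnStrategy mappings are taken from the RASET_* and VS_* constants in ras.h, not from the post.

```python
"""Carve Windows RAS phonebook (.pbk) entries out of a raw byte buffer.

A .pbk file is INI-style text: a "[EntryName]" header followed by
"Key=Value" lines, terminated by a blank line. In a memory dump the
file usually survives as contiguous text, so a regex over the buffer
is enough to recover entries without a full file parser.
"""
import re

# Constants from ras.h (assumption: not from the original post).
# RASENTRY.dwType and RASENTRY.dwVpnStrategy.
ENTRY_TYPE = {1: "Phone", 2: "Vpn", 3: "Direct", 4: "Internet", 5: "Broadband"}
VPN_STRATEGY = {
    0: "Default", 1: "PptpOnly", 2: "PptpFirst", 3: "L2tpOnly", 4: "L2tpFirst",
    5: "SstpOnly", 6: "SstpFirst", 7: "Ikev2Only", 8: "Ikev2First",
}

# One phonebook entry: "[Name]" then one or more "Key=Value" lines.
ENTRY_RE = re.compile(
    rb"\[(?P<name>[^\]\r\n]{1,255})\]\r?\n"
    rb"(?P<body>(?:[A-Za-z_][A-Za-z0-9_]*=[^\r\n]*\r?\n)+)"
)


def _parse_body(body: bytes) -> dict:
    """Turn the Key=Value lines of one entry into a dict (later duplicates win)."""
    params = {}
    for line in body.decode("latin-1").splitlines():
        key, _, value = line.partition("=")
        params[key] = value
    return params


def _views(buf: bytes):
    """Yield byte views to scan: the raw buffer (ANSI text) plus the
    buffer narrowed from UTF-16LE at both possible alignments."""
    yield buf
    for off in (0, 1):
        text = buf[off:].decode("utf-16le", errors="ignore")
        yield text.encode("latin-1", errors="ignore")


def carve_pbk_entries(buf: bytes) -> list:
    """Return every plausible .pbk entry in buf as {'name': ..., 'params': {...}}.

    Arbitrary INI text (e.g. a .ini file also resident in memory) is rejected
    unless the entry carries the PBVersion and Type keys every RAS entry has.
    Entries seen in both encodings are reported once.
    """
    found, seen = [], set()
    for view in _views(buf):
        for m in ENTRY_RE.finditer(view):
            params = _parse_body(m.group("body"))
            if "PBVersion" not in params or "Type" not in params:
                continue
            name = m.group("name").decode("latin-1")
            key = (name, params.get("PhoneNumber", ""))
            if key in seen:
                continue
            seen.add(key)
            found.append({"name": name, "params": params})
    return found


def summarize(entry: dict) -> dict:
    """Pull out the fields that matter for triage of a suspicious tunnel."""
    p = entry["params"]

    def as_int(key):
        try:
            return int(p.get(key, ""))
        except ValueError:
            return None

    return {
        "name": entry["name"],
        "type": ENTRY_TYPE.get(as_int("Type"), p.get("Type")),
        "server": p.get("PhoneNumber"),      # hostname or IP of the VPN endpoint
        "device": p.get("DEVICE"),           # "vpn" for VPN entries
        "strategy": VPN_STRATEGY.get(as_int("VpnStrategy"), p.get("VpnStrategy")),
        "miniport": p.get("PreferredDevice") or p.get("Device"),
    }


# CONSTRUCTED sample: one entry as rasphone.pbk would store it, embedded in
# junk bytes, an unrelated INI fragment, and a UTF-16LE copy of the same entry.
SAMPLE_ENTRY = (
    b"[Corp VPN]\r\n"
    b"Encoding=1\r\nPBVersion=6\r\nType=2\r\nAutoLogon=0\r\nUseRasCredentials=1\r\n"
    b"VpnStrategy=8\r\nDataEncryption=8\r\n"
    b"PreferredDevice=WAN Miniport (IKEv2)\r\n"
    b"NETCOMPONENTS=\r\nms_msclient=1\r\nms_server=1\r\n"
    b"MEDIA=rastapi\r\nPort=VPN2-0\r\nDevice=WAN Miniport (IKEv2)\r\n"
    b"DEVICE=vpn\r\nPhoneNumber=vpn.example.net\r\nAreaCode=\r\nCountryCode=0\r\n"
    b"\r\n"
)
SAMPLE_DUMP = (
    b"\x00\x7f\x13MZ\x90\x00junk [notes]\r\nfoo=bar\r\n\r\n"
    + SAMPLE_ENTRY
    + b"\xff\xfe" + SAMPLE_ENTRY.decode("latin-1").encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for e in carve_pbk_entries(SAMPLE_DUMP):
        print(summarize(e))
```

On a real dump you would read the file in chunks (or memory-map it) and feed each chunk to carve_pbk_entries; the PBVersion/Type filter is what keeps ordinary INI files out of the results, and the PhoneNumber value is the first thing to check against your C2 indicators.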