This post explores some of the TTPs employed by a threat actor who was observed deploying ShadowPad during an incident response engagement.