research blog

Threat hunting.
The most sophisticated actors.

Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.

Velociraptor Process Injection Hunting: Full Investigation Enrichment
Enriching Velociraptor injection findings by cross-referencing memory images, Windows event logs, filesystem artefacts, Zeek network telemetry, and lateral movement indicators into a complete investigation narrative.

Velociraptor Process Injection Hunting: Finding Executables Not Backed by Disk
A complete walkthrough of using Velociraptor VQL to detect process injection by finding anonymous executable memory regions, PE headers loaded without disk backing, and active threads executing injected code. Includes a full reusable hunt artefact.

Kernel-Level EDR Tampering: How Attackers Remove Your Visibility at the Source
Beyond BYOVD, attackers have multiple methods to tamper with EDR at the kernel level: callback removal, minifilter bypass, ETW provider patching, and kernel object manipulation. Each requires different detection approaches. This covers all of them.

Supply Chain Attacks and Trusted Binary Abuse: When Your Own Software is the Threat
Supply chain attacks compromise software before it reaches you. Trusted binary abuse exploits legitimately signed executables to deliver malicious payloads. Both are among the hardest techniques to detect because the initial indicator is valid software doing what it is supposed to do.

Golden Tickets, Silver Tickets, and Diamond Tickets: Forged Kerberos and How to Detect Them
A Golden Ticket forged with the krbtgt hash grants unlimited access to every service in the domain for 10 years. Silver Tickets are service-specific but require no DC contact at all. Diamond Tickets are a newer variant designed to evade Golden Ticket detection. This covers detection for all three.

Memory-Only Malware: Hunting Threats That Never Touch Disk
Fileless malware executes entirely in memory, leaving no binary for file-based scanning to find. PowerShell cradles, .NET reflection loading, shellcode injection, and process hollowing are all fileless techniques. This is how to detect execution that never touches disk.

WMI Persistence: Subscriptions That Survive Reboots and Evade Almost Every Checklist
WMI event subscriptions provide persistent code execution triggered by system events. They survive reboots, are stored in the WMI repository rather than the filesystem, and are invisible to most persistence checklists. This covers the technique, multiple variants, and detection.

Cross-Domain Identity Attacks: MFA Bypass, Help Desk Social Engineering, and Adversary-in-the-Middle
Vishing attacks increased 442% in the second half of 2024. SCATTERED SPIDER built an entire operation around calling help desks and impersonating employees to reset MFA. AiTM phishing steals session tokens after MFA completes. This covers how each technique works and how to detect them.

Living Off the Land at Scale: Hunting Attackers Who Blend Into Your Own Tools
81% of interactive intrusions in 2025 involved no malware. Attackers use your own administrative tools against you. Detecting this requires knowing what normal looks like well enough to spot the subtle differences. This is how to build that detection.

DCSync and DCShadow: Owning Active Directory Without Touching a DC
DCSync replicates every credential in Active Directory without logging on to a domain controller. DCShadow goes further -- it creates a rogue DC and injects objects into AD. Both techniques have specific detection signatures that most environments are not watching for.