Category: DFIR

Building a Home Lab for Threat Hunting and DFIR Practice
A walkthrough of setting up a home lab capable of supporting realistic DFIR and threat hunting practice. Covers hardware selection, network topology with VLANs, Sysmon configuration, and getting a full SIEM stack running on a budget.
Top 10 Windows Process Injection Techniques: Detection and Analysis
A technical breakdown of all ten major Windows process injection techniques. Each one includes the API call sequence, the specific Sysmon and ETW telemetry it generates, working detection code, and a Sigma rule.
Finding Malicious Code Hidden in Windows Memory
Fileless malware and process injection leave no file on disk for AV to find. This covers memory forensics with Volatility 3 from first principles: acquiring an image, finding injected code with malfind, recovering credentials, and tracing network connections.
Windows Event Tracing with Logman: A Threat Hunter’s Guide
ETW sits underneath all modern EDR telemetry. This covers how event tracing works, how to capture sessions with Logman, which providers matter for security monitoring, and how attackers try to tamper with ETW to blind your tools.
ScareCrow: How This EDR Bypass Framework Works and How to Detect It
ScareCrow generates EDR-bypassing payloads using direct syscalls, certificate cloning, and careful loader construction. This breaks down each evasion layer, what telemetry it produces, and how to detect it at the kernel level.