justruss.tech
Category: Threat Hunting
Threat Hunting
21 Jun 2026
Hunting Sleeping Giants: Detecting Encrypted Beacon Sleep Obfuscation
How Gargoyle, FOLIAGE and Ekko implement sleep obfuscation — and the detection layers that catch them. Primary source: Kyle Avery DEF CON 30.
DFIR
24 May 2026
Automating Memory Analysis with Volatility: One Script, Complete Results
A complete guide to automating single memory image analysis with Volatility 2 and 3. Covers when to use each version, parallel plugin collection, anomaly detection logic, IOC extraction, Yara scanning, and a full pipeline that produces an HTML report and structured JSON from a single command. Supports both Windows and Linux images.
Threat Hunting
14 May 2026
Running a Local LLM for Threat Hunting: Setup, Models, and Real Workflows
A complete guide to setting up a local large language model for security work across three hardware tiers: Apple Silicon, consumer GPU, and CPU-only. Covers Ollama, Open WebUI, model selection, and practical threat hunting workflows including log analysis, Sigma rule generation, and VQL assistance.
Threat Hunting
7 May 2026
Thinking Like an Adversary: Using ATT&CK to Build a Threat Hunt Scope
Effective threat hunting starts before you open the SIEM. This covers how to think through attacker decision-making, map realistic technique selections to your specific environment, build a coverage gap analysis against MITRE ATT&CK, and convert the gaps into a prioritised, testable hunt plan.
Threat Hunting
28 Apr 2026
Kernel-Level EDR Tampering: How Attackers Remove Your Visibility at the Source
Beyond BYOVD, attackers have multiple methods to tamper with EDR at the kernel level: callback removal, minifilter bypass, ETW provider patching, and kernel object manipulation. Each requires different detection approaches. This covers all of them.
Threat Hunting
21 Apr 2026
Supply Chain Attacks and Trusted Binary Abuse: When Your Own Software is the Threat
Supply chain attacks compromise software before it reaches you. Trusted binary abuse exploits legitimately signed executables to deliver malicious payloads. Both are among the hardest techniques to detect because the initial indicator is valid software doing what it is supposed to do.
Threat Hunting
14 Apr 2026
Golden Tickets, Silver Tickets, and Diamond Tickets: Forged Kerberos and How to Detect Them
A Golden Ticket forged with the krbtgt hash grants unlimited access to every service in the domain for 10 years. Silver Tickets are service-specific but require no DC contact at all. Diamond Tickets are a newer variant designed to evade Golden Ticket detection. This covers detection for all three.
Threat Hunting
7 Apr 2026
Memory-Only Malware: Hunting Threats That Never Touch Disk
Fileless malware executes entirely in memory, leaving no binary for file-based scanning to find. PowerShell cradles, .NET reflection loading, shellcode injection, and process hollowing are all fileless techniques. This is how to detect execution that never touches disk.
Threat Hunting
31 Mar 2026
WMI Persistence: Subscriptions That Survive Reboots and Evade Almost Every Checklist
WMI event subscriptions provide persistent code execution triggered by system events. They survive reboots, are stored in the WMI repository rather than the filesystem, and are invisible to most persistence checklists. This covers the technique, multiple variants, and detection.
Threat Hunting
24 Mar 2026
Cross-Domain Identity Attacks: MFA Bypass, Help Desk Social Engineering, and Adversary-in-the-Middle
Vishing attacks increased 442% in the second half of 2024. SCATTERED SPIDER built an entire operation around calling help desks and impersonating employees to reset MFA. AiTM phishing steals session tokens after MFA completes. This covers how each technique works and how to detect them.