Threat Hunting

DCSync replicates every credential in Active Directory without logging on to a domain controller. DCShadow goes further -- it creates a rogue DC and injects objects into AD. Both techniques have specific detection signatures that most environments are not watching for.

Classic Kerberoasting detection looks for RC4 TGS requests. Attackers switched to AES years ago. Targeted Kerberoasting, roasting with machine accounts, and AS-REP roasting all have different signatures. This covers all variants and how to hunt each one.

Bring Your Own Vulnerable Driver is now standard ransomware tradecraft. The attacker loads a legitimate but vulnerable signed driver, uses it to gain kernel execution, and kills your EDR before you know they are there. This is how to hunt for it.

Zeek is one of those tools that looks overwhelming at first. After a few weeks of using it in a lab environment, here is how I actually got it to a useful state.

A week of trialling Sigma rules against a real lab environment. A lot of public rules are too noisy to be useful without tuning.

Cobalt Strike is everywhere in incident reports. Understanding the default beacon traffic patterns makes hunting it more approachable than most people expect.

Yara rules feel mysterious until you write one from scratch against a real malware sample.

PowerShell is used in almost every modern intrusion at some point. Covering the logging setup you need and how to cut through the noise.

Waiting for alerts to fire means the attacker is already inside. This primer covers what proactive threat hunting actually means, how to form testable hypotheses, and the data sources you need before you can hunt anything.

Most Splunk tutorials show dashboards with clean data. Real log data is messy. The searches that actually work.