research blog

Threat hunting.
The most sophisticated actors.

Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.

filter: all dfir hackthebox malware analysis threat hunting
Threat Hunting 31 Mar 2026
WMI Persistence: Subscriptions That Survive Reboots and Evade Almost Every Checklist
WMI event subscriptions provide persistent code execution triggered by system events. They survive reboots, are stored in the WMI repository rather than the filesystem, and are invisible to most persistence checklists. This covers the technique, multiple variants, and detection.
Threat Hunting 24 Mar 2026
Cross-Domain Identity Attacks: MFA Bypass, Help Desk Social Engineering, and Adversary-in-the-Middle
Vishing attacks increased 442% in the second half of 2024. SCATTERED SPIDER built an entire operation around calling help desks and impersonating employees to reset MFA. AiTM phishing steals session tokens after MFA completes. This covers how each technique works and how to detect them.
Threat Hunting 17 Mar 2026
Living Off the Land at Scale: Hunting Attackers Who Blend Into Your Own Tools
81% of interactive intrusions in 2025 involved no malware. Attackers use your own administrative tools against you. Detecting this requires knowing what normal looks like well enough to spot the subtle differences. This is how to build that detection.
Threat Hunting 10 Mar 2026
DCSync and DCShadow: Owning Active Directory Without Touching a DC
DCSync replicates every credential in Active Directory without logging on to a domain controller. DCShadow goes further -- it creates a rogue DC and injects objects into AD. Both techniques have specific detection signatures that most environments are not watching for.
Threat Hunting 3 Mar 2026
Kerberoasting and Its Modern Variants: Why Classic Detection Still Misses Half the Attacks
Classic Kerberoasting detection looks for RC4 TGS requests. Attackers switched to AES years ago. Targeted Kerberoasting, roasting with machine accounts, and AS-REP roasting all have different signatures. This covers all variants and how to hunt each one.
Threat Hunting 24 Feb 2026
BYOVD: Bring Your Own Vulnerable Driver — Killing EDR at the Kernel Level
Bring Your Own Vulnerable Driver is now standard ransomware tradecraft. The attacker loads a legitimate but vulnerable signed driver, uses it to gain kernel execution, and kills your EDR before you know they are there. This is how to hunt for it.
DFIR 17 Feb 2026
Credential Dumping from LSASS: What the Logs Actually Show
Most guides on LSASS credential dumping focus on the attacker side. This one focuses on what you actually see in the event logs when it happens in your environment.
Threat Hunting 10 Feb 2026
Getting Started with Zeek for Network Threat Hunting
Zeek is one of those tools that looks overwhelming at first. After a few weeks of using it in a lab environment, here is how I actually got it to a useful state.
HackTheBox 3 Feb 2026
Lockpick 3.0 | HTB Forensics (Hard)
A ransomware decryption challenge where the encryption scheme looks custom at first but turns out to be a misused AES implementation.
Threat Hunting 27 Jan 2026
Writing Sigma Rules That Actually Work
A week of trialling Sigma rules against a real lab environment. A lot of public rules are too noisy to be useful without tuning.