research blog
Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.
Malicious PowerShell: What to Look For and Where to Find It
PowerShell is used in almost every modern intrusion at some point. Covering the logging setup you need and how to cut through the noise.
An intro to Webshells
Introduction Webshells, a deceptively simple yet powerful tool in the hands of cyber adversaries, pose a critical threat to web servers and the data they hold. These malicious scripts infiltrate vulnerable web applications, providing unauthorised remote access to attackers. In this technical blog, we will explore the inner workings of common webshells such as PHP-based […]
Unveiling the World’s Largest Security Threat: A Deep Dive into its Complex Mechanisms and How Threat Hunting is Essential
Introduction In the vast landscape of cybersecurity, one adversary looms above all others, the colossal and enigmatic world’s largest security threat. As we embark on this perilous journey, we must shed the allure of hyperbole and delve into the substance of this monolith. In this blog, we shall dissect the intricate layers of this formidable […]
Upgrading My Home Lab: Adding a SIEM Stack on a Budget
After running a basic VM setup for a year, how I stood up Elastic SIEM without spending money on hardware I did not need.
Rogue | HTB Forensics (Easy)
A pcap analysis challenge where credentials get stolen over an unencrypted protocol.
Amcache and Shimcache: The Artefacts Attackers Forget to Clean Up
Two Windows artefacts that consistently come up in investigations because attackers rarely think to clear them.
Building Useful Splunk Dashboards for a Home SOC
Most Splunk tutorials show dashboards with clean data. Real log data is messy. The searches that actually work.
DLL Side-Loading in Practice: A Walkthrough of a Real Sample
DLL side-loading keeps appearing in threat reports. Breaking down a sample that used a legitimate signed binary as a loader.
Intentions | HTB Forensics (Hard)
Three days. A heavily obfuscated PowerShell dropper, a second-stage payload living entirely in memory, and a flag hidden in a registry key that should not exist.
Windows Prefetch Files in Incident Response
Prefetch files can tell you what ran, when it ran, and sometimes from where, even after the original executable has been deleted.