research blog

Threat hunting.
The most sophisticated actors.

Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.

Using Velociraptor for Live Response on Windows
Velociraptor is free, fast, and genuinely useful for rapid triage. A walkthrough of setting it up and collecting artefacts from a simulated compromised host.
Hunting Cobalt Strike Beacons in Network Traffic
Cobalt Strike is everywhere in incident reports. Understanding the default beacon traffic patterns makes hunting it more approachable than most people expect.
Seized | HTB Forensics (Medium)
A disk image challenge involving a Windows host used to exfiltrate data. The interesting part was figuring out which file was the payload and which was a decoy.
Event ID 4688 and Why Process Auditing Matters More Than You Think
If you are not logging process creation with command line arguments enabled, you are missing a significant chunk of attacker activity.
Writing Your First Yara Rule: From Sample to Signature
Yara rules feel mysterious until you write one from scratch against a real malware sample.
Malicious PowerShell: What to Look For and Where to Find It
PowerShell is used in almost every modern intrusion at some point. Covering the logging setup you need and how to cut through the noise.
Webshells in the Wild: How They Get Installed and How to Find Them
Webshells are among the most persistent post-exploitation tools in web-facing attacks. This covers how they get installed, the most common variants, and the filesystem, process, and network indicators that give them away.
Why Proactive Threat Hunting Matters: A Primer
Waiting for alerts to fire means the attacker is already inside. This primer covers what proactive threat hunting actually means, how to form testable hypotheses, and the data sources you need before you can hunt anything.
Upgrading My Home Lab: Adding a SIEM Stack on a Budget
After a year on a basic VM setup, how I stood up Elastic SIEM without spending money on hardware I did not need.
Rogue | HTB Forensics (Easy)
A pcap analysis challenge where credentials get stolen over an unencrypted protocol.