research blog

Threat hunting.
The most sophisticated actors.

Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.

filter: all dfir hackthebox malware analysis threat hunting
DFIR 4 Nov 2025
Amcache and Shimcache: The Artefacts Attackers Forget to Clean Up
Two Windows artefacts that consistently come up in investigations because attackers rarely think to clear them.
Threat Hunting 28 Oct 2025
Building Useful Splunk Dashboards for a Home SOC
Most Splunk tutorials show dashboards with clean data. Real log data is messy. The searches that actually work.
Malware Analysis 21 Oct 2025
DLL Side-Loading in Practice: A Walkthrough of a Real Sample
DLL side-loading keeps appearing in threat reports. Breaking down a sample that used a legitimate signed binary as a loader.
HackTheBox 14 Oct 2025
Intentions | HTB Forensics (Hard)
Three days. A heavily obfuscated PowerShell dropper, a second-stage payload living entirely in memory, and a flag hidden in a registry key that should not exist.
DFIR 7 Oct 2025
Windows Prefetch Files in Incident Response
Prefetch files can tell you what ran, when it ran, and sometimes from where - even after the original executable has been deleted.
Threat Hunting 30 Sep 2025
Detecting Mimikatz Without Signature-Based Rules
Mimikatz has hundreds of variants and most AV signatures fall behind. Behavioural detection approaches that catch it regardless of version.
DFIR 23 Sep 2025
My Windows DFIR Checklist for Initial Triage
After working through enough incidents and CTF challenges, a checklist that covers the things that matter most in the first 30 minutes.
DFIR 16 Sep 2025
Building a Home Lab for Threat Hunting and DFIR Practice
A walkthrough of setting up a home lab capable of supporting realistic DFIR and threat hunting practice. Covers hardware selection, network topology with VLANs, Sysmon configuration, and getting a full SIEM stack running on a budget.
HackTheBox 9 Sep 2025
PersistenceIsFutile | HTB Forensics (Moderate)
A walkthrough of PersistenceIsFutile on HackTheBox. Eight backdoors on a compromised Linux server with no documentation left behind. Systematic enumeration of persistence mechanisms from obvious to kernel-level.
HackTheBox 2 Sep 2025
Obscure | HTB Forensics (Easy)
A walkthrough of the Obscure Easy forensics challenge on HackTheBox. An obfuscated PHP webshell uploaded to a compromised Apache server. Deobfuscation, traffic analysis, and flag recovery through Wireshark.