research blog

Threat hunting.
The most sophisticated actors.

Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.

Reminiscent | HTB Forensics (Easy)
A complete walkthrough of the Reminiscent Easy forensics challenge on HackTheBox. The challenge provides a memory dump from a machine infected via a malicious email attachment; the write-up covers process tree analysis, base64 command decoding, and document recovery.
Top 10 Windows Process Injection Techniques: Detection and Analysis
A technical breakdown of all ten major Windows process injection techniques. Each one includes the API call sequence, the specific Sysmon and ETW telemetry it generates, working detection code, and a Sigma rule.
Finding Malicious Code Hidden in Windows Memory
Fileless malware and process injection leave no file on disk for AV to find. This covers memory forensics with Volatility 3 from first principles: acquiring an image, finding injected code with malfind, recovering credentials, and tracing network connections.
Windows Event Tracing with Logman: A Threat Hunter’s Guide
ETW sits underneath all modern EDR telemetry. This covers how event tracing works, how to capture sessions with Logman, which providers matter for security monitoring, and how attackers try to tamper with ETW to blind your tools.
ScareCrow: How This EDR Bypass Framework Works and How to Detect It
ScareCrow generates EDR-bypassing payloads using direct syscalls, certificate cloning, and careful loader construction. This breaks down each evasion layer, what telemetry it produces, and how to detect it at the kernel level.