filter: 56 entries
Detection Guide T1134 2026-07-10
Detecting Windows Access Token Impersonation: T1134 Sigma Rules and KQL
Access token manipulation (T1134) lets attackers run processes as SYSTEM, other users, or privileged service accounts without knowing passwords. This guide covers the key sub-techniques, detection telemetry, and production-ready Sigma and KQL rules for catching token theft and impersonation.
Hunt Playbook T1566.002 2026-07-09
Hunt Playbook: Detecting Interlock Ransomware from ClickFix to Encryption
Interlock ransomware uses ClickFix social engineering to deliver initial access, then moves through credential theft, lateral movement, and data exfiltration before deploying its encryptor. This playbook covers the full kill chain with Sigma rules and KQL queries at each stage.
Detection Guide 2026-07-08
Detecting BlueHammer (CVE-2026-33825): Microsoft Defender LPE in Ransomware Campaigns
CVE-2026-33825 'BlueHammer' is a Microsoft Defender race condition that grants SYSTEM from an unprivileged user. CISA confirmed it is now actively exploited in ransomware pre-deployment. This guide covers detection logic, Sigma rules, and KQL for Sentinel and Defender XDR.
Detection Guide 2026-07-07
Detecting RDP Lateral Movement: T1021.001 Detection with Sigma and KQL
Remote Desktop Protocol is one of the most-abused lateral movement vectors in enterprise networks. This guide covers RDP-based lateral movement mechanics, the event telemetry defenders need, and practical Sigma and KQL detection rules for hunting RDP pivots.
Detection Guide T1486 2026-07-06
Detecting VMware ESXi Ransomware: Hypervisor Attack Patterns and Detection Coverage
Ransomware groups targeting VMware ESXi directly bypass endpoint agents and encrypt all hosted VMs simultaneously. This guide covers the attack chain used by REDBIKE (Akira) and AGENDA (Qilin), ESXi-specific detection opportunities in syslog and vCenter logs, and Sigma rules for identifying hypervisor-level ransomware staging.
Detection Guide T1202 2026-07-05
Detecting Qilin's WSL Evasion, BYOVD, and Chrome Credential Harvesting
Qilin has become the most active ransomware group of mid-2026, claiming 500+ victims using a layered evasion stack: WSL-based Linux execution to bypass EDR hooks, BYOVD driver abuse to disable defences, and Chrome credential harvesting via PowerShell GPO. This guide covers detection logic for all three techniques.
Hunt Playbook 2026-07-04
Hunting AI Coding Agent Compromise: Detecting Autonomous Attack Patterns in Enterprise Logs
Following Anthropic's disclosure of the first AI-orchestrated espionage campaign, this playbook covers how to hunt for evidence of AI coding agent abuse in enterprise environments — covering API telemetry, network patterns, and endpoint behavioural indicators.
Detection Guide 2026-07-03
Detecting DPRK Dead-Drop C2: GitHub Repos and pCloud as Command Infrastructure
North Korean threat actors are routing C2 traffic through GitHub repositories and pCloud to evade enterprise proxy controls. Here's how to build detection logic that catches this living-off-the-cloud technique before exfiltration begins.
Detection Guide 2026-07-02
Detecting SOCKS5 Proxy Tunneling: Chisel, Ligolo-NG, and C2 Traffic Concealment
Threat actors increasingly use SOCKS5 proxy tunnels over HTTP/HTTPS to blend C2 traffic with legitimate web traffic and bypass perimeter controls. This guide covers detection logic for Chisel and Ligolo-NG, the two most observed tunneling tools, with Sigma rules and KQL queries for each technique.
Detection Guide T1219 2026-07-01
Detecting Compromised RMM Sessions and Infostealer Deployment
When attackers exploit vulnerabilities in RMM server software rather than deploying unauthorised RMM clients, the detection problem changes completely. This guide covers how to detect the attack chain from CVE-2026-48558-style RMM server compromise through TaskWeaver stager delivery to Djinn Stealer credential theft — with Sigma rules and KQL queries for each stage.
Detection Guide 2026-06-30
Detecting ClickFix: Clipboard-Based Malware Installation and LOLBin Execution Chains
ClickFix instructs victims to paste attacker-controlled commands from their clipboard into Run or PowerShell, bypassing endpoint controls and security awareness training. This guide covers the execution artifacts, Sigma rules, and KQL queries for detecting ClickFix campaigns across initial access and execution phases.
Detection Guide 2026-06-29
Detecting Cloudflare Tunnel Abuse for C2: A Detection Engineering Guide
Attackers are abusing Cloudflare Tunnel (cloudflared) to route command-and-control traffic through legitimate Cloudflare infrastructure, bypassing egress controls and reputation-based firewalls. This guide covers detection logic for endpoint, network, and SIEM layers.
Detection Guide 2026-06-28
Detecting Brute Ratel C4: Badger Implant Artifacts, EDR Evasion, and Detection Logic
Brute Ratel C4 (BRC4) is a commercial adversarial simulation framework adopted by APT29, ALPHV affiliates, and other threat actors specifically for its EDR evasion capabilities. This guide covers the Badger implant's named pipe patterns, syscall evasion, network beaconing, and Sigma rules and KQL for detection.
Detection Guide 2026-06-27
Detecting Havoc C2: Demon Agent Beaconing, Process Injection, and Named Pipe Artifacts
Havoc is an open-source C2 framework increasingly adopted by ransomware affiliates and nation-state actors. This detection guide covers the Demon agent's named pipe patterns, HTTPS beaconing signatures, process injection behaviour, and Sigma rules plus KQL for Microsoft Sentinel.
Detection Guide 2026-06-26
Detecting SSH Tunneling and Dynamic Port Forwarding (T1572)
Adversaries abuse SSH's built-in tunneling capabilities to create covert channels through firewall controls. This guide covers detection of local, remote, and dynamic port forwarding using Sigma rules, Linux auditd, and network telemetry.
Detection Guide 2026-06-25
Detecting Malicious RMM Tool Abuse: ScreenConnect, AnyDesk, and TeamViewer
Threat actors increasingly deploy legitimate remote management tools as backdoors to bypass EDR detection. This guide covers Sigma rules and KQL queries for detecting unauthorised ScreenConnect, AnyDesk, and TeamViewer deployments — covering installation indicators, unusual parent processes, suspicious network destinations, and post-compromise activity patterns.
Detection Guide 2026-06-24
Detecting Process Injection (T1055): Sigma Rules and KQL for Classic and Modern Techniques
Process injection is the most common technique for executing malicious code within the address space of a legitimate process. This guide covers detection logic for CreateRemoteThread, VirtualAllocEx, QueueUserAPC, reflective DLL injection, and shellcode injection, with Sigma rules and KQL for each.
Detection Guide T1505.001 2026-06-23
Detecting MSSQL Abuse for Lateral Movement and Command Execution
Attackers routinely weaponize SQL Server's xp_cmdshell stored procedure, linked server pivots, and SQL Agent jobs for lateral movement and persistence. This guide provides Sigma rules and KQL queries to detect all three abuse paths.
Detection Guide 2026-06-22
Detecting Teams TURN Relay C2: Sigma and KQL for Backdoor.Turn's Evasion Technique
DragonForce's Backdoor.Turn routes command-and-control through legitimate Microsoft Teams TURN relay infrastructure using QUIC over UDP 443, defeating network monitoring tools that can't distinguish malicious traffic from Teams collaboration. Here's where the detection opportunities actually are, with deployable Sigma rules and KQL.
Detection Guide 2026-06-21
Detecting SocGholish (FakeUpdates): Fake Browser Update Initial Access
SocGholish — also known as FakeUpdates — is one of the most prevalent initial access frameworks in enterprise intrusions, delivering Cobalt Strike, RansomHub, and other payloads via fake software update prompts on compromised legitimate websites. This guide covers detection at the browser, endpoint, proxy, and network layers with Sigma rules and KQL.
Detection Guide T1621 2026-06-20
Detecting MFA Fatigue and Push Bombing Attacks (T1621)
MFA fatigue attacks flood victims with authentication push notifications until they approve one by mistake or exhaustion. This guide covers the attack mechanics, Sigma rules for Entra ID and Okta, and KQL queries to surface anomalous MFA behaviour in your environment.
Detection Guide 2026-06-19
Detecting Webshell Deployment and Execution: IIS, Apache, and PHP
Webshells are the most common persistence mechanism following successful server exploitation. This guide covers detection across multiple surfaces: file creation events, process ancestry anomalies, IIS/Apache log analysis, and memory-resident shellcode patterns — with Sigma rules and KQL for each.
Detection Guide 2026-06-18
Detecting Cobalt Strike: Staging Artifacts, Named Pipes, and Beacon Patterns
Cobalt Strike remains the most widely observed adversary simulation framework in real-world intrusions. This guide covers the principal detection opportunities: default and custom malleable C2 network signatures, named pipe artifacts, process injection indicators, and memory-resident beacon detection, with Sigma rules and KQL for each.
Detection Guide T1574.001 2026-06-17
Detecting DLL Side-Loading and Hijacking — T1574.001 / T1574.002
DLL side-loading and hijacking are among the most abused techniques for persistence, privilege escalation, and defence evasion. This guide covers the difference between the two variants, how attackers use them, and the detection logic to catch both.
Detection Guide T1087.002 2026-06-16
Detecting BloodHound and SharpHound Active Directory Enumeration
BloodHound's graph-based AD attack path analysis is a staple of red teams and real attackers alike. This guide covers Sigma rules and KQL queries to detect SharpHound collection, LDAP enumeration bursts, and trust discovery activity across Windows and Entra ID.
Detection Guide T1528 2026-06-15
Detecting Entra ID Primary Refresh Token (PRT) Theft: KQL Detections and Investigation Guide
Primary Refresh Tokens are the skeleton key to Microsoft Entra ID. This guide covers how PRT theft works, the known attack tools, KQL detections in Microsoft Sentinel and Defender XDR, and what to look for in sign-in logs when MFA has been bypassed.
Detection Guide 2026-06-14
Detecting Pass-the-Hash and Pass-the-Ticket: T1550.002/T1550.003 Sigma and KQL Rules
Pass-the-Hash and Pass-the-Ticket are foundational lateral movement techniques used by nearly every ransomware affiliate and APT group operating in Windows environments. This guide covers how both attacks work, the telemetry sources that catch them, and production-ready Sigma and KQL detection rules.
Detection Guide 2026-06-12
Detecting DCOM Lateral Movement: T1021.003 Detection with Sigma and KQL
Distributed COM (DCOM) is a legitimate Windows remoting protocol increasingly abused for lateral movement by APT groups and ransomware operators. This guide covers DCOM execution mechanics, detection telemetry, and Sigma/KQL rules for hunting DCOM-based pivots.
Detection Guide 2026-06-12
Detecting WinRM Lateral Movement: T1021.006 Detection with Sigma and KQL
Windows Remote Management is a legitimate administrative protocol increasingly abused for lateral movement by ransomware affiliates and APT groups. This guide covers the key detection opportunities: event log telemetry, network signatures, and Sigma rules for SIEM and EDR platforms.
Detection Guide 2026-06-11
Detecting Ransomware Data Exfiltration: Hunting rclone, MEGAsync, and WinSCP in Your Environment
Modern ransomware groups exfiltrate data before encrypting — using tools like rclone, MEGAsync, and WinSCP to stage and send stolen files. This detection guide covers behavioural Sigma rules, KQL queries, and hunting strategies to catch exfiltration in progress.
Hunt Playbook 2026-06-10
Detecting Shadow Credentials: Hunting msDS-KeyCredentialLink Abuse and Whisker Attacks
Shadow credentials attacks abuse the msDS-KeyCredentialLink Active Directory attribute to add attacker-controlled certificates to a user or computer object, enabling persistent authentication without touching the password. Here's how to detect and hunt them.
Detection Guide 2026-06-09
Detecting Sliver C2: Named Pipes, Beaconing Patterns, and Process Injection Artifacts
Sliver is an open-source C2 framework written in Go, increasingly adopted by ransomware affiliates and APT groups. This detection guide covers named pipe signatures, HTTPS/DNS beacon detection, and memory-side indicators with Sigma rules and KQL.
Detection Guide 2026-06-08
Detecting HTML Smuggling Initial Access: Sigma Rules and Endpoint Telemetry for T1027.006
HTML smuggling (T1027.006) assembles malicious payloads in the browser using JavaScript or HTML5 attributes, bypassing network-layer inspection. Recent campaigns by Gamaredon, Lazarus Group, and commodity phishing kits use XHTML and Blob URL delivery to drop archives or executables without triggering gateway controls. Here's the detection logic.
Detection Guide 2026-06-07
Detecting DPAPI Credential Theft: Hunting T1555.004 Without Touching LSASS
Windows Data Protection API (DPAPI) is used by browsers, credential managers, and enterprise apps to encrypt stored secrets. Attackers use SharpDPAPI, Mimikatz, and DonPAPI to harvest those secrets without LSASS interaction — bypassing many EDR configurations focused on process injection. This guide covers DPAPI attack paths, the event artefacts they leave behind, and Sigma/KQL detections to surface them.
Detection Guide T1539 2026-06-06
Detecting AiTM Phishing and Session Token Theft: Sigma Rules for Evilginx and Token Replay
Adversary-in-the-Middle phishing proxies like Evilginx2 and Modlishka bypass MFA by relaying credentials and capturing session cookies in real time. This guide covers the attack mechanics, Entra ID sign-in log indicators, and Sigma/KQL detections for impossible travel, new device token replay, and suspicious authentication patterns.
Detection Guide T1210 2026-06-05
Detecting CVE-2026-41089 Netlogon RCE Exploitation Attempts
Detection guidance for CVE-2026-41089, the pre-authentication Netlogon stack buffer overflow actively exploited against domain controllers. Covers network-layer Suricata rules, Windows event log indicators, and a full Sigma detection for anomalous NRPC traffic and post-exploitation behaviour.
Detection Guide 2026-06-04
Detecting Malicious Scheduled Tasks for Persistence (T1053.005)
A detection engineering guide to hunting Windows Scheduled Task abuse (T1053.005) with Sigma rules, KQL queries, and event log forensics — covering attacker creation patterns, LOLBin chaining, and persistence mechanisms.
Detection Guide 2026-06-03
Detecting Microsoft Graph API Abuse for Command-and-Control
Nation-state actors including APT28, APT29, and Harvester now route C2 traffic through Microsoft Graph API and Outlook — blending malicious activity with legitimate cloud traffic. This guide covers KQL detection rules for Microsoft Sentinel, Sigma rules for endpoint telemetry, and behavioural indicators to hunt for living-off-trusted-services C2.
Detection Guide 2026-06-02
Detecting DCSync Attacks: Monitoring Domain Controller Replication Abuse (T1003.006)
DCSync abuses Active Directory's legitimate replication mechanism to extract password hashes without touching LSASS. This guide covers the technique, detection logic, and Sigma/KQL rules to catch it in your environment.
Detection Guide 2026-06-01
Detecting Active Directory Certificate Services Abuse: ESC1 Through ESC8
Active Directory Certificate Services misconfigurations (ESC1–ESC8) are among the most reliable privilege escalation paths in enterprise environments. This guide covers detection with Windows Event IDs, Sigma rules, and KQL hunting queries.
Detection Guide 2026-05-31
Detecting AiTM Phishing and Session Token Theft (T1557.002): Beyond MFA
Adversary-in-the-Middle phishing using reverse proxy kits captures valid post-MFA session tokens — bypassing MFA entirely without breaking it. This guide covers the attack mechanics, Sigma detection rules, and KQL hunting queries for session token replay activity.
Detection Guide 2026-05-30
Detecting OAuth Device Code Phishing (T1078/T1566): When Legitimate Auth Flows Become Attack Vectors
OAuth device code flow phishing lets attackers harvest valid MFA-bypassed tokens with no malicious link required. This guide covers the attack mechanics, Sigma rules, KQL queries, and hunting strategies for SOC teams.
Detection Guide T1187 2026-05-29
Detecting NTLM Coercion and Relay Attacks: PetitPotam, DFSCoerce, and AD Takeover
NTLM coercion techniques like PetitPotam and DFSCoerce are a reliable Active Directory attack path -- forcing machine accounts to authenticate and then relaying those credentials to take over domain infrastructure. Here's how to detect them.
Detection Guide T1552.001 2026-05-28
Detecting GitHub Actions OIDC Token Theft and CI/CD Credential Exfiltration
Detection guidance and Sigma rules for identifying GitHub Actions OIDC token extraction, cache poisoning via pull_request_target, and post-compromise cloud credential use -- the attack chain behind the Mini Shai-Hulud campaign.
Detection Guide T1546.003 2026-05-27
Detecting WMI Event Subscription Persistence -- T1546.003
WMI event subscriptions are one of the most overlooked persistence mechanisms in Windows environments. This guide covers the three-component model, how attackers abuse it, and the Sysmon and PowerShell detection logic to catch it.
Detection Guide 2026-05-26
Detecting BITS Jobs Abuse for Persistence and Lateral Movement
A detection engineer's guide to hunting BITS job misuse (T1197) with Sigma rules, KQL queries, and endpoint telemetry -- covering persistence, download cradles, and C2 staging.
Technique Analysis T1574.014 2026-05-25
Detecting AppDomain Hijacking: When .NET Config Files Become Execution Vectors
AppDomain Hijacking (T1574.014) abuses the .NET CLR's config-file loading behaviour to execute arbitrary code within trusted processes. This guide covers the mechanics, detection artifacts, and Sigma rules -- recently weaponised by Iranian APT Nimbus Manticore.
Detection Guide T1562.001 2026-05-23
Detecting BYOVD: How to Hunt Ransomware EDR Killers Before They Blind Your Stack
Bring Your Own Vulnerable Driver (BYOVD) attacks let ransomware affiliates kill EDR at kernel level. This guide covers detection logic, Sigma rules, and KQL queries to catch BYOVD before your defences are silenced.
Detection Guide T1558.003 2026-05-23
Detecting Kerberoasting and AS-REP Roasting Before Credentials Leave the Wire
Kerberoasting and AS-REP Roasting remain the most reliable paths to privileged AD credentials. This guide covers detection logic with Sigma rules, KQL queries, and hunting approaches for both techniques across Windows Security Event logs.
Detection Guide T1059.001 2026-05-22
Detecting Malicious PowerShell Execution -- From Script Block Logging to AMSI
PowerShell remains one of the most abused tools in the attacker's arsenal. This guide covers the full detection stack -- script block logging, module logging, transcription, AMSI, and Sigma rules for hunting obfuscated and encoded commands.
Hunt Playbook T1218 2025-11-28
Hunting Living-Off-the-Land Binaries: certutil, mshta, regsvr32, and wscript
A threat hunt playbook for detecting LOLBin abuse -- adversaries using native Windows binaries to execute payloads, download files, and evade detection. Covers certutil, mshta, regsvr32, and wscript with Sigma rules and hunting queries.
Tool Review 2025-11-18
Velociraptor for Endpoint Threat Hunting: A Practical Guide
A hands-on review of Velociraptor for endpoint threat hunting. Covers VQL query language basics, artifact collection, live response, and building custom hunt artifacts for large environments.
Detection Guide 2025-11-10
Detecting C2 Beaconing and DNS Tunneling with Frequency Analysis
A deep dive into C2 beaconing detection using statistical analysis of connection timing and DNS query patterns. Learn how to identify beacon sleep intervals, jitter patterns, and DNS exfiltration using log-based analytics.
Detection Guide 2025-11-01
Writing Sigma Rules from Scratch: A Practical Guide
Learn to write detection rules in Sigma -- the vendor-neutral rule format for SIEM detections. Covers logsource types, condition syntax, field mappings, and how to test and tune rules before deploying.
Hunt Playbook 2025-10-22
Threat Hunting Lateral Movement via SMB, PsExec, and WMI
A structured threat hunt playbook for identifying lateral movement activity using SMB-based tooling. Covers PsExec, Impacket, WMI execution, and the network and host artifacts each leaves behind.
Detection Guide T1003.001 2025-10-15
Detecting LSASS Credential Dumping on Windows
A practical detection guide for identifying Mimikatz, procdump, and other tools targeting LSASS memory. Covers Sysmon events, Windows Security logs, and Sigma rules you can deploy today.