Detection Guide T1562.001 2026-05-23
Detecting BYOVD: How to Hunt Ransomware EDR Killers Before They Blind Your Stack
Bring Your Own Vulnerable Driver (BYOVD) attacks let ransomware affiliates load a signed but exploitable driver and use it to terminate EDR processes from kernel mode. This guide covers detection logic, Sigma rules, and KQL queries to catch BYOVD before your defences are silenced.
Detection Guide T1059.001 2026-05-22
Detecting Malicious PowerShell Execution — From Script Block Logging to AMSI
PowerShell remains one of the most abused tools in the attacker's arsenal. This guide covers the full detection stack — script block logging, module logging, transcription, AMSI, and Sigma rules for hunting obfuscated and encoded commands.
Hunt Playbook T1218 2025-11-28
Hunting Living-Off-the-Land Binaries: certutil, mshta, regsvr32, and wscript
A threat hunt playbook for detecting LOLBin abuse — adversaries using native Windows binaries to execute payloads, download files, and evade detection. Covers certutil, mshta, regsvr32, and wscript with Sigma rules and hunting queries.
Tool Review 2025-11-18
Velociraptor for Endpoint Threat Hunting: A Practical Guide
A hands-on review of Velociraptor for endpoint threat hunting. Covers VQL query language basics, artifact collection, live response, and building custom hunt artifacts for large environments.
Detection Guide 2025-11-10
Detecting C2 Beaconing and DNS Tunneling with Frequency Analysis
A deep dive into C2 beaconing detection using statistical analysis of connection timing and DNS query patterns. Learn how to identify beacon sleep intervals, jitter patterns, and DNS exfiltration using log-based analytics.
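As an added illustration of the timing analysis that entry describes (example code written for this listing, not taken from the linked guide), the script below groups connections by source and destination, computes inter-arrival intervals, and flags pairs whose interval distribution is too regular for human traffic. The log lines, host names and addresses are constructed; the 0.2 coefficient-of-variation threshold and six-event minimum are assumed starting points to tune per environment.

```python
"""Beacon-candidate detection from connection timing (added example, not from the linked guide)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source host> <dest:port>".
# ws01 contacts 203.0.113.10 roughly every 60s with ~10% jitter (beacon-like);
# ws02 contacts 198.51.100.5 in bursts at irregular, human-looking gaps.
SAMPLE_LOG = """\
2025-11-10T10:00:00 ws01 203.0.113.10:443
2025-11-10T10:01:03 ws01 203.0.113.10:443
2025-11-10T10:02:00 ws01 203.0.113.10:443
2025-11-10T10:03:05 ws01 203.0.113.10:443
2025-11-10T10:03:59 ws01 203.0.113.10:443
2025-11-10T10:05:02 ws01 203.0.113.10:443
2025-11-10T10:06:04 ws01 203.0.113.10:443
2025-11-10T10:07:01 ws01 203.0.113.10:443
2025-11-10T10:00:10 ws02 198.51.100.5:443
2025-11-10T10:00:12 ws02 198.51.100.5:443
2025-11-10T10:04:40 ws02 198.51.100.5:443
2025-11-10T10:04:41 ws02 198.51.100.5:443
2025-11-10T10:17:05 ws02 198.51.100.5:443
2025-11-10T10:17:09 ws02 198.51.100.5:443
2025-11-10T10:45:00 ws02 198.51.100.5:443
2025-11-10T10:45:03 ws02 198.51.100.5:443
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]}; malformed lines are skipped, not fatal."""
    conns = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        conns[(parts[1], parts[2])].append(ts)
    return conns


def timing_stats(timestamps):
    """Interval statistics for one src/dst pair (needs at least two events)."""
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(deltas)
    median = statistics.median(deltas)
    # Coefficient of variation: a fixed sleep with small jitter gives a low value,
    # interactive traffic gives a high one. Population stdev keeps it deterministic.
    cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
    # Heuristic jitter estimate: half the interval range relative to the median
    # (a sleep of S with +/-j% jitter yields intervals in [S(1-j), S(1+j)]).
    jitter_est = (max(deltas) - min(deltas)) / (2 * median) if median > 0 else float("inf")
    return {"events": len(ts), "mean_interval": mean, "median_interval": median,
            "cv": cv, "jitter_est": jitter_est}


def analyze_connections(text, min_events=6, max_cv=0.2):
    """Score every src/dst pair with enough events; 'beacon' marks low-variance timing."""
    results = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < max(min_events, 2):
            continue  # too few samples for the interval distribution to mean anything
        stats = timing_stats(stamps)
        stats["beacon"] = stats["cv"] <= max_cv
        results[key] = stats
    return results


def find_beacons(text, **kwargs):
    """Sorted list of (src, dst) pairs flagged as beacon candidates."""
    return sorted(k for k, s in analyze_connections(text, **kwargs).items() if s["beacon"])


if __name__ == "__main__":
    for (src, dst), s in analyze_connections(SAMPLE_LOG).items():
        flag = "BEACON?" if s["beacon"] else "ok"
        print(f"{src} -> {dst}: n={s['events']} mean={s['mean_interval']:.1f}s "
              f"cv={s['cv']:.2f} jitter~{s['jitter_est']:.0%} {flag}")
```

In practice the same statistics are run per source/destination pair over a day or more of proxy, firewall or DNS logs, and the CV threshold is raised or lowered against known-good update checkers and monitoring agents, which beacon just as regularly as malware and are the main source of false positives.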
Detection Guide 2025-11-01
Writing Sigma Rules from Scratch: A Practical Guide
Learn to write detection rules in Sigma — the vendor-neutral rule format for SIEM detections. Covers logsource types, condition syntax, field mappings, and how to test and tune rules before deploying.
Hunt Playbook 2025-10-22
Threat Hunting Lateral Movement via SMB, PsExec, and WMI
A structured threat hunt playbook for identifying lateral movement activity over SMB and WMI. Covers PsExec, Impacket, and WMI execution, and the network and host artifacts each leaves behind.
Detection Guide T1003.001 2025-10-15
Detecting LSASS Credential Dumping on Windows
A practical detection guide for identifying Mimikatz, ProcDump, and other tools targeting LSASS memory. Covers Sysmon events, Windows Security logs, and Sigma rules you can deploy today.