Detection Engineering Intelligence for SOC Teamshttps://blueteambrief.com/en-ushttps://blueteambrief.com/articles/detecting-byovd-edr-killer-attacks/https://blueteambrief.com/articles/detecting-byovd-edr-killer-attacks/Bring Your Own Vulnerable Driver (BYOVD) attacks let ransomware affiliates kill EDR at kernel level. This guide covers detection logic, Sigma rules, and KQL queries to catch BYOVD before your defences are silenced.Sat, 23 May 2026 00:00:00 GMTdetection-guideBYOVDEDR killerransomwarekernel driverDragonForceAkiraT1562.001SigmaKQLendpoint detectionhttps://blueteambrief.com/articles/detecting-malicious-powershell-execution/https://blueteambrief.com/articles/detecting-malicious-powershell-execution/PowerShell remains one of the most abused tools in the attacker's arsenal. This guide covers the full detection stack — script block logging, module logging, transcription, AMSI, and Sigma rules for hunting obfuscated and encoded commands.Fri, 22 May 2026 00:00:00 GMTdetection-guidepowershellscript-block-loggingamsisigmawindowsT1059.001obfuscationliving-off-the-landhttps://blueteambrief.com/articles/hunting-living-off-the-land-binaries-lolbins/https://blueteambrief.com/articles/hunting-living-off-the-land-binaries-lolbins/A threat hunt playbook for detecting LOLBin abuse — adversaries using native Windows binaries to execute payloads, download files, and evade detection. Covers certutil, mshta, regsvr32, and wscript with Sigma rules and hunting queries.Fri, 28 Nov 2025 00:00:00 GMThunt-playbooklolbinsdefense-evasionexecutionsigmacertutilmshtahttps://blueteambrief.com/articles/velociraptor-threat-hunting-endpoints/https://blueteambrief.com/articles/velociraptor-threat-hunting-endpoints/A hands-on review of Velociraptor for endpoint threat hunting. Covers VQL query language basics, artifact collection, live response, and building custom hunt artifacts for large environments.Tue, 18 Nov 2025 00:00:00 GMTtool-reviewvelociraptordfirendpointvqlthreat-huntingdfir-toolshttps://blueteambrief.com/articles/detecting-c2-beaconing-dns-tunneling/https://blueteambrief.com/articles/detecting-c2-beaconing-dns-tunneling/A deep dive into C2 beaconing detection using statistical analysis of connection timing and DNS query patterns. Learn how to identify beacon sleep intervals, jitter patterns, and DNS exfiltration using log-based analytics.Mon, 10 Nov 2025 00:00:00 GMTdetection-guidec2dns-tunnelingbeaconingnetwork-detectionthreat-huntinghttps://blueteambrief.com/articles/sigma-rule-writing-guide-beginners/https://blueteambrief.com/articles/sigma-rule-writing-guide-beginners/Learn to write detection rules in Sigma — the vendor-neutral rule format for SIEM detections. Covers logsource types, condition syntax, field mappings, and how to test and tune rules before deploying.Sat, 01 Nov 2025 00:00:00 GMTdetection-guidesigmadetection-engineeringsiemrule-writinghttps://blueteambrief.com/articles/threat-hunting-lateral-movement-smb/https://blueteambrief.com/articles/threat-hunting-lateral-movement-smb/A structured threat hunt playbook for identifying lateral movement activity using SMB-based tooling. Covers PsExec, Impacket, WMI execution, and the network and host artifacts each leaves behind.Wed, 22 Oct 2025 00:00:00 GMThunt-playbooklateral-movementpsexecwmismbimpackethttps://blueteambrief.com/articles/detecting-lsass-credential-dumping-windows/https://blueteambrief.com/articles/detecting-lsass-credential-dumping-windows/A practical detection guide for identifying Mimikatz, procdump, and other tools targeting LSASS memory. Covers Sysmon events, Windows Security logs, and Sigma rules you can deploy today.Wed, 15 Oct 2025 00:00:00 GMTdetection-guidecredential-accessmimikatzlsasssysmonsigma