Detection Guide T1059.001 2026-05-22
Detecting Malicious PowerShell Execution — From Script Block Logging to AMSI
PowerShell remains one of the most abused tools in the attacker's arsenal. This guide covers the full detection stack — script block logging, module logging, transcription, AMSI, and Sigma rules for hunting obfuscated and encoded commands.
Hunt Playbook T1218 2025-11-28
Hunting Living-Off-the-Land Binaries: certutil, mshta, regsvr32, and wscript
A threat hunt playbook for detecting LOLBin abuse — adversaries using native Windows binaries to execute payloads, download files, and evade detection. Covers certutil, mshta, regsvr32, and wscript with Sigma rules and hunting queries.
Tool Review 2025-11-18
Velociraptor for Endpoint Threat Hunting: A Practical Guide
A hands-on review of Velociraptor for endpoint threat hunting. Covers VQL query language basics, artifact collection, live response, and building custom hunt artifacts for large environments.
Detection Guide 2025-11-10
Detecting C2 Beaconing and DNS Tunneling with Frequency Analysis
A deep dive into C2 beaconing detection using statistical analysis of connection timing and DNS query patterns. Learn how to identify beacon sleep intervals, jitter patterns, and DNS exfiltration using log-based analytics.
Detection Guide 2025-11-01
Writing Sigma Rules from Scratch: A Practical Guide
Learn to write detection rules in Sigma — the vendor-neutral rule format for SIEM detections. Covers logsource types, condition syntax, field mappings, and how to test and tune rules before deploying.
Hunt Playbook 2025-10-22
Threat Hunting Lateral Movement via SMB, PsExec, and WMI
A structured threat hunt playbook for identifying lateral movement activity using SMB-based tooling. Covers PsExec, Impacket, WMI execution, and the network and host artifacts each leaves behind.
Detection Guide T1003.001 2025-10-15
Detecting LSASS Credential Dumping on Windows
A practical detection guide for identifying Mimikatz, procdump, and other tools targeting LSASS memory. Covers Sysmon events, Windows Security logs, and Sigma rules you can deploy today.