Detection Engineering Intelligence for SOC Teamshttps://soc-analyst-hub.pages.dev/en-ushttps://soc-analyst-hub.pages.dev/articles/detecting-malicious-powershell-execution/https://soc-analyst-hub.pages.dev/articles/detecting-malicious-powershell-execution/PowerShell remains one of the most abused tools in the attacker's arsenal. This guide covers the full detection stack — script block logging, module logging, transcription, AMSI, and Sigma rules for hunting obfuscated and encoded commands.Fri, 22 May 2026 00:00:00 GMTdetection-guidepowershellscript-block-loggingamsisigmawindowsT1059.001obfuscationliving-off-the-landhttps://soc-analyst-hub.pages.dev/articles/hunting-living-off-the-land-binaries-lolbins/https://soc-analyst-hub.pages.dev/articles/hunting-living-off-the-land-binaries-lolbins/A threat hunt playbook for detecting LOLBin abuse — adversaries using native Windows binaries to execute payloads, download files, and evade detection. Covers certutil, mshta, regsvr32, and wscript with Sigma rules and hunting queries.Fri, 28 Nov 2025 00:00:00 GMThunt-playbooklolbinsdefense-evasionexecutionsigmacertutilmshtahttps://soc-analyst-hub.pages.dev/articles/velociraptor-threat-hunting-endpoints/https://soc-analyst-hub.pages.dev/articles/velociraptor-threat-hunting-endpoints/A hands-on review of Velociraptor for endpoint threat hunting. Covers VQL query language basics, artifact collection, live response, and building custom hunt artifacts for large environments.Tue, 18 Nov 2025 00:00:00 GMTtool-reviewvelociraptordfirendpointvqlthreat-huntingdfir-toolshttps://soc-analyst-hub.pages.dev/articles/detecting-c2-beaconing-dns-tunneling/https://soc-analyst-hub.pages.dev/articles/detecting-c2-beaconing-dns-tunneling/A deep dive into C2 beaconing detection using statistical analysis of connection timing and DNS query patterns. Learn how to identify beacon sleep intervals, jitter patterns, and DNS exfiltration using log-based analytics.Mon, 10 Nov 2025 00:00:00 GMTdetection-guidec2dns-tunnelingbeaconingnetwork-detectionthreat-huntinghttps://soc-analyst-hub.pages.dev/articles/sigma-rule-writing-guide-beginners/https://soc-analyst-hub.pages.dev/articles/sigma-rule-writing-guide-beginners/Learn to write detection rules in Sigma — the vendor-neutral rule format for SIEM detections. Covers logsource types, condition syntax, field mappings, and how to test and tune rules before deploying.Sat, 01 Nov 2025 00:00:00 GMTdetection-guidesigmadetection-engineeringsiemrule-writinghttps://soc-analyst-hub.pages.dev/articles/threat-hunting-lateral-movement-smb/https://soc-analyst-hub.pages.dev/articles/threat-hunting-lateral-movement-smb/A structured threat hunt playbook for identifying lateral movement activity using SMB-based tooling. Covers PsExec, Impacket, WMI execution, and the network and host artifacts each leaves behind.Wed, 22 Oct 2025 00:00:00 GMThunt-playbooklateral-movementpsexecwmismbimpackethttps://soc-analyst-hub.pages.dev/articles/detecting-lsass-credential-dumping-windows/https://soc-analyst-hub.pages.dev/articles/detecting-lsass-credential-dumping-windows/A practical detection guide for identifying Mimikatz, procdump, and other tools targeting LSASS memory. Covers Sysmon events, Windows Security logs, and Sigma rules you can deploy today.Wed, 15 Oct 2025 00:00:00 GMTdetection-guidecredential-accessmimikatzlsasssysmonsigma