Deconstructing “Wmiexec-Pro”
I recently ran a Kali VM against a Windows test host and instrumented the target with Procmon and WMI/Windows logs to see how a new WMI-native post-exploitation tool — Wmiexec-Pro — behaves. … Read More
Detection knowledge repository – by Daniel Koifman
Hello all! 👋 It’s been a while since my last post. I wasn’t finding anything exciting to write about — until this story caught my attention. Recently, I came across an article … Read More
Detection engineering isn’t just about finding bad behavior. It’s about understanding how attackers appear normal — by accident or by design. Some of the most successful evasion techniques don’t involve zero-days or encryption … Read More
Ok, so before we start, I personally think this is a bit of an “offside” topic. While the tech exists, personally I am not familiar with orgs who actually implement … Read More
“Until you make the unconscious conscious, it will direct your life — and you will call it fate.” — Carl Jung Before I begin this very odd post, let me … Read More
If a log falls in the SIEM, does it generate an alert? 2025 has been an interesting year for me so far. Not too long ago, I joined a startup … Read More
Building on my previous article, in this article we will adopt the “Immutable Artifacts” methodology to detect such artifacts for enabling/disabling RDP connections on a Windows machine. The registry architecture for RDP … Read More
Lately I’ve been reading a LOT of materials on how to write better detection rules. The main reason this whole thing started is that I’ve had a very interesting thought. … Read More
What is “evil-winrm”/WinRM? Evil-WinRM is a post-exploitation tool that provides a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM). It’s widely used in penetration … Read More
What is Impacket / PSExec? Impacket PsExec is a Python-based implementation of the PsExec functionality, created by the open-source library Impacket. Impacket is a collection of tools and Python classes for working with network … Read More