Posts tagged #threat-hunting

How real adversary tools move host-to-host in Windows estates, and the precise event ID combinations in Security.evtx that catch PsExec, Impacket, and WMIExec.
The practical difference between PowerShell module logging, script block logging, transcripts, and AMSI buffers — and the GPO settings that actually turn the useful ones on.
An opinionated take on Sysmon: which event IDs actually matter in IR, why olafhartong/sysmon-modular is the right baseline, and the configuration mistakes that blind you to real attacks.