Detection engineering insights, threat hunting guides, and MITRE ATT&CK tutorials.
Production KQL (Microsoft Sentinel) and SPL (Splunk) detections for MITRE ATT&CK T1558 — Kerberoasting, AS-REP Roasting, Golden and Silver Tickets — with Event 4769/4768 logic and tuning guidance for SOC teams.
How threat actors weaponize legitimate remote access software like AnyDesk, ScreenConnect, and Atera — and the production KQL and SPL detection rules SOC teams need to catch T1219 abuse before ransomware lands.
Production KQL and SPL detection rules for MITRE ATT&CK T1055 process injection — DLL injection, process hollowing, thread hijacking, PE injection, and Early Bird APC — with tuning guidance for SOC teams.
Production-grade KQL and SPL detection queries for five critical vulnerabilities in the CISA Known Exploited Vulnerabilities catalog. Map KEV to MITRE ATT&CK, prioritise alerts, and close the gap between patch lag and detection coverage.
Every ransomware deployment starts with killing the AV. KQL queries for Microsoft Sentinel and SPL for Splunk to catch Defender disablement, service stops, taskkill abuse, and unauthorized exclusion additions before encryption begins.
Real KQL and SPL detection rules for catching LOLBin abuse — mshta, regsvr32, rundll32, WMI, and BITS Jobs — using MITRE ATT&CK T1218, T1047, and T1197 mapped queries from the df00tech library.
A practical guide to building your first SOC detection library: required logs, MITRE ATT&CK prioritisation, starter KQL and SPL queries, and a development loop that works.
A practical C2 detection rule guide for SOCs: beaconing analysis, DNS tunneling, Cobalt Strike, Sliver, and protocol tunneling with KQL and SPL queries.
Credential dumping detection for T1003.001 LSASS, SAM, and NTDS extraction. KQL and SPL queries to catch Mimikatz, ProcDump, comsvcs.dll, and DCSync in your environment.
Production-tested lateral movement detection KQL queries for Microsoft Sentinel and Defender for Endpoint covering T1021 — RDP, SMB admin shares, and WinRM.
A practical phishing detection rule guide for T1566 covering spearphishing attachments, links, and service-based phishing with KQL queries for Microsoft Defender and Sentinel.
Build a PowerShell detection rule for T1059.001 with production KQL for Microsoft Sentinel and SPL for Splunk. Covers encoded commands, AMSI bypass, and tuning.
A ransomware detection rule playbook for 2026: TTPs, KQL queries, and LockBit, BlackCat, Akira tells — catch mass file encryption and shadow copy deletion pre-detonation.
Scheduled task detection for T1053.005 with production KQL and SPL queries for Microsoft Sentinel and Splunk — covering schtasks.exe, at.exe, cron, 4698/4700/4702 events, and hidden task persistence.
SPL vs KQL for detection engineering — side-by-side Splunk and Microsoft Sentinel syntax with real queries for PowerShell, LSASS, and scheduled task detections.
The most important MITRE ATT&CK techniques every SOC analyst must detect, prioritized by real-world frequency with KQL detection coverage for each.
df00tech provides 704 production-ready KQL and SPL detection rules mapped to the MITRE ATT&CK framework. Learn how comprehensive detection coverage protects your environment.
A practical guide for SOC teams on using the MITRE ATT&CK framework to identify detection gaps, prioritise rule development, and measure coverage improvements over time.
Hands-on KQL threat hunting queries for Microsoft Sentinel, covering credential dumping, UAC bypass, log tampering, ingress tool transfer, and password spraying detection.