/en/Recent content on Suspicious BytesHugoen-USMon, 08 Jun 2026 00:00:00 +0000/en/posts/writing-your-first-sigma-rule/Mon, 08 Jun 2026 00:00:00 +0000/en/posts/writing-your-first-sigma-rule/<p>Sigma is to log detections what YARA is to files: a generic, vendor-neutral way to describe <em>what</em> you want to detect, which you then convert into the query language your SIEM actually speaks.</p> <h2 id="why-a-portable-format">Why a portable format?</h2> <p>Detections written directly in one query language are stuck there forever. Sigma lets you write once and compile to many backends:</p> <ul> <li>One rule, many targets (Splunk, Elastic, Sentinel, …)</li> <li>Reviewable in pull requests like any other code</li> <li>Shareable with the community without leaking your stack</li> </ul> <blockquote> <p>A detection you cannot test, version, and review is a liability, not an asset.</p>/en/posts/detecting-lateral-movement/Sat, 30 May 2026 00:00:00 +0000/en/posts/detecting-lateral-movement/<p>Once an attacker has a foothold, the interesting part begins: moving from the first host toward whatever they actually came for. That east-west movement leaves traces if you know which events to join.</p> <h2 id="signals-worth-joining">Signals worth joining</h2> <p>Lateral movement rarely shows up as a single smoking-gun event. It emerges from correlation:</p> <ol> <li>Network logon events (<code>4624</code> type 3) from unusual sources</li> <li>Service or scheduled-task creation on the destination</li> <li>Remote process creation shortly after</li> </ol> <blockquote> <p>Correlate across hosts, not just within one. A single <code>4624</code> is noise; a chain of them following an account around the estate is a story.</p>/en/posts/anatomy-of-a-phishing-incident/Thu, 21 May 2026 00:00:00 +0000/en/posts/anatomy-of-a-phishing-incident/<p>Most intrusions still start with someone clicking a link. This is a sanitised walk-through of a credential-phishing case and the timeline that mattered.</p> <h2 id="the-timeline">The timeline</h2> <p>Incident response lives and dies by an accurate timeline. Reconstruct it before you theorise:</p> <ol> <li><strong>08:42</strong> — user reports a &ldquo;mailbox full&rdquo; email</li> <li><strong>08:55</strong> — same template seen by twelve other recipients</li> <li><strong>09:10</strong> — one set of credentials submitted to the fake portal</li> <li><strong>09:13</strong> — successful logon from a foreign ASN</li> </ol> <blockquote> <p>The goal of triage is not to find everything. It is to answer one question fast: did anything actually succeed?</p>/en/posts/triaging-suspicious-powershell/Tue, 12 May 2026 00:00:00 +0000/en/posts/triaging-suspicious-powershell/<p>An encoded PowerShell command in your process logs is not automatically malicious, but it always deserves a closer look. Here is how to triage one calmly.</p> <h2 id="what-raises-the-flag">What raises the flag</h2> <p>Certain flag combinations are unusual for a legitimate script and common for tradecraft:</p> <ul> <li><code>-EncodedCommand</code> (base64 payloads)</li> <li><code>-WindowStyle Hidden</code> and <code>-NonInteractive</code></li> <li><code>-ExecutionPolicy Bypass</code></li> </ul> <blockquote> <p>Decoding a payload is reading, not running. Decode in an isolated environment and never paste an unknown command back into a live shell.</p>/en/posts/osint-for-beginners/Sun, 03 May 2026 00:00:00 +0000/en/posts/osint-for-beginners/<p>Open-source intelligence is the practice of collecting information from publicly available sources — and a surprising amount of an organisation&rsquo;s footprint is sitting in plain sight.</p> <h2 id="where-to-start">Where to start</h2> <p>Begin with the passive sources that never touch the target directly:</p> <ul> <li>Public DNS and WHOIS records</li> <li>Certificate transparency logs</li> <li>Cached pages and archives</li> </ul> <blockquote> <p>The goal of OSINT is not to break in. It is to understand a footprint using only what someone has already published.</p>/en/posts/building-a-threat-actor-profile/Fri, 24 Apr 2026 00:00:00 +0000/en/posts/building-a-threat-actor-profile/<p>Cyber threat intelligence is only useful when it changes a decision. A good actor profile turns scattered observations into something a defender can act on this week, not just read.</p> <h2 id="structure-beats-prose">Structure beats prose</h2> <p>A profile that reads like a story is hard to operationalise. Capture it as structured fields instead:</p> <ul> <li>Aliases and overlapping clusters</li> <li>Targeted sectors and regions</li> <li>Observed techniques (mapped to ATT&amp;CK)</li> <li>Known infrastructure patterns</li> </ul> <blockquote> <p>Intelligence without a confidence level is just a rumour with good formatting. State what you know, how well you know it, and how you&rsquo;d be proven wrong.</p>/en/posts/starting-with-threathunting/Sat, 27 Sep 2025 00:00:00 +0000/en/posts/starting-with-threathunting/<h2 id="start-hunting-today">Start Hunting Today!</h2> <p>Threat hunting doesn&rsquo;t require enterprise tools. You can simply start with what you already have.</p> <h3 id="minimum-requirements">Minimum Requirements</h3> <p>Start with things you probably already have. Work from there, and then think about improving and growing.</p> <ul> <li><strong>Centralized logging</strong> (Sysmon, firewall, proxy logs)</li> <li><strong>Query capability</strong> (ELK, Splunk, or even grep)</li> <li><strong>Baseline knowledge</strong> of your network</li> <li><strong>2-4 hours per week</strong> of dedicated hunting time</li> </ul> <p>Baselining is the hardest part for beginners, so start small. Pick one thing you can describe as &ldquo;normal&rdquo; (which hosts talk to the internet, which accounts run as admin, what runs at startup) and write it down. That single baseline becomes the yardstick for your first hunts.</p>