DetectionHunter.io
Master detection before hackers master your environment.
A hands-on detection engineering platform for building, validating, analyzing, and improving security detections using real telemetry, attacker behavior, and SIEM-driven validation.
Detection Pulse Live
Watch raw behavior become validated detection signal.
Build. Validate. Analyze. Improve.
Every detection ships with telemetry, a safe validation, an expected log signature, and an analyst-ready triage note.
Turning telemetry into defensive confidence.
Score every detection from 0–100 across coverage, accuracy, context, validation proof, and operational readiness.
Where detection engineering becomes measurable cyber resilience.
Continuous improvement — the loop closes only when the logs prove what happened, and the analyst knows what to do.
PowerShell Detection Engineering Lab — T1059.001
A hands-on lab for detecting PowerShell abuse using Windows Event Logs, PowerShell Script Block Logging, Sysmon, and Wazuh. 16 validated detections across three maturity phases — each with safe validation, log evidence, and analyst notes.
Detecting PowerShell EncodedCommand Abuse: Catch base64-encoded PowerShell payloads — a hallmark of loaders, droppers, and post-exploitation frameworks.
Detecting Invoke-Expression (IEX) Misuse: Flag Invoke-Expression / IEX patterns that execute downloaded or in-memory strings.
Detecting DownloadString / Invoke-WebRequest Staging: Surface PowerShell pulling remote payloads via WebClient or IWR.
Detecting Hidden-Window PowerShell: PowerShell launched with -WindowStyle Hidden is rarely benign on workstations.
Detecting -ExecutionPolicy Bypass: Catch attempts to neutralize ExecutionPolicy from the command line.
Detecting Office Applications Spawning PowerShell: Word/Excel/Outlook spawning powershell.exe is a textbook macro-payload pattern.