DetectionHunter
// detection roadmap

Three phases of detection maturity

Each lab is a self-contained notebook covering the detection idea, telemetry, validation, and Wazuh rule concept. Build Phase 1 first — it returns the most defensive value per hour invested.

Phase 1

Immediate High-Value Detections

Simple, high-signal detections that catch common PowerShell abuse early.

6 / 6 labs
phase 1 · T1059.001

Detecting PowerShell EncodedCommand Abuse

Catch base64-encoded PowerShell payloads — a hallmark of loaders, droppers, and post-exploitation frameworks.

high signalEasy
#Windows#Sysmon#Wazuh#PowerShell#ATT&CK
phase 1 · T1059.001

Detecting Invoke-Expression (IEX) Misuse

Flag Invoke-Expression / IEX patterns that execute downloaded or in-memory strings.

high signalEasy
#Windows#PowerShell#ATT&CK
phase 1 · T1059.001

Detecting DownloadString / Invoke-WebRequest Staging

Surface PowerShell pulling remote payloads via WebClient or IWR.

high signalEasy
#Windows#PowerShell#Sysmon
phase 1 · T1059.001

Detecting Hidden-Window PowerShell

PowerShell launched with -WindowStyle Hidden is rarely benign on workstations.

medium signalEasy
#Windows#PowerShell
phase 1 · T1059.001

Detecting -ExecutionPolicy Bypass

Catch attempts to neutralize ExecutionPolicy from the command line.

medium signalEasy
#Windows#PowerShell
phase 1 · T1059.001

Detecting Office Applications Spawning PowerShell

Word/Excel/Outlook spawning powershell.exe is a textbook macro-payload pattern.

high signalEasy
#Windows#Sysmon#ATT&CK
Phase 2

Contextual Correlation

Combine PowerShell behavior with surrounding system and network context.

4 / 4 labs
phase 2 · T1059.001

PowerShell + Outbound Network Correlation

Correlate a PowerShell process with its first external network connection.

high signalModerate
#Sysmon#Wazuh#Correlation
phase 2 · T1059.001

PowerShell + Persistence Indicator Correlation

Tie PowerShell execution to Run-key writes, scheduled tasks, or service installs.

high signalModerate
#Wazuh#Correlation#ATT&CK
phase 2 · T1059.001

Suspicious Parent/Child Process Relationships

Detect anomalous lineage like services.exe → powershell.exe or w3wp.exe → powershell.exe.

medium signalModerate
#Sysmon#Behavioral
phase 2 · T1059.001

Office → Script Interpreter Execution Chains

Office → wscript/cscript/mshta → powershell is a textbook delivery chain.

high signalModerate
#Sysmon#Behavioral
Phase 3

Advanced Detection Engineering

Evasive and memory-based tradecraft: AMSI, reflection, entropy, chains.

6 / 6 labs
phase 3 · T1562.001

Detecting AMSI Bypass Attempts

Identify in-script AMSI tampering patterns.

high signalAdvanced
#PowerShell#Advanced#ATT&CK
phase 3 · T1620

Detecting .NET Reflection Loading in PowerShell

Catch [Reflection.Assembly]::Load and friends used to run in-memory .NET.

high signalAdvanced
#PowerShell#Advanced
phase 3 · T1059.001

Memory-Only PowerShell Execution

Detect VirtualAlloc/CreateThread patterns used for fileless shellcode.

high signalAdvanced
#PowerShell#Advanced
phase 3 · T1027

Obfuscation Scoring of PowerShell Script Blocks

Score script blocks for obfuscation heuristics (backticks, char arrays, splatting).

medium signalAdvanced
#PowerShell#Analytics
phase 3 · T1027

Entropy Analysis on Decoded PowerShell Payloads

Flag high-entropy decoded blobs likely to be packed shellcode.

medium signalAdvanced
#Analytics#Advanced
phase 3 · TA0002+TA0005+TA0003

End-to-End ATT&CK Chain Correlation

Stitch multiple weak signals into one high-confidence chain alert.

high signalAdvanced
#Wazuh#Correlation#ATT&CK