Hatem Sayed — Insights

Hatem Sayed — Insights https://s3cg33k.com Cybersecurity • DFIR • Threat Hunting en <![CDATA[Velociraptor: Fleet-Wide Hunting and Remote Triage at Scale]]> https://s3cg33k.com/blog/2026-06-18-velociraptor-fleet-hunting https://s3cg33k.com/blog/2026-06-18-velociraptor-fleet-hunting Thu, 18 Jun 2026 00:00:00 GMT <![CDATA[Putting an LLM in the Triage Loop — Usefully, and Safely]]> https://s3cg33k.com/blog/2026-06-10-llms-in-dfir-triage https://s3cg33k.com/blog/2026-06-10-llms-in-dfir-triage Wed, 10 Jun 2026 00:00:00 GMT <![CDATA[Investigating Identity Attacks in Microsoft 365 and Azure]]> https://s3cg33k.com/blog/2026-05-20-m365-azure-identity-forensics https://s3cg33k.com/blog/2026-05-20-m365-azure-identity-forensics Wed, 20 May 2026 00:00:00 GMT <![CDATA[Deepfakes and AI-Assisted Fraud: What Changes for Defenders]]> https://s3cg33k.com/blog/2026-04-07-deepfake-bec-ai-fraud https://s3cg33k.com/blog/2026-04-07-deepfake-bec-ai-fraud Tue, 07 Apr 2026 00:00:00 GMT <![CDATA[Chainsaw + Sigma: High-Signal Hunts to Run Every Week]]> https://s3cg33k.com/blog/2026-03-10-chainsaw-sigma-detections https://s3cg33k.com/blog/2026-03-10-chainsaw-sigma-detections Tue, 10 Mar 2026 00:00:00 GMT <![CDATA[Detection-as-Code: Putting Sigma Under CI/CD]]> https://s3cg33k.com/blog/2026-02-16-detection-as-code-sigma https://s3cg33k.com/blog/2026-02-16-detection-as-code-sigma Mon, 16 Feb 2026 00:00:00 GMT <![CDATA[Reconstructing Execution with the $MFT and USN Journal]]> https://s3cg33k.com/blog/2026-01-28-mft-usn-execution-timeline https://s3cg33k.com/blog/2026-01-28-mft-usn-execution-timeline Wed, 28 Jan 2026 00:00:00 GMT <![CDATA[AiTM Phishing: Catching the Session Theft MFA Can't Stop]]> https://s3cg33k.com/blog/2025-12-09-aitm-session-theft-detection https://s3cg33k.com/blog/2025-12-09-aitm-session-theft-detection Tue, 09 Dec 2025 00:00:00 GMT <![CDATA[When There's Nothing to Decrypt: Responding to Encryption-less Extortion]]> https://s3cg33k.com/blog/2025-11-12-encryptionless-extortion-response https://s3cg33k.com/blog/2025-11-12-encryptionless-extortion-response Wed, 12 Nov 2025 00:00:00 GMT <![CDATA[PowerShell Incident Triage: From a 4104 to Root Cause]]> https://s3cg33k.com/blog/2025-09-15-powershell-triage-4104-to-rca https://s3cg33k.com/blog/2025-09-15-powershell-triage-4104-to-rca Mon, 15 Sep 2025 00:00:00 GMT <![CDATA[Lessons from the Frontlines: Hunting What the Alerts Miss]]> https://s3cg33k.com/blog/2025-09-15-threat-hunting https://s3cg33k.com/blog/2025-09-15-threat-hunting Mon, 15 Sep 2025 00:00:00 GMT <![CDATA[Memory Forensics 101: A Practical Volatility 3 Playbook]]> https://s3cg33k.com/blog/2025-09-15-volatility3-playbook https://s3cg33k.com/blog/2025-09-15-volatility3-playbook Mon, 15 Sep 2025 00:00:00 GMT <![CDATA[Build a DFIR Lab: Windows 11 + SIFT]]> https://s3cg33k.com/blog/2025-09-15-windows11-sift-lab https://s3cg33k.com/blog/2025-09-15-windows11-sift-lab Mon, 15 Sep 2025 00:00:00 GMT <![CDATA[From Alerts to Answers: Building Hunt Playbooks]]> https://s3cg33k.com/blog/2025-09-12-hunt-playbooks-from-alerts-to-answers https://s3cg33k.com/blog/2025-09-12-hunt-playbooks-from-alerts-to-answers Fri, 12 Sep 2025 00:00:00 GMT <![CDATA[Deobfuscating Malicious PowerShell at Scale]]> https://s3cg33k.com/blog/2025-09-10-deobfuscating-malicious-powershell https://s3cg33k.com/blog/2025-09-10-deobfuscating-malicious-powershell Wed, 10 Sep 2025 00:00:00 GMT <![CDATA[Building Intel-Driven Detections Mapped to ATT&CK]]> https://s3cg33k.com/blog/intel-driven-detections https://s3cg33k.com/blog/intel-driven-detections Fri, 22 Aug 2025 00:00:00 GMT