Threat hunts
Investigations and labs from GitHub: standalone repos and projects under Threat Hunting Projects. Each entry opens either a dedicated page on this site or the full write-up rendered from the repository README.
Threat Hunt: Unauthorized TOR Usage
KQL-driven investigation across DeviceFileEvents, DeviceProcessEvents, and DeviceNetworkEvents to detect TOR installation and C2-style network activity.
Microsoft Sentinel Workbooks
KQL workbooks for logon failures, malicious traffic, and map-based views with threat intelligence enrichment.
Azuki Import/Export Compromise
Incident report: RDP initial access, discovery, Defender tampering, persistence, Mimikatz, C2, Discord exfiltration, and MITRE mapping with KQL appendices.
CorpHealth: Traceback
Full traceback investigation from the Portfolio threat-hunting collection (see GitHub for the complete write-up).
Virus Detection & Device Isolation (MDE)
Lab: antivirus detections via KQL, device isolation, investigation package, network verification, and release — with evidence screenshots.