    Evasion detection and hunting

    Runbooks for detecting evasion in practice: LOLbin abuse, fileless execution, bring-your-own-vulnerable-driver attacks, C2 channel identification, and threat hunting workflows for low-and-slow activity that bypasses alert-based detection.

    Detection and investigation runbooks:

    • Detecting LoLbin abuse
    • Detecting fileless and in-memory execution
    • Detecting BYOVD attacks
    • C2 framework activity hunt
    • Threat hunting for evasion techniques
    2026-05-27 11:27
    © Copyright 2026, TyMyrddin.
    Created using Sphinx 7.2.6 and Sphinx-Immaterial