>_PJ

Research

Research areas

Work organized by category rather than by where it was published — each area pulls from publications, talks, open-source contributions, and blog posts alike.

Threat Hunting

Proactive investigation into attacker behavior across endpoints, identity, and cloud telemetry — hunting for what signature-based tools miss.

ProfileMicrosoft Security Blog

Microsoft Security Blog — Author Profile

My author profile and full archive of security research articles on the official Microsoft Security Blog.

Threat HuntingDetection Engineering
PublicationMicrosoft Security Blog· 2026

Photo ZIP Campaign Targeting the Hospitality Industry Delivers a Node.js Implant for Persistent Access

Analysis of an active multi-stage intrusion campaign targeting the hospitality industry across Europe and Asia — photo-themed ZIP lures, obfuscated PowerShell, a Node.js implant, dual registry persistence, and C2 over non-standard ports, including "authentication laundering" through trusted services.

Threat HuntingThreat Intelligence
PublicationMicrosoft Community Hub

When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply Chain Compromise

A technical breakdown of a supply chain compromise affecting the EmEditor update mechanism, covering the attack path, detection opportunities, and defensive recommendations.

Supply Chain SecurityThreat HuntingDetection Engineering
TalkCyberLab Con· 2026

CyberLab Con 2026

Conference session — see the event schedule for the confirmed talk title, abstract, and time slot.

Threat HuntingDetection Engineering
Open SourceGitHub

LOLAI Project — Pull Request #5

Contribution to the LOLAI project, an open-source effort cataloguing living-off-the-land techniques relevant to AI systems and tooling.

AI SecurityThreat Hunting
Open SourceGitHub

LOLAI Project — Pull Request #6

Follow-up contribution to the LOLAI project, extending the project's catalogue of AI-relevant living-off-the-land entries.

AI SecurityThreat Hunting
Open SourceGitHub

Detection-Rules

A personal, curated collection of detection rules for threat hunting and detection engineering, written for common detection surfaces and query languages.

Detection EngineeringThreat Hunting
Open SourceGitHub

LOLBAS (Fork)

Fork of the Living Off The Land Binaries and Scripts (LOLBAS) project, used to track and contribute to community research on abusable native binaries.

Threat HuntingDetection Engineering
BlogMedium· 2023-09-20

Leveraging Honeypots for Enhanced Cybersecurity: A Quick Overview

How deception technology and honeypots can surface attacker activity early, generate high-signal detections, and enrich threat intelligence.

Threat HuntingThreat Intelligence
BlogMedium· 2023-08-12

How to Use Cloud Audit Logging for Threat Hunting in GCP

A practical walkthrough of using Google Cloud audit logs to hunt for suspicious activity and build cloud-native detections in GCP environments.

Cloud SecurityThreat Hunting
BlogMedium· 2023-08-07

DGA Domain Detection with Shannon Entropy Analysis

Using Shannon entropy to flag algorithmically generated (DGA) domains and turn the technique into a repeatable detection for C2 infrastructure.

Detection EngineeringThreat Hunting
BlogMedium· 2023-06-23

The Power of Correlation: Strengthening Security with DLP and Threat Hunting in Splunk

Correlating DLP signals with threat-hunting queries in Splunk to catch data exfiltration that either source would miss on its own.

Threat HuntingDetection EngineeringThreat Intelligence
BlogMedium· 2023-06-11

Unleashing the Power of Threat Hunting and Threat Intelligence

A foundational guide to threat hunting and threat intelligence — how they reinforce each other and a path for getting started in the field.

Threat HuntingThreat Intelligence
Open SourceGitHub · SigmaHQ· 2026-04-27

Sigma Rule: Potential Vcruntime140 DLL Sideloading

Reported a detection gap to the SigmaHQ project (issue #5825) that led to a merged Sigma rule detecting vcruntime140.dll side-loading — shipped in the Sigma April 2026 release.

Detection EngineeringThreat Hunting
PublicationMicrosoft Community Hub

Microsoft Defender Experts Disrupt Jasper Sleet's Insider Access Campaign

Co-authored Microsoft Security Experts analysis of how Defender Experts detected and disrupted Jasper Sleet — a North Korea-nexus actor operating as a remote IT worker inside a live enterprise tenant — through proactive behavioral threat hunting.

Threat HuntingThreat Intelligence
PublicationBlack Hills Information Security

The Future of Threat Hunting: The Hunter is Dead, Long Live the Engineer

Published author in the Black Hills Information Security (BHIS) InfoSec Survival Guide (Teal Book) on threat hunting — distributed in hard copy at the Antisyphon Threat Hunting Summit.

Threat HuntingDetection Engineering
TalkSECCON 14 · Tokyo· 2026

Shadow Payroll, Digital Ghosts: Detecting Remote Doppelgangers in Enterprise Tenants

International conference talk on insider-threat research into DPRK (Jasper Sleet) remote IT workers — using behavioral threat hunting to detect fraudulent remote employees embedded inside enterprise tenants.

Threat HuntingThreat Intelligence
PublicationMicrosoft Defender Experts· 2025

Active Exploitation Hunt — CVE-2025-30406

Microsoft Defender Experts (DEX) threat hunt into in-the-wild exploitation of CVE-2025-30406 (CVSS 9.8), an unauthenticated RCE in Gladinet CentreStack and Triofox driven by a hardcoded cryptographic key. Tracked hands-on-keyboard intrusion, backdoor persistence, and post-exploitation activity following the vendor patch (Apr 3, 2025) and CISA KEV listing (Apr 8, 2025) — turning findings into deployable detections. Internal customer hunt report; not publicly published.

Threat HuntingThreat Intelligence

Detection Engineering

Turning one-off findings into durable, high-fidelity detections — KQL, Sigma, and YARA logic built to survive contact with production noise.

AI Security

How adversaries abuse AI systems and tooling, and how living-off-the-land thinking extends into AI-adjacent attack surfaces.

Cloud Security

Detection and defense across Azure and AWS — identity abuse, misconfiguration, and cloud-native attack paths.

Want everything in one list instead? See Public Work →