https://broomstick.tymyrddin.dev/tags/dfir/Recent content in DFIR on The Broomstick BriefHugo -- 0.147.3enSun, 05 Apr 2026 00:00:00 +0000https://broomstick.tymyrddin.dev/posts/ghost-detection/Sun, 05 Apr 2026 00:00:00 +0000https://broomstick.tymyrddin.dev/posts/ghost-detection/A detection rule is a bet. It says that if an attacker does something in a given environment, the rule will fire. That bet rests on an understanding of attacker behaviour at the time the rule was written. That understanding was incomplete then and has been drifting ever since.