## ShroudCloud
Threat intelligence, detection engineering, and intrusion analysis — written from the operator's perspective.
This site exists because most vendor blogs sanitize the interesting parts. The commands get paraphrased, the detections get deferred to a separate whitepaper, and the reader walks away with a MITRE heatmap and nothing actionable.
Here, every intrusion write-up walks through what the attacker actually typed. Every detection opportunity explains what to look for and why. Every threat profile includes the command lines, not just the technique names.
---
### What's here
**Detections** — Open-source Sigma rules mapped to the threats profiled on this site. Built from real intrusion data, not vendor marketing.
**Detection Engineering** — Intrusion write-ups with inline detection logic. Real telemetry, real operator commands, real detection gaps called out.
**Threat Profiles** — Behavioral profiles of active RaaS operations, malware loaders, and affiliate toolkits. Infection chains walked step-by-step with detection opportunities at each phase.
**Philosophy** — The detection principles that guide everything else. Behaviors over IOCs. Less is more. If a rule's upkeep outweighs its value, kill it.
---
### Perspective
This is written by someone who runs a detection stack, investigates intrusions, and builds rules from what the telemetry actually shows — not from what the advisory says should be there.
If you want to know what Akira affiliates type after they land, how Impacket WmiExec leaves fingerprints in your logs, or why your Rclone detection should key on PE metadata instead of the filename — you're in the right place.