Manish Rawat

SOC Analyst | Detection Engineer | Threat Hunter

India

himalayas

Summary

Hands-on detection engineer and threat hunter who builds and tunes detection logic from a lab-first perspective, focusing on practical SIEM/Splunk queries, Sigma rules, and reducing false positives through context. osintteam+1

Operates and documents open-source SOC labs and automation pipelines (ELK, Suricata, Wazuh, N8N, Velociraptor), validating detections with real lab tests and sharing reproducible setups. youtube+1

Publishes clear, instructional technical writing aimed at practitioners and learners—covering incident analysis, tooling pitfalls, and detection engineering—positioning himself as a community-oriented, self-taught practitioner. medium+1

Focuses on analyzing detection blind spots (e.g., DLL hijacking, WMI persistence) and improving observable coverage by correlating telemetry and surfacing gaps in common logging assumptions. contra+1

Work

Projects

Writing

PowerShell Encoded Commands: Building Detection Rules That Actually Work (Part 2)

February 1, 2026

Lab-driven analysis of Splunk queries to detect encoded PowerShell variants (including -eNcO), explanation of indexing/tokenization pitfalls, regex-based detections, and practical query examples.

osintteam.blog

WMI Event Consumer Persistence: How APT29 Achieves Fileless Persistence (Part 1)

February 1, 2026

Explains WMI persistence components (Event Filter, Event Consumer, Binding), why adversaries use WMI for stealthy persistence, and questions about detection/attribution in logs.

osintteam.blog

How I Built a Sigma Detection Rule to Catch APT29’s Encoded PowerShell Attacks

July 1, 2025

Deep dive into threat-hunting methodology and a layered Sigma detection rule targeting encoded PowerShell (T1059.001), including parameter detection, process ancestry, network correlation, and deployment/tuning guidance.

systemweakness.com

Logs, Sweat, and Suricata: My Journey to a Real-Time Threat Hunting Powerhouse

May 1, 2025

Practical walkthrough of integrating Suricata IDS with the ELK Stack, setup steps, common errors and fixes, and lessons on tuning and building a real-time network detection pipeline.

systemweakness.com

How I Analyzed My First Security Incident in a SOC

March 1, 2025

A first-hand incident analysis describing triage of suspicious login attempts using SIEM, correlation, threat intelligence, escalation, and remediation steps with practical lessons for beginners.

systemweakness.com

Manish Rawat

Summary

Work

Projects

Writing

PowerShell Encoded Commands: Building Detection Rules That Actually Work (Part 2)

WMI Event Consumer Persistence: How APT29 Achieves Fileless Persistence (Part 1)

How I Built a Sigma Detection Rule to Catch APT29’s Encoded PowerShell Attacks

Logs, Sweat, and Suricata: My Journey to a Real-Time Threat Hunting Powerhouse

How I Analyzed My First Security Incident in a SOC

Hobbies

Writes and publishes technical posts about cybersecurity, detection engineering, and SOC labs. medium+1

Manish Rawat

Summary

Work

Security Analyst & Detection EngineerSelf-directed / Self-Employed2024–Present

Security Analyst & Detection EngineerIndependent SOC Research Lab2024–Present

ResearcherFreelancer2023–2024

Projects

Sigma Detection Rule Development for Encoded PowerShell2025–Present

SOC Automation Lab (Wazuh → N8N → VirusTotal → Velociraptor)2026–Present

Writing

PowerShell Encoded Commands: Building Detection Rules That Actually Work (Part 2)

WMI Event Consumer Persistence: How APT29 Achieves Fileless Persistence (Part 1)

How I Built a Sigma Detection Rule to Catch APT29’s Encoded PowerShell Attacks

Logs, Sweat, and Suricata: My Journey to a Real-Time Threat Hunting Powerhouse

How I Analyzed My First Security Incident in a SOC

Hobbies

Writes and publishes technical posts about cybersecurity, detection engineering, and SOC labs. medium+1