Michael Haag

Hunt harder, hunt smarter.

I build cybersecurity tools and automation for defenders. Open source modules for threat hunting, detection engineering, and security operations.

Defense Console
ACTIVE MODULES 21
LATEST SHIP 2024-12-31
FOCUS DEFENSE TOOLING
SIGNAL STRONG
STATUS ONLINE

Featured Modules

Production-ready tools for security operations

Active Featured Module

ClickGrab

Finding ClickFix and FakeCAPTCHA like it's 1999. Detection and hunting tools for clipboard hijacking attacks.

clickfix fakecaptcha detection hunting phishing
Quickstart
Visit https://mhaggis.github.io/ClickGrab/ or git clone https://github.com/MHaggis/ClickGrab.git

NEBULA

Interactive PowerShell framework for testing WMI, COM, LOLBAS, and persistence techniques. Built for red team testing and defense validation.

powershell red-team wmi lolbas persistence testing
Quickstart
git clone https://github.com/MHaggis/NEBULA.git && cd NEBULA && Import-Module .\NEBULA.psm1 && Invoke-NEBULA

Atomics on a Friday

Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.

youtube atomic-red-team detection education community
Quickstart
Subscribe at youtube.com/@atomicsonafriday

LOLDrivers

Living Off The Land Drivers - A curated list of Windows drivers used by adversaries to bypass security controls. The definitive resource for vulnerable driver detection.

drivers byovd detection windows defense lolbins
Quickstart
curl -s https://www.loldrivers.io/api/drivers.json | jq

PowerShell-Hunter

PowerShell tools to help defenders hunt smarter, hunt harder. A collection of scripts, queries, and techniques for threat hunting using PowerShell.

powershell hunting defense triage forensics detection
Quickstart
git clone https://github.com/MHaggis/PowerShell-Hunter.git && cd PowerShell-Hunter && Import-Module .\PSHunter.psm1

Sysmon-DFIR

Sources, configuration and how to detect evil things utilizing Microsoft Sysmon. A comprehensive collection of Sysmon configurations, documentation, and detection resources.

sysmon detection dfir windows logging monitoring
Quickstart
git clone https://github.com/MHaggis/sysmon-dfir.git && sysmon64.exe -accepteula -i sysmon-dfir\sysmonconfig.xml

Capabilities

What I build and ship

Detection & Triage

Tools for threat hunting, detection engineering, and rapid incident triage.

Automation & Hardening

Scripts and utilities to automate security tasks and harden environments.

Research & Prototypes

Experimental tools and proof-of-concepts for emerging threats.

Latest Field Notes

Insights from the frontlines of defense

The Lost Payload: MSIX Resurrection

How adversaries weaponize MSIX packages for initial access, and how to detect it. Plus introducing MSIXBuilder for safe testing of detection coverage.

msix malware detection