Qasim Qlf

Detection Engineer • Threat Hunter • Developer — Kasur, Pakistan

DETECTION • HUNTING • AUTOMATION

I'm Qasim — I build detections that find hidden attackers and tools that help SOCs scale.

Detection Engineer with 5+ years building detection logic, Sigma rules, and threat-hunting playbooks. I publish guides, open-source Sigma rules, and practical lab exercises that help blue teams detect real-world C2 frameworks and evasive techniques.



About Me

I build detection logic and automations that empower SOC analysts to find adversaries faster. My work focuses on identifying command-and-control (C2) frameworks, developing Sigma rules, and creating repeatable threat-hunting playbooks that map to the MITRE ATT&CK matrix. I believe great detection is a combination of telemetry, behaviour analysis, and constant validation.

What I do

  • Create reliable Sigma rules for enterprise SIEMs
  • Design hunting queries for ELK, Splunk and Sentinel
  • Build lab exercises to validate detections (DetectionLab)
  • Automate triage and enrich alerts using Python
  • Deliver training sessions and mentoring for junior hunters

Why it matters

Adversaries evolve quickly. Detections that are not validated become noise. I focus on building detections that reduce analyst fatigue, prioritize high-fidelity alerts, and close coverage gaps in real enterprise environments.

Recent Wins

  • Implemented JA3/JA3S based TLS fingerprint detection for custom C2 payloads
  • Created Sigma rule library for local red-team use — reduced false positives by 45%
  • Automated triage integration with Slack for SOC playbooks

Availability

Open to: Consulting, Training, Contract Detection Work


Featured Projects

Sigma Rules Library

A curated set of Sigma rules for Windows, Linux and Network detections — including Cobalt Strike beacon indicators, suspicious PowerShell, and DNS tunneling detection logic.

Repo: github.com/qasimqlf/sigma-rules


DetectionLab Playbooks

Reusable lab playbooks and scripts to simulate attacker techniques and validate detection coverage using DetectionLab and Atomic Red Team.

Demo: github.com/qasimqlf/detectionlab-playbooks


Hunting Queries (ELK & Splunk)

Practical hunting queries ready to paste into ELK, Splunk, and Azure Sentinel. Focus areas: beaconing, JA3 anomalies, and DNS exfiltration patterns.

Repo: github.com/qasimqlf/hunting-queries


Open Source — Detections & Tools

My open-source work focuses on practical detection content for defenders. Everything is licensed permissively so teams can use, adapt, and contribute back.


Why open source detections?

Sharing detection content helps teams reduce duplicated effort and accelerates collective defense. I welcome issues, PRs, and suggestions — detection engineering improves when we collaborate.

How to contribute

  1. Fork the repo
  2. Add or update a Sigma rule in the appropriate folder
  3. File a PR with tests and a description of the change


Latest Blog Posts


Understanding C2 Frameworks: How Detection Teams Find & Stop Command-and-Control

A practical guide covering beaconing detection, JA3 fingerprinting, DNS tunneling, Sigma rules and MITRE ATT&CK mapping.


Getting Started with Sigma Rules

Why Sigma rules matter and how to write rules that reduce false positives.


Mapping Detections to MITRE ATT&CK

A step-by-step approach to ensure your detections cover essential attacker techniques.


What people say

“Qasim's Sigma rules helped our SOC cut false positives and find a persistent C2 channel during a purple team exercise.”

— Senior SOC Lead, Financial Services

“Practical, clear, and accurate. The detection lab playbooks were exactly what our team needed to validate coverage.”

— Blue Team Manager, Telecom

“Excellent training. Qasim explained complex topics in an easy-to-follow way and provided hands-on guides.”

— Course Participant

Quick Resources & Snippets

Sigma Example — Cobalt Strike Beacon

title: Suspicious Cobalt Strike Beaconing
id: 0001-cobalt-beacon   # the Sigma spec expects a UUIDv4 here; placeholder identifier kept from the page
status: experimental
description: Detects potential Cobalt Strike beaconing using periodic external connections and JA3 fingerprints
# Note: JA3 matching needs a TLS log source (e.g. Zeek ssl.log); this rule only counts outbound connections
logsource:
  product: windows
  category: network_connection   # Sysmon EventID 3, the generic "product: network" is not a valid Sigma logsource
detection:
  selection:
    Initiated: 'true'            # outbound connections only
  # legacy Sigma aggregation syntax; Sigma v2 converters expect this as a separate correlation rule
  condition: selection | count() by SourceIp > 50
falsepositives:
  - Lab traffic
  - Known monitoring services
level: high
tags:
  - attack.command_and_control
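The rule above only counts connections per source, which also fires on a busy workstation. As an added example (not code from the page or its repositories), this Python triage script runs the same count threshold over constructed Sysmon-style events and then narrows the hits with an inter-arrival regularity check, which is what distinguishes a beacon from ordinary browsing; the event dicts, field names and thresholds are assumptions.

```python
"""Beaconing triage over constructed Sysmon-style network-connection events."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample telemetry (not real captures):
#  - 10.0.0.5 talks to one destination 60 times, ~60 s apart with small jitter (beacon-like)
#  - 10.0.0.7 talks to 40 destinations 55 times at irregular moments (browsing-like)
EVENTS = (
    [{"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 443,
      "ts": BASE + timedelta(seconds=60 * i + (i % 3))} for i in range(60)]
    + [{"src_ip": "10.0.0.7", "dst_ip": f"198.51.100.{i % 40}", "dst_port": 443,
        "ts": BASE + timedelta(seconds=(i * i * 7) % 3600)} for i in range(55)]
)


def count_by_source(events, threshold=50):
    """Equivalent of the Sigma 'count() by SourceIp > threshold' aggregation."""
    counts = defaultdict(int)
    for e in events:
        counts[e["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def beacon_score(events, src_ip, dst_ip, min_events=5):
    """Coefficient of variation of inter-arrival times for one (src, dst) pair.
    Low CV means evenly spaced connections; returns None when too few events."""
    times = sorted(e["ts"] for e in events
                   if e["src_ip"] == src_ip and e["dst_ip"] == dst_ip)
    if len(times) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def triage(events, threshold=50, max_cv=0.2):
    """Keep only noisy sources whose traffic to some destination is also regular."""
    hits = {}
    for src in count_by_source(events, threshold):
        for dst in {e["dst_ip"] for e in events if e["src_ip"] == src}:
            cv = beacon_score(events, src, dst)
            if cv is not None and cv <= max_cv:
                hits[(src, dst)] = round(cv, 3)
    return hits


if __name__ == "__main__":
    print("count-only hits:", count_by_source(EVENTS))
    print("count + regularity hits:", triage(EVENTS))
```

Both sources cross the count threshold, but only the 10.0.0.5 pair survives the regularity filter, so the periodicity check is what the Sigma rule's "periodic" wording actually needs.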

Work With Me — Contact

I take on consulting, detection development, SOC automation and training. Use the form to share a short message and I'll respond within 48 hours.

Or email me at hello@qasimqlf.com

FAQ

How can I use your Sigma rules?
Clone the repo, read the README for rule categorization, and import them into your SIEM. Each rule contains detection logic and false-positive notes.
Do you provide tailored detection work?
Yes — I accept contract work to build custom detections aligned with your telemetry and environment.
Can you run a training session for my team?
Yes — workshops cover Sigma, hunting queries, detection validation, and lab exercises using DetectionLab.