Here we go again… F5 disclosed a serious intrusion by a sophisticated nation-state threat actor who gained long-term access and stole files from their development and knowledge systems. Likely potential source code and undisclosed ready to exploit. 1/

𝗣𝗮𝗱𝘃𝗶𝘀𝗵 𝗘𝗗𝗥 𝗯𝗲𝗰𝗼𝗺𝗲𝘀 𝘁𝗵𝗲 21𝘀𝘁 𝗮𝗱𝗱𝗶𝘁𝗶𝗼𝗻 𝘁𝗼 𝘁𝗵𝗲 𝗘𝗗𝗥 𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 🔥 Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters. 𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆 like this helps move the whole industry forward. Results: www.edr-telemetry.com/windows

𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗦𝘁𝗿𝗲𝗮𝗺 𝗨𝗽𝗱𝗮𝘁𝗲: Two highly requested features just went live 🚀 1. 𝗗𝗲𝗲𝗽 𝗟𝗶𝗻𝗸𝘀: share specific rules via hashtag#rule_id or full YAML 2. 𝗗𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝗥𝘂𝗹𝗲𝘀: export all rules matching your filters (gzip) 3. 𝗔𝗱𝗱𝗲𝗱 "𝘊𝘳𝘦𝘢𝘵𝘦 𝘳𝘶𝘭𝘦𝘴 𝘸𝘪𝘵𝘩 𝘈𝘐" functionality for both 𝗬𝗮𝗿𝗮 and 𝗡𝗼𝘃𝗮 frameworks ... continue👇

I built this tool for myself. Shared a preview here a few days ago… and wow. Didn’t expect such a strong response. Thanks everyone who reached out 🙏 Because of that energy, I pushed harder and: ➡️ Polished the Sigma experience, now with Nova integrated ➡️ Built two playgrounds for hands-on learning

I've built this platform for myself to quickly search and create detection rules. Considering that we(the DE community) have amazing platforms like Sigconverter (sigconverter.io ) and (detection fyi) detection.fyi, would anyone find value in having FREE access to this all-in-one platform?

The EDR Telemetry Project revealed what EDRs can see. ➛ Now, we show how they compare. Coming soon!

There is still time to register: dfirlabs.thedfirreport.com/dfirchallenge

📢 Excited to share that 𝐁𝐢𝐭𝐝𝐞𝐟𝐞𝐧𝐝𝐞𝐫 𝐄𝐃𝐑 (GravityZone Business Security Enterprise) is now part of the 𝐄𝐃𝐑 𝐓𝐞𝐥𝐞𝐦𝐞𝐭𝐫𝐲 𝐏𝐫𝐨𝐣𝐞𝐜𝐭 𝐟𝐚𝐦𝐢𝐥𝐲. Bitdefender has introduced improvements to its telemetry control, no longer requiring a data retention license to change what telemetry is being sent.... 👇

🆕 𝐄𝐃𝐑-𝐭𝐞𝐥𝐞𝐦𝐞𝐭𝐫𝐲 𝐏𝐫𝐨𝐣𝐞𝐜𝐭 𝐔𝐩𝐝𝐚𝐭𝐞 - 𝐖𝐢𝐧𝐝𝐨𝐰𝐬 The Windows table just got an update with 3 new sub-categories: ➡️ VSS Deletion ➡️ Win32 API Telemetry ➡️ JA3/JA3s Coverage isn’t uniform, and some are pending response from the vendors. That’s fine. I’d rather show the uncertainty than pretend otherwise.

Turns out this npm compromise was a bit of a nothing burger. But imagine if the threat actors had been careful and methodical. Imagine they stayed quiet and blended in... With the access they had, they could’ve done far worse. This time we got lucky. Next time, maybe not. Or maybe... 👇

𝗡𝗲𝘃𝗲𝗿 𝘁𝗵𝗼𝘂𝗴𝗵𝘁 𝘁𝗵𝗶𝘀 𝗽𝗿𝗼𝗷𝗲𝗰𝘁 𝘄𝗼𝘂𝗹𝗱 𝗿𝗲𝗮𝗰𝗵 𝘁𝗵𝗶𝘀 𝗸𝗶𝗻𝗱 𝗼𝗳 𝘀𝗰𝗮𝗹𝗲. Especially not as an independent, non-corporate platform focused purely on technical content. Started as a small side effort to compare EDR telemetry and support hunting workflows. Now it’s here.... 👇 1/x

Every pixel of this graphic is a lie. It insults the people actually fighting threats daily and rewards the companies that can’t even catch a cold. Absolute cancer for the industry… Pay up or get shoved in the ‘loser’ box. Embarrassing trash.

🚨 New lab just went live: Specter’s Domain Heist Pulled straight from a recent intrusion we worked on. 20 challenges in total. Difficulty is hard, but we’ve added hints along the way so you’re never stuck. Each question pushes you deeper through the intrusion lifecycle. Hope you’ll like it! Links👇

Creating Images for our next DFIR Labs has never been easier thanks to Google Gemini 😂 New Lab is dropping 🔜

“EDR bypassed! Victory!” …not really. You just lit yourself up. Telemetry stacks, correlations build, and now every move screams suspicious. EDR isn’t blind. You just can’t see the flags

Trump is giving a press conference every day, he seems to love talking to reporters. Where does he find the time to get anything done? 😂

Here is a cool Linux technique: www.trellix.com/blogs/resear... Execution isn’t coming from a binary or a script. It’s coming from the filename itself. 𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀: ➡️ Attacker crafts a malicious filename with embedded logic. ➡️ Normal system enumeration commands (ls, cat, find) interact

𝗘𝗗𝗥 𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗶𝘀 𝗴𝗿𝗼𝘄𝗶𝗻𝗴 𝗮𝗴𝗮𝗶𝗻 🚀 We’ve been holding back on telemetry additions as we didn’t want early adopters to get an unfair scoring boost.To solve that, instead of delaying additions, new fields will now show up as “𝙣𝙚𝙬” and won’t affect scores until at least 75% 𝗼𝗳 𝘃𝗲𝗻𝗱𝗼𝗿𝘀 𝘀𝘂𝗽𝗽𝗼𝗿𝘁 𝘁𝗵𝗲𝗺. 1/x

Week 34 - 2025 #DFIR thisweekin4n6.com/2025/08/24/w...

Imagine burning billions in AI, Copilot this and Copilot that... But somehow, indexing Group Policy settings and adding a damn search box has been out of scope since Windows 2000...pfff

𝐄𝐃𝐑 𝐯𝐢𝐬𝐢𝐛𝐢𝐥𝐢𝐭𝐲 𝐨𝐧 𝐋𝐢𝐧𝐮𝐱 𝐢𝐬 𝐰𝐞𝐚𝐤𝐞𝐫 𝐭𝐡𝐚𝐧 𝐦𝐨𝐬𝐭 𝐩𝐞𝐨𝐩𝐥𝐞 𝐭𝐡𝐢𝐧𝐤... After reading this excellent write-up on RingReaper Malware (www.picussecurity.com/resource/blo...), I double-checked against our own EDR Telemetry project and the gap in collecting eBPF telemetry is obvious, even more for...👇

what a load of nonsense! Public wifi is reasonably safe! Airports are even more because they have more CCTV than you can imagine and armed police. people get pwn3d via phishing and malware/infostealers.... #WIFI #Insanity

Another day, another loader becoming a full-on ransomware dropper 🙃 📢 First public attribution of Bumblebee ➡️ Akira ransomware ➡️ 𝐁𝐮𝐦𝐛𝐥𝐞𝐛𝐞𝐞 → 𝐀𝐝𝐚𝐩𝐭𝐗 𝐂2 → 𝐀𝐤𝐢𝐫𝐚 𝐫𝐚𝐧𝐬𝐨𝐦𝐰𝐚𝐫𝐞 - Starts with Bing malvertising ↪️ Moves through custom loader (AdaptX) ↪️ Ends in Akira Ransomware 1/2

1/2 This is a small way to fix a big issue! I compiled these best practices after repeatedly spotting the same JS flaws in client apps, all of which were AI-generated. If you're coding with AI-powered IDEs like Cursor, Windsurf, Claude Code, etc., add this into your global rules file.

𝗔𝗜 𝗵𝗲𝗹𝗽𝘀. 𝗕𝘂𝘁 𝘆𝗼𝘂 𝗵𝗮𝘃𝗲 𝘁𝗼 𝗲𝗮𝗿𝗻 𝘁𝗵𝗲 𝗿𝗶𝗴𝗵𝘁 𝘁𝗼 𝗮𝘂𝘁𝗼𝗺𝗮𝘁𝗲!! I’ve spent years doing threat intel the hard way. Pivoting through VirusTotal, Censys, Shodan, pulling open tabs until I ran out of memory. You chase one IP, it leads to a domain, that domain to a TLS Cert, and back again. 1/X

📢 We’ve been cooking this for a while! The new Pro Tier is here 🎉 Built these features with real investigations in mind. I’ve been using the Timeliner myself. Just drop in unstructured logs (even loosely formatted ones with a date) and it does the heavy lifting. Absolute time-saver. Take a look 👇

What I learnt today: When NetScan is executed with the ‘Check for write access’ option enabled, a ‘delete[.]me’ file is created then deleted on discovered shares.[1] Thanks, TheDFIRReport - this is exactly what we are seeing in a recent case. I owe you one 🍻 [1] thedfirreport.com/2025/02/24/c...

🔹𝗧𝗵𝗲 𝘀𝗽𝗲𝗲𝗱 𝗮𝘁 𝘄𝗵𝗶𝗰𝗵 𝗙𝗶𝗹𝗲𝗙𝗶𝘅 𝘄𝗲𝗻𝘁 𝗳𝗿𝗼𝗺 "𝗺𝗮𝘆𝗯𝗲 𝘃𝗶𝗮𝗯𝗹𝗲" 𝘁𝗼 𝗼𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗶𝘀 𝘄𝗶𝗹𝗱! In our latest case, we saw FileFix used to deploy an obfuscated PHP RAT variant of Interlock with 𝗛𝗮𝗻𝗱𝘀-𝗢𝗻-𝗞𝗲𝘆𝗯𝗼𝗮𝗿𝗱 activity shortly after in victim environments. 1/2

🎉 𝐀𝐧𝐨𝐭𝐡𝐞𝐫 𝐬𝐮𝐜𝐜𝐞𝐬𝐬 𝐬𝐭𝐨𝐫𝐲 𝐟𝐫𝐨𝐦 𝐭𝐡𝐞 𝐃𝐅𝐈𝐑 𝐑𝐞𝐩𝐨𝐫𝐭 𝐋𝐚𝐛𝐬 One of our users just crushed the HTB CDSA exam after using DFIR Labs as final prep. They’d already gone through Sherlocks, BTLO, and CyberDefenders, but called our lab the closest to the exam environment.... 👇

Catching up on the Elastic vs Shellter drama. Here’s the gist: 🧵

AI isn’t a mind reader! If you want it to build something useful, you need to know what you're asking for. You don't have to be a software engineer, but basic understanding of AI is very important for explaining goals and interpreting responses.

A New DFIR Lab is out: The Hive Ransomware Fail 🐝 A domain is under siege, can you trace the threat actor's steps? Sharpen your triage and lateral movement skills in this hands-on investigation. ➡️Difficulty: Easy 1/2

𝗔𝗜 𝘀𝗹𝗼𝗽, 𝗺𝗲𝗲𝘁 𝘁𝗵𝗲 𝘄𝗼𝗿𝗹𝗱 - 𝗪𝗼𝗿𝗹𝗱, 𝗺𝗲𝗲𝘁 𝘁𝗵𝗲 𝗔𝗜 𝘀𝗹𝗼𝗽! Auto-generated doesn’t have to mean auto-garbage folks, PLEASE don't use rules like this PLEASE 🫠

🫠

Street legal. Leash optional. Both looking handsome AF 😅

I felt that 😂😂

DFIR Labs Subscriptions are live 🎉 At $𝟏𝟒.𝟗𝟗/𝐦𝐨𝐧𝐭𝐡, we’re offering something we’re truly proud of, not just great training, but a model that’s sustainable and community-focused. /1

I frequently talk with folks who feel overwhelmed during IR, regardless of how prepared they think they are. The reality is: 🗣️"𝘚𝘪𝘮 𝘭𝘢𝘣𝘴 𝘥𝘰𝘯’𝘵 𝘱𝘳𝘦𝘱 𝘺𝘰𝘶 𝘧𝘰𝘳 𝘵𝘩𝘦 𝘯𝘰𝘪𝘴𝘦 𝘰𝘧 𝘳𝘦𝘢𝘭-𝘸𝘰𝘳𝘭𝘥 𝘪𝘯𝘤𝘪𝘥𝘦𝘯𝘵𝘴" You’re not alone if you're feeling overwhelmed.... 1/2

WMI can be abused for stealthy persistence. 🔍 Check registry: HKLM\SOFTWARE\Microsoft\Wbem\CIMOM Investigate: __EventFilter __EventConsumer __FilterToConsumerBinding #DFIR #LearningDFIR #ThreatHunting

🎙️ New episode just dropped! Had the pleasure of hosting another "DFIR Discussions" episode and chatting with these amazing folks! Honestly, one of the best convos we’ve had, not just on the report, but on a ton of things we don’t always get to say out loud.

/1 Someone in our Discord server asked a question that we get a lot 👇 “𝙃𝙤𝙬 𝙙𝙤 𝙮𝙤𝙪 𝙖𝙘𝙩𝙪𝙖𝙡𝙡𝙮 𝙥𝙧𝙖𝙘𝙩𝙞𝙘𝙚 𝙛𝙤𝙧 𝙨𝙤𝙢𝙚𝙩𝙝𝙞𝙣𝙜 𝙡𝙞𝙠𝙚 𝙩𝙝𝙞𝙨?” They’d just wrapped their first CTF, landed towards the bottom of the scoreboard, not where they wanted to be. But that curiosity? That’s exactly where growth starts.

/1 🔧 𝐁𝐞𝐡𝐢𝐧𝐝 𝐭𝐡𝐞 𝐓𝐞𝐥𝐞𝐦𝐞𝐭𝐫𝐲: 𝐖𝐡𝐲 𝐓𝐡𝐞𝐬𝐞 𝐂𝐚𝐭𝐞𝐠𝐨𝐫𝐢𝐞𝐬? Over the past year, I’ve received a lot of questions about how we decide which telemetry categories and subcategories are included in the EDR Telemetry Project.

This is why we’re here for, it’s finally happening 😂 We’ve been waiting this since January. The girls are fighting!!!

1/ 🎙️ Had an awesome convo with Amy Tom on the Let’s SOC About It podcast! We dove into telemetry (of course), talked through some of the messy realities folks deal with in the field, and how better visibility can really change the game for defenders.

/1 🚨 𝐂𝐓𝐅 𝐤𝐢𝐜𝐤𝐬 𝐨𝐟𝐟 𝐢𝐧 𝐥𝐞𝐬𝐬 𝐭𝐡𝐚𝐧 48𝐡 - 𝐚𝐧𝐝 𝐭𝐡𝐢𝐬 𝐨𝐧𝐞’𝐬 𝐛𝐢𝐠. One of the most involved cases we’ve ever made available to the public. You’ll be diving into an intrusion that hit 18 hosts, including: ➡️ Domain Controllers ➡️ Backup Servers ➡️ Hypervisors ➡️ RDP Servers (Guess the initial access gonna be? 😏)

A small tip for anyone that doesn't know about dogs: If you often go for a jog in the neighbourhood and you see a dog, don't run and lock eyes with the dog while approaching. Keep running while ignoring the dog. If you……

/1 I don’t know how many folks will show up Sunday, but we’re gonna have a blast. We’ll kick things off with a short presentation covering the basics of intrusion analysis and the investigative mindset. Then it’s straight into DFIR Labs where you’ll walk through a real intrusion step by step.

1/ 🚨 New report alert, Another Confluence Bites the Dust This is 𝗼𝗻𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗹𝗮𝗿𝗴𝗲𝘀𝘁 𝗮𝗻𝗱 𝗺𝗼𝘀𝘁 𝗱𝗲𝘁𝗮𝗶𝗹𝗲𝗱 𝗿𝗲𝗽𝗼𝗿𝘁𝘀 𝘄𝗲’𝘃𝗲 𝗽𝘂𝗯𝗹𝗶𝘀𝗵𝗲𝗱 𝘁𝗵𝗶𝘀 𝘆𝗲𝗮𝗿, and it's packed with practical insights and tradecraft you can actually hunt for.

That’s a great post. I’m also a big supporter of the below sentiments that many folks in security are struggling to grasp: “𝘠𝘰𝘶 𝘦𝘹𝘪𝘴𝘵 𝘵𝘰 𝘦𝘯𝘢𝘣𝘭𝘦 𝘣𝘶𝘴𝘪𝘯𝘦𝘴𝘴” & “𝘚𝘺𝘴𝘵𝘦𝘮𝘴 𝘮𝘶𝘴𝘵 𝘸𝘢𝘭𝘬 𝘢 𝘭𝘪𝘯𝘦 𝘣𝘦𝘵𝘸𝘦𝘦𝘯 𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘢𝘯𝘥 𝘶𝘴𝘢𝘣𝘪𝘭𝘪𝘵𝘺”