Alejandro Chirivella (@alejandrochiri_)'s Twitter Profile
Alejandro Chirivella

@alejandrochiri_

DFIR Analyst | Cybersecurity Enthusiast 🔍💻 | Digital Forensics & Incident Response – finding answers in the chaos.
#DFIR #CyberSecurity #Infosec

ID: 1849132820817412096

23-10-2024 16:56:47

29 Tweets

19 Followers

275 Following

Florian Roth ⚡️ (@cyb3rops)

“We’ve been breached, and we have no idea how the attackers got in. We use an Ivanti VPN gateway, a Fortinet firewall, an IronPort mail gateway, and Citrix Netscaler ADCs for secure remote access. How could this possibly happen?”

Florian Roth ⚡️ (@cyb3rops)

I think the strong tendency toward imposter syndrome in cyber security stems from how many of us learned: through trial and error, self-study, and curiosity. Unlike structured learning from professors, we often taught ourselves with books, tools and weekends of experimentation.

Nithin Chenthur Prabhu (@azr43lkn1ght)

Introducing DFIR Labs: A 24-challenge series by internationally acclaimed CTF authors, tailored for professionals, researchers and students. Master DFIR, Malware Analysis and Threat Hunting through challenges designed to push your expertise to new heights github.com/Azr43lKn1ght/D…

Florian Roth ⚡️ (@cyb3rops)

Google Ads 🙄 apparently allows ads to display fake URLs that mimic legitimate sites while actually redirecting to malicious ones

John Hammond (@_johnhammond)

The recent fake Google Ads Homebrew malware shenanigans in video form -- we track down the payload from Wayback Machine (and/or VirusTotal), crack it open with Binary Ninja and uncover the AppleScript syntax to see the full AmosStealer payload 🙂 youtu.be/Nlnuk8W2A0Y

ESET Research (@esetresearch)

#ESETresearch discovered and named 🇨🇳 China-aligned #APT group #PlushDaemon. It carried out a supply-chain compromise of a 🇰🇷South Korean #VPN provider, trojanizing its legitimate software installer with a Windows backdoor we named #SlowStepper. facundo Mz welivesecurity.com/en/eset-resear… 1/6

Jack Rhysider 🏴‍☠️ (@jackrhysider)

Saw a guy hunting for threat actors in the network today. No SIEM. No IDS. No EDR. He just sat there. Watching traffic in wireshark. Like a psychopath.

MyDFIR (@mydfir)

netstat -anob is one of the commands I use to quickly identify odd connections the moment someone mentions that their Windows PC is acting strange. Try it out yourself and see if there are any SYN_SENT or ESTABLISHED connections towards external IPs & odd ports. 👀👀

Antonio Sanz (@antoniosanzalc)

Yesterday they made my month: two of my colleagues on the #DFIR team at S2GRUPO (Buenaventura Salcedo and Alejandro Chirivella) !!! had their talk accepted at #RootedCON2025 !!! -> Wiiiiiiiiiiiiiiiiiiiiiiiiiiii 🥳🥳🥳🥳🥳🥳🥳 (1/2)

Ali Hadi | B!n@ry (@binaryz0ne)

Hey #DFIR community. Last month, we decided to open our Cyber 5W C5W-100 Intro to Digital Forensics course & make it FREE; yes completely FREE! Since then more than 1K of new learners joined & we hope more will too. Please share with anyone who wants to learn. #Cybersecurity

Florian Roth ⚡️ (@cyb3rops)

(Scene: A shadowy room somewhere in North Korea. Reflective propaganda music playing in the background.) Operative 1: Comrade, how do we get the imperialist dogs to execute our code on their systems? (pauses, thinking deeply) Operative 2: What if… we simply give them a

/RootedCON (@rootedcon)

The wait is over! 🎉 We present the official agenda for #RootedCON2025, our 15th anniversary, packed with unmissable content for everyone passionate about cybersecurity. From March 6 to 8, at Kinépolis Madrid Ciudad de la Imagen, you can look forward to three intense days of

/RootedCON (@rootedcon)

🟠 ROOTEDCON Track: "Adquisiciones DFIR complejas: el diablo está en los detalles" (Complex DFIR acquisitions: the devil is in the details) with Buenaventura Salcedo Santos-Olmo & Alejandro Chirivella Ciruelos from 14:00 to 15:00 in Room 17. #RootedCON2025

/RootedCON (@rootedcon)

On the recent events in Spain: At RootedCON, as the leading cybersecurity community in Spain, we believe it is essential to be prudent and responsible at times like this. We want to remind everyone that in the face of any technological incident: 🔹 Calm is the first

Antonio Sanz (@antoniosanzalc)

There are still a few spots left in the #DFIR training I'm giving at #rootedconVLC. If you have enough RAM to load a .tar.gz of incident response knowledge ... come along!

Justin Elze (@hackinglz)

Dwell time like this is definitely more interesting than talking about time to ransom. "In many cases, the average dwell time of 393 days exceeded log" re BRICKSTORM

spencer (@techspence)

More sysadmins need to know this… User logon restrictions are free. Create a GPO and call it “DC Logon Restrictions - Domain Admins Only” Configure User Rights Assignment for DA accounts to log on locally on domain controllers and deny log on locally on end-user workstations.

Stephan Berger (@malmoeb)

I was reading an older report from CrowdStrike the other day: "CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords." [1] Which reminded me of
