
Memory Analysis for #Linux has always been a bit hit-or-miss. Trail of Bits has released a tool called #mquire that doesn't require debug symbols for the originating Kernel.

It also uses SQL-based queries to perform analysis, similar to #OSquery.

https://blog.trailofbits.com/2026/02/25/mquire-linux-memory-forensics-without-external-dependencies/

#MemoryForensics #IncidentResponse #DFIR #DigitalForensics

Microsoft is moving to disable NTLM by default, with some exceptions.

If implemented, this will have a significant impact on threat actors abusing credentials within a network.

The move to IAKerb and local KDC for local and cached authentication will be....interesting.

Falling back to NTLM for authentication using IP addresses instead of FQDNs, I suspect, will keep NTLM in most environments, but overall this is a hopeful step in the right direction.

#SecOps #IncidentResponse #ThreatDetection #SOC

🔗 https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526

Got some time at the end of the year? We’ve just published the SANS Institute Detection and Response Survey results.

This year I’ve pulled together a comparison from last year's data and tried to break down some of the results by organisation size.

Free Download (requires login only)
🔗 https://go.sans.org/detection-response-whitepaper

#DnR #ThreatDetection #IncidentResponse #CSIRT #SOC #CERT #Cybersecurity

I'm not sure how accurate this is, but The Verge is reporting that #SysMon will be integrated into Windows 11 early next year.

This will be a massive win for #DFIR and #SecOps people everywhere if it's correct.

https://www.theverge.com/news/821948/microsoft-windows-11-ai-agents-taskbar-integration

Wow, Microsoft is removing #WMIC from Windows!
But they aren't removing the underlying WMI framework, so threat actors will have to use PowerShell to access WMI.

I'm not sure this will have a significant impact on what Threat Actors do with WMI, however, it'll at least force a Threat Actor to use PowerShell where there is better built-in visibility (if it's enabled), compared to WMIC.

🔗 https://techcommunity.microsoft.com/blog/windows-itpro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/4039242

#IncidentResponse #ThreatDetection #ThreatIntel #CSIRT #CERT

That's a bit nasty - a threat actor uses #Velociraptor (open source IR tool) as their primary C2 implant on the victim's system.

You think they might also let the victim use it for responding to the compromise as well? 😂
https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/

#DFIR #IncidentResponse #ThreatDetection #ThreatIntel

🕵🏼‍♂️ Calling all Detection & Response People! 🚨

Don't forget to contribute to the SANS Institute Detection & Response Survey! 

🔗 https://survey.sans.org/jfe/form/SV_afaP0wOMXHGLhDE

🗓️ It closes at the end of this week!

It would be great to get as much feedback from the community as possible. I'll be publishing the report towards the end of this year so everyone can benefit from the findings.

#ThreatDetection #IncidentResponse #CSIRT #CERT #SOC #CyberSecurity #SANSSurvey

"I SPy" Entra ID Global Admin Escalation Technique

Datadog's Security Labs identified an abuse of Office 365 Exchange Online service principal (SP) allowing escalation to Global Admin. MSRC considers it "expected misconfiguration" so don't expect a fix.

🚨 Alert on new credentials added to SPs.
🔥 Monitor changes to federated domains (federationConfiguration).
🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.

🔗 https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/

#DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection
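The three detection recommendations in the post, as an added example that is not from the original post or from Datadog's write-up: a small Python pass over constructed Entra ID audit records and Graph API request log lines. The field names (`activity`, `targetType`, `modifiedProperties`, `actor`, `path`), the sample records and the `BASELINE_ADMIN_ACTORS` set are assumptions loosely modelled on audit log exports, not an exact Microsoft schema; in production you would map them to the fields your SIEM actually ingests.

```python
import json

# Graph API path fragments the post names as worth hunting for.
SENSITIVE_PATH_MARKERS = ("/domains", "/credentials", "/federationConfiguration")

# Constructed sample audit records (simplified field names, an assumption).
AUDIT_LOG = [
    {"activity": "Add service principal credentials",
     "targetType": "ServicePrincipal", "target": "Office 365 Exchange Online",
     "actor": "alice@example.test", "modifiedProperties": []},
    {"activity": "Update user",
     "targetType": "User", "target": "bob@example.test",
     "actor": "alice@example.test", "modifiedProperties": []},
    {"activity": "Set domain authentication",
     "targetType": "Domain", "target": "example.test",
     "actor": "svc-migration@example.test",
     "modifiedProperties": [{"name": "federationConfiguration"}]},
]

# Constructed Graph API request log, one JSON object per line (assumed format).
GRAPH_LOG = """\
{"actor":"svc-reporting@example.test","method":"GET","path":"/v1.0/users"}
{"actor":"svc-reporting@example.test","method":"GET","path":"/v1.0/groups"}
{"actor":"svc-reporting@example.test","method":"PATCH","path":"/v1.0/domains/example.test/federationConfiguration"}
{"actor":"idadmin@example.test","method":"GET","path":"/v1.0/domains/example.test"}
{"actor":"alice@example.test","method":"GET","path":"/v1.0/domains"}
"""

# Constructed baseline: identities whose normal job involves domain and
# service principal administration (stands in for historical data).
BASELINE_ADMIN_ACTORS = {"idadmin@example.test"}


def sp_credential_additions(records):
    """Recommendation 1: credentials (keys or passwords) added to a service principal."""
    return [r for r in records
            if r["targetType"] == "ServicePrincipal"
            and "credential" in r["activity"].lower()]


def federation_changes(records):
    """Recommendation 2: any audit record whose modified properties include
    federationConfiguration, regardless of the activity name."""
    return [r for r in records
            if any(p.get("name") == "federationConfiguration"
                   for p in r["modifiedProperties"])]


def unusual_graph_calls(log_text, baseline_actors):
    """Recommendation 3: Graph requests touching the sensitive paths, made by
    actors who do not normally administer domains or SP credentials."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)
        touches_sensitive = any(m in req["path"] for m in SENSITIVE_PATH_MARKERS)
        if touches_sensitive and req["actor"] not in baseline_actors:
            hits.append(req)
    return hits


def run():
    """Return one summary dict so the three checks can be reviewed together."""
    return {
        "sp_credential_additions": sp_credential_additions(AUDIT_LOG),
        "federation_changes": federation_changes(AUDIT_LOG),
        "unusual_graph_calls": unusual_graph_calls(GRAPH_LOG, BASELINE_ADMIN_ACTORS),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", json.dumps(f))
```

On the sample data the first check flags the credential added to the Exchange Online SP, the second flags the `federationConfiguration` change by the migration account, and the third flags the reporting account's `PATCH` to `federationConfiguration` and the `GET /domains` from `alice`, while the baseline identity admin's request is suppressed. The baseline set is the part worth investing in: without it, the third check is noisy in any tenant with active identity administration.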

🚨 Calling all Detection & Response Experts! 🚨

We need your insights! Take part in the SANS Institute Detection and Response Survey to share your current trends, practices, and challenges.

🕵️‍♂️ Your insights are crucial for shaping the future of our field.

📊 Your contributions will fuel a comprehensive analysis, publicly available for all.

🔗 https://survey.sans.org/jfe/form/SV_afaP0wOMXHGLhDE

🗓️ The survey closes August 15

#DFIR #IncidentResponse #ThreatDetection #CyberSecurity #SANSsurvey SANS Digital Forensics and Incident Response

This is an interesting write up on a slightly different #Docker #container #malware attack from the Cado Security and Darktrace teams.

🕵🏼‍♂️ This malicious #container uses TENEO heartbeats to effectively earn credits. TENEO's ledger isn't exactly public so tracking the tokens isn't simple, there also doesn't appear to be a way to cash out...yet.

💡 On a side note, this is a great write up on #container #DFIR analysis if you're interested.

🔗 https://www.darktrace.com/blog/obfuscation-overdrive-next-gen-cryptojacking-with-layers
