This service installation just exposed a hidden backdoor. Detection Rule Friday | DFIR Media #DFIR #CyberSecurity #InfoSec
This process is hiding in plain sight — and most analysts miss it. Artifact of the Day | DFIR Media #DFIR #CyberSecurity #InfoSec
This scheduled task just gave attackers permanent access to your network. Detection Rule Friday | DFIR Media #DFIR #CyberSecurity #InfoSec
Attackers think encrypted traffic hides their tracks — but Zeek sees everything. Artifact of the Day | DFIR Media #DFIR #CyberSecurity #InfoSec
Chainsaw cuts through Windows event logs faster than you can say "lateral movement."

When you're triaging a Windows compromise and drowning in EVTX files, Chainsaw by WithSecure is the tool that gets you answers in seconds, not hours. It's built for speed — rip through gigabytes of event logs, hunt for known-bad patterns, and surface the signals that matter.

Three reasons it lives in every IR toolkit:

1. Native Sigma support — drop in community detection rules and run them at scale across entire log sets. No conversion, no friction.
2. Hunting mode — search for specific event IDs, usernames, process names, or IP addresses across thousands of EVTX files in one pass. Perfect for pivoting on IOCs during active investigations.
3. Flexible output — table view for quick triage, CSV/JSON for feeding into your SIEM or timeline tools. Chainsaw plays well with the rest of your stack.

Real-world use case: You've got a suspected domain admin compromise. Chainsaw lets you hunt for 4624 logons with that account across every domain controller in minutes, then export matches as JSON and correlate with process execution logs from Sysmon. Pair it with Hayabusa for deeper hunting and you've got a complete Windows log analysis pipeline.

Grab it from the WithSecure Labs GitHub. If you're doing Windows IR without Chainsaw, you're working too hard. #DFIRTools #IncidentResponse
This one process access just exposed a credential theft attempt. Detection Rule Friday | DFIR Media #DFIR #CyberSecurity #InfoSec
You just found malware. Now prove what it stole. Artifact of the Day | DFIR Media #DFIR #CyberSecurity #InfoSec
🦅 Tool Tuesday: Hayabusa — Fast Windows Event Log Analysis for Threat Hunters

When you're knee-deep in a Windows compromise and staring at gigabytes of EVTX files, speed matters. Hayabusa is a Rust-based event log analyzer that rips through Windows event logs at scale, applying Sigma-compatible detection rules to surface threats fast. Built by Yamato Security, it ships with 4000 built-in detection rules covering everything from credential dumping to lateral movement. It scans EVTX files offline, generates a consolidated timeline of security-relevant events, and outputs to CSV, JSON, or HTML — whatever fits your workflow.

Real-world use case: You've pulled EVTX logs from 50 endpoints during an active IR engagement. Instead of manually parsing Security.evtx looking for 4624/4625 patterns, you point Hayabusa at the entire dataset. Within minutes, you have a sorted timeline flagging Mimikatz execution, suspicious PowerShell, and abnormal logon patterns — all color-coded by severity.

Why it matters: Traditional EVTX analysis is slow. Hayabusa's Rust core makes it blazing fast, and Sigma rule compatibility means your existing detection content works out of the box. It's offline-capable, so you can analyze logs on an isolated IR laptop without network dependencies.

Alternatives: DeepBlueCLI (PowerShell-based, lighter but slower), EvtxECmd (Eric Zimmerman's tool, great for parsing but less detection-focused), and Chainsaw (another Rust option with Sigma support).

Get it: hXXps://github[.]com/Yamato-Security/hayabusa #DFIRTools #IncidentResponse
🚨 HIGH: CVE-2025-10101 (CVSS 7.8) - Heap buffer overflow in Avast/AVG/Norton Antivirus when scanning malformed Mach-O files. Local code execution or DoS possible. Update to VPS 25090300 immediately. #CVE #Vulnerability #PatchNow #ThreatIntel
This IP just sent a phishing email to your CEO. api-spotlight | DFIR Media #DFIR #CyberSecurity #InfoSec
This DNS query just exposed a botnet hiding in plain sight. Detection Rule Friday | DFIR Media #DFIR #CyberSecurity #InfoSec
🚨 CRITICAL: CVE-2026-35273 in Oracle PeopleSoft PeopleTools allows unauthenticated takeover. CISA KEV listed, ransomware exploitation known. Patch immediately. #CVE #PatchNow #ThreatIntel
Attackers just ran a reverse shell — but you missed it. Artifact of the Day | DFIR Media #DFIR #CyberSecurity #InfoSec
🚨 HIGH SEVERITY: CVE-2026-7368 (CVSS 8.1) Yarbo cloud platform lacks device/user authorization. Any valid credential grants fleet-wide access to all robots globally. Attackers can subscribe to telemetry & send commands using only serial numbers. #CVE #Vulnerability #PatchNow
🚨 CRITICAL: CVE-2026-6853 (CVSS 9.8) Pause Mobile App vulnerable to authentication bypass via brute force. Versions 1.0.6 to <1.5 affected. Update immediately. #CVE #Vulnerability #PatchNow #ThreatIntel
🚨 HIGH SEVERITY: CVE-2026-50633 (CVSS 8.1) JNDI Injection in Apache CXF JCA module enables code execution if attacker manipulates ra[.]xml or runtime parameters. Patch NOW: Upgrade to 4.2.2 or 4.1.7 #CVE #PatchNow #ThreatIntel
🚨 HIGH SEVERITY: CVE-2026-6211 (CVSS 8.7) Unrestricted file upload flaw in Global IT Informatics WEOLL v2.0.9-3[.]2[.]45[.]33. Allows attackers to bypass ACLs & upload dangerous files. Patch to v3.2.45.33 immediately. #CVE #Vulnerability #PatchNow
🚨 CRITICAL: CVE-2026-54133 (CVSS 9.8) jmespath[.]php <2.9.1 allows RCE via attacker-controlled expressions in CompilerRuntime. Patch to 2.9.1 immediately or use AstRuntime for untrusted input. #CVE #Vulnerability #PatchNow
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4.
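Both vm2 advisories above describe the same defensive lesson: a denylist of Node.js builtins is only as good as its coverage of aliases, "/promises" submodules and underscored internals. The following audit helper is an added example written for this note, not vm2 code and not part of either advisory; it takes a denylist and a list of builtin names and reports which builtins the denylist leaves uncovered. The two denylists are constructed from the modules the advisories name, and the builtin list is a constructed subset of Node's real one.

```javascript
// Added audit helper (hypothetical; not vm2 code). Given a denylist of Node.js
// builtins, report which builtins are still reachable, grouped by the kinds of
// gap the advisories describe: underscored internals, "<denied>/..." submodules,
// and plain modules that were simply never listed.

// Treat "node:fs" and "fs" as the same module so a prefixed entry is not missed.
function normalize(name) {
  return name.startsWith('node:') ? name.slice(5) : name;
}

// Returns { internal, submodule, other }: every builtin not covered by denylist.
//   internal  - underscored internals such as "_http_client"
//   submodule - "<denied>/..." variants such as "inspector/promises"
//   other     - plain builtins such as "process"
function auditDenylist(denylist, modules) {
  const denied = new Set(denylist.map(normalize));
  const gaps = { internal: [], submodule: [], other: [] };
  for (const raw of modules) {
    const name = normalize(raw);
    if (denied.has(name)) continue;
    if (name.startsWith('_')) gaps.internal.push(name);
    else if (name.includes('/') && denied.has(name.split('/')[0])) gaps.submodule.push(name);
    else gaps.other.push(name);
  }
  return gaps;
}

// Constructed subset of Node's builtin list, enough to exercise both advisories.
// For a real audit, pass require('module').builtinModules instead.
const SAMPLE_BUILTINS = [
  'fs', 'path', 'process', 'vm', 'worker_threads', 'cluster', 'repl', 'module',
  'inspector', 'inspector/promises',
  'http', 'https', 'http2', 'net', 'dgram', 'tls', 'dns', 'dns/promises',
  '_http_client', '_http_server',
];

// Builtins the first advisory says pre-3.11.4 NodeVM blocked.
const EXEC_DENYLIST = ['module', 'worker_threads', 'cluster', 'vm', 'repl', 'inspector'];
// Public network modules excluded under the second advisory's configuration.
const NET_DENYLIST = ['http', 'https', 'http2', 'net', 'dgram', 'tls', 'dns', 'dns/promises'];

const execGaps = auditDenylist(EXEC_DENYLIST, SAMPLE_BUILTINS);
const netGaps = auditDenylist(NET_DENYLIST, SAMPLE_BUILTINS);
console.log('exec denylist leaves reachable:', execGaps.submodule, execGaps.other);
console.log('net denylist leaves internals reachable:', netGaps.internal);
```

An empty result from every group is the goal; in practice that is easier to reach with an allowlist of the few builtins the sandboxed code actually needs than with a denylist that must track every alias Node adds.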