#PurpleTeam | Ex @RaytheonTech MSSP, @SCYTHE_IO, & @GD_OTS | Taught at BlackHat & DEFCON | #100DaysofSigma | Keep exploring, keep learning, and stay curious

Joined May 2020
Pinned Tweet
My SANS Purple Team Series: Threat-Informed Detection Engineering Webinar with @jorgeorchilles is on YouTube! Video: youtu.be/2czm8dhziX8 Blog post: sans.org/blog/purple-teaming…
What do you call a technique that’s documented in the popular CTI framework?
67% ATT&CK Technique
33% MITRE Technique
6 votes • Final results
Pretty interesting: retrieves the command-and-control (C2) domain from a blockchain smart contract. Instead of hardcoding the server address... queries multiple Polygon RPC endpoints defined in CONTRACT_CONFIG.RPC_HOSTS levelblue.com/blogs/spiderla…
GenAI hype - when will we hit peak ignorance?
Christopher Peacock retweeted
Dropping a new tool today: TTPRunner - One-click Vectr deploy - Give it a threat report, PDF, or just plain-english instructions and it'll build an execution & simulation plan for you - Executions are tracked via notes and automatically sync'd with Vectr Works great with: github.com/Antonlovesdnb/Con… Check it out! 🔽 github.com/Antonlovesdnb/TTP…
Christopher Peacock retweeted
Feb 12
Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-…
AI can help build C2s and payloads, but often this seems to be the case.
“Benchmarked frontier AI models on realistic SecOps tasks using Cotool’s agent harness and the Splunk BOTSv3 dataset. GPT-5 achieved the highest accuracy (63%), while Claude Haiku-4.5 completed tasks the fastest with strong accuracy.” cotool.ai/blog/evaluating-ai…
👀
PowerShell has a list of suspicious keywords. If found in a script block an automatic 4104 event will be generated regardless of logging policy :) (True for both PWSH 5/7) Look for EID 4104 with Level 3 (Warning) Full List: gist.github.com/nasbench/50c…
Christopher Peacock retweeted
🎄 It’s time! The 2025 SANS Holiday Hack Challenge is officially OPEN! Something’s off in the neighborhood… disappearing items, strange sightings, a chill in the air. ❄️ Can you uncover what’s really going on? Play now 👉 sans.org/u/1D01 #HolidayHackChallenge
IP2LoRa Meshtastic 👀
Christopher Peacock retweeted
30 Jul 2025
If you have Active Directory Certificate Services (ADCS) in your environment, run Locksmith now! In Active Directory Security Assessments, we have found critical security issues in *most* ADCS configurations. The great thing about Locksmith is that it doesn't just highlight the security issues in your ADCS environment, but also provides the command to remediate it! If you're a pentester/red teamer, Locksmith is great for you to provide remediation recommendations to your customers. github.com/jakehildreth/Lock… #ActiveDirectorySecurityTip
Christopher Peacock retweeted
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. We have outlined mitigations and detections in our blog. Our team is working urgently to release a security update and will share more details as they become available. Read the full guidance in our blog: msft.it/6013s8oCc
Christopher Peacock retweeted
Interesting malware analysis from NCSC on AUTHENTIC ANTICS ncsc.gov.uk/static-assets/do…