Husband, Father, Cybersecurity Professional...My opinions are my wife's.

Joined March 2018
Patterson Cake retweeted
RedacteCON - Registration and CFP are live! Western Colorado's ONLY Cybersecurity CON (9/19/2026 - Colorado Mesa University): redactecon.org/
Patterson Cake retweeted
Your AV just flagged PowerShell running on an endpoint. Totally normal... or is it? That's the LOLBins problem. Learn to tell the difference with hands-on endpoint threat hunting from Patterson Cake. Threat Hunting on the Edge · June 19 🔗 learning.antisyphontraining.…
Patterson Cake retweeted
Ready to level up your SOC skills? Join us at the Antisyphon Training SOC Summit on March 25! Kick things off with “Needle Hunting: An Endpoint Investigation Cheat Sheet” with Patterson Cake. antisyphontraining.com/event…
Patterson Cake retweeted
Our SOC Summit is coming up in March and if you've been itching to learn more about the blue team then come check out over 10 talks guiding you through the world of Security Operations Centers. Learn more and join us here: antisyphontraining.com/event…
Want to test/learn/train AI for Incident Response? Need some test data and documented backstory, with IOC cheat sheets? Check it! github.com/secure-cake/rtw-t…

Patterson Cake retweeted
🚨 It’s back! 🚨 The INFOSEC SURVIVAL GUIDE has returned! Read our FREE Orange Book: Incident Response below or at the link here -- blackhillsinfosec.com/prompt… In the United States? Get a physical copy shipped to you for FREE -- spearphish-general-store.mys… If you loved our Yellow and Green book or it's your first time hearing about our survival guides — now’s your chance. If you didn’t… you already know why this one’s worth grabbing. 🟧💥
Patterson Cake retweeted
"When performing Windows endpoint investigations, with a typical average of 200K-500K event log entries per host, we can use Hayabusa to reduce and prioritize our event analysis." Read more: blackhillsinfosec.com/wrangl… Wrangling Windows Event Logs with Hayabusa and SOF-ELK (Part 1) by: @securecake Published: 9/17/2025
Patterson Cake retweeted
"In part 1, we used Hayabusa to reduce/refine Windows Event Logs from a single endpoint [...] But what if we need to wrangle Windows Event Logs for more than one system?" Read more: blackhillsinfosec.com/wrangl… Wrangling Windows Events Logs with Hayabusa and SOF-ELK (Part 2) by: Patterson Cake Published: 10/01/2025
Howdy, friends! Just FYI - I've updated my "Rapid Endpoint Investigations" workflow for the latest version of Velociraptor, as there were some significant changes/updates: github.com/secure-cake/rapid…
Patterson Cake retweeted
**NEW** BHIS | Blog When investigating a security event on a Windows endpoint, what is your favorite Windows Event ID? Wrangling Windows Events Logs with Hayabusa and SOF-ELK (Part 2) by: @securecake Published: 10/01/2025 Learn more: blackhillsinfosec.com/wrangl…
Patterson Cake retweeted
"Although Direct Send is not new, we have seen a recent surge in threat actors abusing it..." Read more: blackhillsinfosec.com/disabl… Stop Spoofing Yourself! Disabling M365 Direct Send by: @securecake Published: 8/20/2025
Patterson Cake retweeted
"[...] we’ll discuss how Hayabusa and [...] (SOF-ELK) can help us wrangle EVTX files (Windows Event Log files) for maximum effect during a Windows endpoint investigation!" Read more: blackhillsinfosec.com/wrangl… Wrangling Windows Event Logs with Hayabusa and SOF-ELK (Part 1) by: @securecake Published: 9/17/2025
Patterson Cake retweeted
Hey folks! Join us for a free one-hour training session with Antisyphon instructors and AI security researchers Derek Banks and Brian Fehrman on attacking and defending AI systems. Wednesday, June 4th - 12:00 PM EDT Register: events.zoom.us/ev/AokxHboDBG…
Patterson Cake retweeted
What could an attacker do with access to your AI assistant? Bronwen Aker joined us for a free one-hour Black Hills Information Security webcast to give us some security lessons! We got a hands-on look at how Microsoft Copilot works in business settings, as Bronwen showed how it accesses data and helps with tasks like drafting emails or finding files, which can be useful or risky depending on permissions and context! Watch it for FREE here - youtube.com/live/-lwe9yc9fv0
Patterson Cake retweeted
You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war and you need to take rapid, decisive steps to determine: Has the endpoint been compromised? Have other systems been impacted? What actions should come next? Patterson Cake will take you through live demonstrations & hands-on labs to help you get through similar IR scenarios with confidence in our next Pay-What-You-Can Workshop: Rapid Endpoint Investigations, live THIS FRIDAY, June 6th. Register here: antisyphontraining.com/cours…
Had a hard time finding a succinct, detect/respond write-up for SentinelOne Singularity syntax, cheat sheet and queries...so started creating one (definitely WIP!): github.com/secure-cake/senti…
Patterson Cake retweeted
Hey folks! From multiple layers of obfuscation to conditional behavior to sandbox avoidance, malware can indeed be complicated. But ultimately, when a Windows malware event occurs, the most important questions are “if” and “how” it impacted your environment! Thursday, March 14th - 1:00 PM EDT Register: events.zoom.us/ev/An_coMKNRm… In this free one-hour Black Hills Information Security (BHIS) webcast, Patterson Cake - Incident Responder, will discuss a simplified approach and tactical tips for answering those questions when investigating malware events on your Windows endpoints. If you want to register for upcoming webcasts, you can below: events.zoom.us/eo/AqZceUFfoY…
Patterson Cake retweeted
**NEW** BHIS | BLOG Do you use OSINT for IR? How about investigating bank robberies? OSINT for Incident Response (Part 2) by: @Securecake Published: 3/7/2024 Learn more: blackhillsinfosec.com/osint-…