Joined January 2016
Wes Lambert retweeted
This is it folks! This is the last weekend to submit a DEATHCon workshop CFP proposal if you want to get in the first round of acceptance! We've got a lot of great submissions already but there's room for yours too! deathcon.io Click on CFP. Conf can pay for travel!
Wes Lambert retweeted
Malware campaigns are targeting real estate agents. Attackers build rapport, then send a malicious Zoom link that grants full remote access. Indicators of compromise and detection guidance here: sublime.security/blog/scamme…
Wes Lambert retweeted
🎯 Added this Velociraptor artifact on the exchange to assist scoping IOCs related to the recent publicly disclosed Notepad supply chain attack. - Find impacted Notepad versions - Find suspicious files in public reports - Find publicly reported network URLs in running processes - Find Warbird clipc.dll shellcode loader strings 🔗 docs.velociraptor.app/exchan…
Simple scoping for abused/exposed #Notepad via #Velociraptor notebook. For installed apps storing registry values, not portable (more likely to be leveraged given update mechanism, AFAIK). In-depth: rapid7.com/blog/post/tr-chry…. I'm sure @mgreen27 has an uber artifact cooking 🔥
Wes Lambert retweeted
#100DaysOfYara 🔎 Messed around with detecting the cool Warbird technique outlined by Rapid7 in their recent Chrysalis blog. Velociraptor gives us the unique ability to target the VAD with live analysis: 1. Targeting sections mapped to clipc.dll 2. With PAGE_EXECUTE_READ protection 3. DEADBEEF or CAFEFE in the first bytes 🔗github.com/mgreen27/100dayso…
Wes Lambert retweeted
lmao for real?
Wes Lambert retweeted
We’re hiring at Sublime Security 🚀 We’re building security that actually stops email-based attacks, and we’re growing our team with people who want to ship meaningful work at real scale. Open roles include: 🔧 Engineering Manager, Product 🛠 Corporate IT Engineer (US East Coast UK) 📈 Sales Engineering Manager (West Coast) ✉️careers@sublimesecurity.com
I just updated the wlambert/velociraptor #velociraptor @velocidex Docker image to 0.75.6 to address CVE-2025-14728, detailed here: docs.velociraptor.app/announ… Repo here, with more long-needed updates coming soon: github.com/weslambert/veloci… #DFIR #Infosec
Wes Lambert retweeted
17 Nov 2025
The extension was approved, now what? Are you going back tomorrow to see if it changed? You know they auto update instantly right? Rolling out to Secure Annex - code change alerts. This takes comparison of the code from the previous version along with additional context to understand how the code in an extension is changing over time.
The DHCP server...
Wes Lambert retweeted
5 Nov 2025
Ransomware has appeared in the VS Marketplace and makes me worry. Clearly created through AI, it makes many mistakes like including decryption tools in the extension. If this makes it into the marketplace though, what impact would anything more sophisticated cause? secureannex.com/blog/ransomv…
Wes Lambert retweeted
2 Nov 2025
The SleepyDuck code extension malware is an advanced remote access trojan allowing for remote command execution on any endpoint that installs it. Take down the C2 server? It uses an Ethereum contract to update its settings to a new endpoint. secureannex.com/blog/sleepyd…
Wes Lambert retweeted
29 Aug 2025
Rapid7 recently observed threat actors misusing @velocidex. ⚠️ No vulnerability exists in the tool itself—the risk is in how attackers abuse it. To help orgs detect misuse, Velociraptor deliberately creates easy-to-detect IOCs. Learn what to look for 👉 r-7.co/4g2JomU
Wes Lambert retweeted
The periodic table of Windows event IDs. #ThreatHunting #DFIR
Wes Lambert retweeted
Security Onion 2.4.160 now available including Playbooks, Guided Analysis, MCP Server, and more! Have you ever had an alert and were unsure of what to do next? In this release, when you expand an alert you'll see a new tab called Guided Analysis. This leverages Playbooks to show you plays associated with the alert. These plays include questions which help guide your investigation. Each question has an associated query and the results of that query will be automatically displayed to help you answer the question. This makes you faster and more efficient than ever before!
Wes Lambert retweeted
At Sublime, we don’t just build powerful detection tools 📷 — we empower the community to use them. Over the years, our users have created, tested, and contributed some incredible custom rules to our Core Feed. Today, we’re spotlighting a few standouts from the Sublime Community that help stop real threats in the wild and were added to our Core Feed. sublime.security/blog/commun…
Wes Lambert retweeted
16 Jun 2025
🎁 Giveaway! 🎁 ContinuumCon - a conference with hands on workshops. One session I'm particularly fond of is 'Demystifying browser extensions'. Secure Annex is giving away 2 Defender tickets. Repost this message and I'll notify by 6/18. continuumcon.com/
Wes Lambert retweeted
13 Jun 2025
Replying to @kpolley
I actually just gave a talk on this topic. TL;DR: depends on the use case. Today there are practical constraints that make certain classes of problems infeasible to be solved this way due to tradeoffs on speed, efficacy, and cost. But maybe someday.