Patterson Cake

Ready to level up your SOC skills? Join us at the Antisyphon Training SOC Summit on March 25! Kick things off with “Needle Hunting: An Endpoint Investigation Cheat Sheet” with Patterson Cake. antisyphontraining.com/event/soc-summ…

Our SOC Summit is coming up in March and if you've been itching to learn more about the blue team then come check out over 10+ talks guiding you through the world of Security Operations Centers. Learn more and join us here: antisyphontraining.com/event/soc-summ…

Want to test/learn/train AI for Incident Response? Need some test data and documented backstory, with IOC cheat sheets? Check it! github.com/secure-cake/rt…

🚨 It’s back! 🚨 The INFOSEC SURVIVAL GUIDE has returned! Read our FREE Orange Book: Incident Response below or at the link here -- blackhillsinfosec.com/prompt-zine/pr… In the United States? Get a physical copy shipped to you for FREE -- spearphish-general-store.myshopify.com/products/the-i… If you loved our Yellow and Green book or it's your first time hearing about our survival guides — now’s your chance. If you didn’t… you already know why this one’s worth grabbing. 🟧💥

In case you missed it! bleepingcomputer.com/news/microsoft…

"When performing Windows endpoint investigations, with a typical average of 200K-500K event log entries per host, we can use Hayabusa to reduce and prioritize our event analysis." Read more: blackhillsinfosec.com/wrangling-wind… Wrangling Windows Event Logs with Hayabusa and SOF-ELK (Part 1) by: @securecake Published: 9/17/2025

"In part 1, we used Hayabusa to reduce/refine Windows Event Logs from a single endpoint [...] But what if we need to wrangle Windows Event Logs for more than one system?" Read more: blackhillsinfosec.com/wrangling-wind… Wrangling Windows Events Logs with Hayabusa and SOF-ELK (Part 2) by: Patterson Cake Published: 10/01/2025

Howdy, friends! Just FYI - I've updated my "Rapid Endpoint Investigations" workflow for the latest version of Velociraptor, as there were some significant changes/updates: github.com/secure-cake/ra…

**NEW** BHIS | Blog When investigating a security event on a Windows endpoint, what is your favorite Windows Event ID? Wrangling Windows Events Logs with Hayabusa and SOF-ELK (Part 2) by: @securecake Published: 10/01/2025 Learn more: blackhillsinfosec.com/wrangling-wind…

"Although Direct Send is not new, we have seen a recent surge in threat actors abusing it..." Read more: blackhillsinfosec.com/disabling-m365… Stop Spoofing Yourself! Disabling M365 Direct Send by: @securecake Published: 8/20/2025

"[...] we’ll discuss how Hayabusa and [...] (SOF-ELK) can help us wrangle EVTX files (Windows Event Log files) for maximum effect during a Windows endpoint investigation!" Read more: blackhillsinfosec.com/wrangling-wind… Wrangling Windows Event Logs with Hayabusa and SOF-ELK (Part 1) by: @securecake Published: 9/17/2025

@SecurityTrybe Shallow Fake

What type of Cyberattack would this be?

Hey folks! Join us for a free one-hour training session with Antisyphon instructors and AI security researchers Derek Banks and Brian Fehrman on attacking and defending AI systems. Wednesday, June 4th - 12:00 PM EDT Register: events.zoom.us/ev/AokxHboDBGQ…

What could an attacker do with access to your AI assistant? Bronwen Aker joined us for a free one-hour Black Hills Information Security webcast to give us some on security lessons! We got a hands-on look at how Microsoft Copilot works in business settings, as Bronwen showed how it accesses data and helps with tasks like drafting emails or finding files, which can be useful or risky depending on permissions and context! Watch it for FREE here - youtube.com/live/-lwe9yc9f…

You’ve received a “true positive” security alert for a Windows or Linux endpoint. This is not a drill! Your environment is under attack! This is war and you need to take rapid, decisive steps to determine: Has the endpoint been compromised? Have other systems been impacted? What actions should come next? Patterson Cake will take you through live demonstrations & hands-on labs to help you get through similar IR scenarios with confidence in our next Pay-What-You-Can Workshop: Rapid Endpoint Investigations, live THIS FRIDAY, June 6th. Register here: antisyphontraining.com/course/worksho…

Had a hard time finding a succinct, detect/respond write-up for SentinelOne Singularity syntax, cheat sheet and queries...so started creating one (definitely WIP!): github.com/secure-cake/se…

@levi_reuss Thank you very much, Levi!

His scripts to do this can be found at github.com/secure-cake/wi…. Thanks for sharing @SecureCake . I really got a lot out of your talk.

Today I learned about a new technique for windows malware investigation analysis I had never thought about using comparisons between a known good machine and a machine with malware. The video for this was at youtube.com/watch?v=TsTBnA…

Hey folks! From multiple layers of obfuscation to conditional behavior to sandbox avoidance, malware can indeed be complicated. But ultimately, when a Windows malware event occurs, the most important questions are “if” and “how” it impacted your environment! Thursday, March 14th - 1:00 PM EDT Register: events.zoom.us/ev/An_coMKNRmd… In this free one-hour Black Hills Information Security (BHIS) webcast, Patterson Cake - Incident Responder, will discuss a simplified approach and tactical tips for answering those questions when investigating malware events on your Windows endpoints. If you want to register for upcoming webcast you can below: events.zoom.us/eo/AqZceUFfoY1…

**NEW** BHIS | BLOG Do you use OSINT for IR? How about investigating bank robberies? OSINT for Incident Response (Part 2) by: @Securecake Published: 3/7/2024 Learn more: blackhillsinfosec.com/osint-for-inci…

That one time I caught a bank robber (well, kinda...): blackhillsinfosec.com/osint-for-inci…