Cyber Triage

Cyber Triage 3.16 is out: Investigate Faster with *Enterprise* Read Brian Carrier’s release blog: cybertriage.com/blog/cyber-tri… Interested in trying Enterprise? Contact us: cybertriage.com/contact/

Kerberoasting and its artifacts. From attack breakdown to behavior detection. A detailed process walk-through by Chris Ray (@cybertriage) Source: cybertriage.com/blog/dfir-brea… #redteam #blueteam #maldev #malwaredevelopment

DFIR is changing fast. How do investigators adapt their approach to stay effective? Today, 11 AM EST, Blake Regan and Brian Carrier debate when and when *not* to use EDR in DFIR, plus provide tools + techniques to use in modern investigations. Register: register.gotowebinar.com/register/90391…

To EDR or not EDR? That’s the investigator’s question. Next Thursday, Blake Regan and Brian Carrier will tackle that and other questions facing SOC and IR teams trying to adapt to emerging threats and evolving tech. Register here: register.gotowebinar.com/register/90391…

New DFIR Research: Pulseway (RMM) Abuse ⤵ Our team recently observed a threat actor using Pulseway for remote access and gaining full control of a system. Read @MikeWilko's research + investigation tips from the case: cybertriage.com/blog/dfir-next…

85% of attacks use LOTL The Socrates of SOC investigations teaches his best approach⤵ This Thursday, Wade Wells, detection and response expert, shares: → War stories → Investigation approach → Top 3 tips for elite endpoint triage Register: register.gotowebinar.com/register/70352…

Catch DFIR’s Con Artists Thursday’s RMM masterclass: → Commonly abused RMM tools → DFIR artifacts they leave behind → Insights from those artifacts → How to investigate With Professor Mike Wilkinson Register: attendee.gotowebinar.com/register/69551…

Keep your eye on AnyDesk. Learn how to investigate suspicious AnyDesk use from Chris Ray: cybertriage.com/blog/dfir-next… P.S. Share this post to help other DFIR pros!

RMMs: The Perfect Diguise. And attackers will get away with it, unless you learn to unmask them. Next Thursday, @MikeWilko will teach you just that. Register: attendee.gotowebinar.com/register/69551…

Free your mind: Automate your DFIR. Tomorrow, join @carrier4n6 and Chris Ray as they demo the new Defender → Cyber Triage automation. Register: attendee.gotowebinar.com/register/41993…

Our 3 Best DFIR Blogs of 2025 (Ranked by views) ⤵ #1 Registry Forensics Cheat Sheet: cybertriage.com/blog/windows-r… #2 WMI Malware Forensics Guide: cybertriage.com/blog/wmi-malwa… #3 NTUSER.DAT Forensics: cybertriage.com/blog/ntuser-da… P.S. Share this post to help other DFIR pros!

New DFIR Research: Chris Ray’s comprehensive list of LogMeIn artifacts ⤵ → Windows events → Registry keys → Exe names → Domains → Log files → Folders Right here: cybertriage.com/blog/dfir-next… P.S. Share this post to help other DFIR pros!

New SOC DFIR Automation ⤵ CyberTriage 3.15 can automatically pull + analyze Defender data. See it live with @carrier4n6 and Chris Ray on September 11. Register: attendee.gotowebinar.com/register/41993…

Learn AI basics in DFIR: → AI + LMMs in DFIR overview → When to apply AI to investigations → Live demo of LLM + Cyber Triage Join experts @carrier4n6 and @sidprobstein tomorrow! Register: attendee.gotowebinar.com/register/24378…

Save this DFIR mini series: Jump Lists 2025 ⤵ → What Is a Jump List: cybertriage.com/blog/what-is-a… → Jump List Forensics: cybertriage.com/blog/jump-list… → Jump Lists Cache: cybertriage.com/blog/what-is-j… P.S. Share this post to help other DFIR pros!

AI in DFIR has “levels” Only one doesn’t involve the investigator: Level 4 The ideal: → Full automation (level 4) for low-risk decisions. → Recommendation (level 3) for higher risk decisions.

AI in digital investigations. Learn the basics from these 2 “guys”: → @carrier4n6 → @sidprobstein Register now: attendee.gotowebinar.com/register/24378…

Save this DFIR series: Windows Registry Forensics 2025 ⤵ → Registry Forensics 2025: cybertriage.com/blog/windows-r… → Forensics Cheatsheet: cybertriage.com/blog/windows-r… → Forensics Tools: cybertriage.com/blog/2025-guid… P.S. Share this post to help other DFIR pros!

Understand investigation automation. @carrier4n6’s framework: cybertriage.com/blog/3-ways-to… You can test all 3 automation types with Cyber Triage. Trial copy: cybertriage.com/download-eval/

Philosoraptor’s easiest question yet! And creators, Mike Cohen and Brian Carrier, explain how to this Thursday. With this integration, Velociraptor scans thousands of endpoints, and Cyber Triage dives into ~20 where the attacker was active. To register: register.gotowebinar.com/register/12891…