Wes Lambert

2.5K posts

@therealwlambert

Lead Engineer, NSM @Target Github: https://t.co/tmQk6TbWMr https://t.co/5KDnHsdBlV Mastodon: @[email protected]

Augusta, GA Joined January 2016
285 Following 1.9K Followers
Wes Lambert retweeted
Sublime Security@sublime_sec·
Malware campaigns are targeting real estate agents. Attackers build rapport, then send a malicious Zoom link that grants full remote access. Indicators of compromise and detection guidance here: sublime.security/blog/scammers-…
Wes Lambert retweeted
Matthew Green 🌻@mgreen27·
🎯 Added this Velociraptor artifact on the exchange to assist scoping IOCs related to the recent publicly disclosed Notepad++ supply chain attack.
- Find impacted notepad++ versions
- Find suspicious files in public reports
- Find public reported network urls in running processes
- Find Warbird clipc.dll shellcode loader strings
🔗 docs.velociraptor.app/exchange/artif…
Wes Lambert@therealwlambert

Simple scoping for abused/exposed #Notepad++ via #Velociraptor notebook. For installed apps storing registry values, not portable (more likely to be leveraged given update mechanism, AFAIK). In-depth: rapid7.com/blog/post/tr-c…. I'm sure @mgreen27 has an uber artifact cooking 🔥

Wes Lambert retweeted
Matthew Green 🌻@mgreen27·
#100DaysOfYara 🔎 Messed around with detecting the cool Warbird technique outlined by Rapid7 in their recent Chrysalis blog. Velociraptor gives us the unique ability to target the VAD with live analysis:
1. Targeting sections mapped to clipc.dll
2. With PAGE_EXECUTE_READ protection
3. DEADBEEF or CAFEFE in the first bytes
🔗 github.com/mgreen27/100da…
Wes Lambert retweeted
tuckner@tuckner·
lmao for real?
Wes Lambert retweeted
Sublime Security@sublime_sec·
We’re hiring at Sublime Security 🚀 We’re building security that actually stops email-based attacks, and we’re growing our team with people who want to ship meaningful work at real scale. Open roles include:
🔧 Engineering Manager, Product
🛠 Corporate IT Engineer (US East Coast + UK)
📈 Sales Engineering Manager (West Coast)
✉️ careers@sublimesecurity.com
Wes Lambert retweeted
tuckner@tuckner·
The extension was approved, now what? Are you going back tomorrow to see if it changed? You know they auto update instantly right? Rolling out to Secure Annex - code change alerts. This takes comparison of the code from the previous version along with additional context to understand how the code in an extension is changing over time.
Wes Lambert@therealwlambert·
The DHCP server...
Wes Lambert retweeted
tuckner@tuckner·
Ransomware has appeared in the VS Marketplace and makes me worry. Clearly created through AI, it makes many mistakes like including decryption tools in extension. If this makes it into the marketplace though, what impact would anything more sophisticated cause? secureannex.com/blog/ransomvibe
Wes Lambert retweeted
tuckner@tuckner·
The SleepyDuck code extension malware is an advanced remote access trojan allowing for remote command execution on any endpoint that installs it. Take down the C2 server? It uses an Ethereum contract to update its settings to a new endpoint. secureannex.com/blog/sleepyduc…
The Haag™@M_haggis·
I know I hype Lua.. but today I was told about Tcl. Yep, see you soon.
Wes Lambert retweeted
Rapid7@rapid7·
Rapid7 recently observed threat actors misusing @velocidex. ⚠️ No vulnerability exists in the tool itself—the risk is in how attackers abuse it. To help orgs detect misuse, Velociraptor deliberately creates easy-to-detect IOCs. Learn what to look for 👉 r-7.co/4g2JomU
Josh Kamdjou@jkamdjou·
i have had about 10 cups of coffee today
Wes Lambert@therealwlambert·
@securitybrew So sorry to hear. Wishing you and your family peace and comfort.
Kate Brew@securitybrew·
My mom died today. My fondest memory of her was car trips where she would define a word and ask me to use it in a sentence. She was an avid reader and so sharp mentally until the end.
Wes Lambert retweeted
Security Onion@securityonion·
Security Onion 2.4.160 now available including Playbooks, Guided Analysis, MCP Server, and more! Have you ever had an alert and were unsure of what to do next? In this release, when you expand an alert you'll see a new tab called Guided Analysis. This leverages Playbooks to show you plays associated with the alert. These plays include questions which help guide your investigation. Each question has an associated query and the results of that query will be automatically displayed to help you answer the question. This makes you faster and more efficient than ever before!
Wes Lambert retweeted
Sublime Security@sublime_sec·
At Sublime, we don’t just build powerful detection tools 📷 — we empower the community to use them. Over the years, our users have created, tested, and contributed some incredible custom rules to our Core Feed. Today, we’re spotlighting a few standouts from the Sublime Community that help stop real threats in the wild and were added to our Core Feed. sublime.security/blog/community…