EncapsulateJay

141 posts


@EncapsulateJ

SOC Analyst @HuntressLabs

Joined February 2021
448 Following 180 Followers
EncapsulateJay retweeted
Jevon_Ang
Jevon_Ang@Jev_3ng·
Most SOC reports and write-ups are punchy, to-the-point, polished reports. After all, every investigation (regardless of vertical) starts out as a chaotic mix of different threads that we corral into order like a tired sheepdog dreaming of making it as an internet meme and retiring on the royalties. Unfortunately, these polished reports don't capture how we actually form our suspicions, the pivots, the dead ends, the moment it all starts to make some semblance of sense. If you've ever wondered what that process actually looks like, I've spun up a blog series that breaks down real MDR incidents to capture what it's like riding the investigation roller-coaster, so those new to the industry can see how we progress from start to end within the context of a SOC investigation. Please enjoy this breakdown of a threat actor's attempt to enumerate and pivot further into the victim's environment — made with 100% organic human analyst tears! jevonang.com/Investigations…
EncapsulateJay retweeted
Renzon
Renzon@r3nzsec·
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎 Introducing IRFlow Timeline, a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman's Timeline Explorer. Every feature in this tool was shaped by real IR casework: handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it's in the app, it's because I needed it mid-case and realized the standard tools fell short. No dependencies. Zero setup. Just drag, drop, and analyze. #dfir #incidentresponse #timeline #macos #threathunting #digitalforensics
EncapsulateJay
EncapsulateJay@EncapsulateJ·
@Kostastsale Wishing you all the success in the world with this venture, mate! No doubt it will be a high-quality resource!
Kostas
Kostas@Kostastsale·
📢 I'm announcing Threat Hunting Labs, launching next year! After building threat hunting teams for large MSSPs, creating DFIR Labs for TheDFIRReport, and sharing years of free threat hunting material, I want to bring everything together into one platform. Something closer to how investigations actually work, not another set of CTF-like labs or check-the-box exercises.
• Choose your own incident investigation path: your choices determine how the investigation unfolds.
• No more keyword matching. Answers are evaluated on intent and accuracy.
• Work directly in Elastic, Splunk, or Azure Data Explorer and learn to investigate and hunt using hypotheses.
The waitlist is now open!! Those who sign up will receive a founders discount, early beta access, and the opportunity to provide feedback during development. The waitlist will close once a certain number of people have signed up and may reopen later if more testers are needed. This is something I wish existed when I was starting in the industry, and something I still want today. Register now, and more details soon. threathuntinglabs.com
EncapsulateJay
EncapsulateJay@EncapsulateJ·
@TheDFIRReport crew have gone and done it again. Really interesting report here. A sneaky exposed RDP port led to full-blown ransomware. Great work @Friffnz @MittenSec
The DFIR Report@TheDFIRReport

🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.

Friff
Friff@Friffnz·
Look what finally turned up today! Thanks @SecBlueTeam !
EncapsulateJay retweeted
Ayush Anand
Ayush Anand@Securityinbits·
ClickFix just got clever: ditched Win+R for Win+X (Power User Menu) ⚠️ New variant drops Lumma after a Defender exclusion: - Prompts for elevation until the user accepts - Adds a Defender exclusion on %temp% - Drops & runs Lumma. Multiple Sigma rules fired 💥 Process Tree👇
EncapsulateJay
EncapsulateJay@EncapsulateJ·
There's pretty much never been a better time to start learning or get hands on blue team experience through labs. The availability and quality of labs being released today compared to 4 years ago is night and day. Training providers like Xintra are paving the way for the future!
inversecos@inversecos

NEW LAB: Scattered Spider (UNC3944) 🕷️🕸️ Scattered Spider hits indie studio AB Projekt Blue, deploying ransomware and stealing unreleased game code. Test your skills on: 👀 Social Engineering & MFA Fatigue 👀 Credential Theft via OST Files 👀 Bring Your Own Vulnerable Driver (BYOVD) 👀 EDR Manipulation 👀 Custom Ransomware Binary 👀 RMM Exploitation Lab Contributors Adversarial Emulation @fawazo Incident Response @r3nzsec Threat Intelligence @CuratedIntel Solve it here 👉 xintra.org @XintraOrg

EncapsulateJay retweeted
Rem
Rem@sudo_Rem·
If you're running an SSLVPN (SonicWall, Fortigate, etc.) and not retaining those logs, you're setting yourself up for disaster. It's not uncommon to see sub-10-minute slices of activity in the totality of exported logs, which is next to useless.
EncapsulateJay retweeted
Ame
Ame@pe4Chscreeching·
🚨 Case from @HuntressLabs 🔎 Cephalus seen side loading DLL 'SentinelAgentCore.dll' into legitimate 'SentinelBrowserNativeHost.exe' for ransomware execution ✏️ File extension for encrypted files - '.sss'
EncapsulateJay
EncapsulateJay@EncapsulateJ·
@SecurityAura 100%. Something as simple as an org implementing a standardised naming convention for all workstations and servers ahead of time can help detect anomalies super quick during an IR engagement.
Aura
Aura@SecurityAura·
Meme'ing aside, do not underestimate the power of naming conventions for stuff such as systems, accounts, services, tasks, etc. There are SO many detection and/or hunting possibilities you can/could unlock if you were to just ... name things properly.
Ru Campbell@rucam365

More art than science.

EncapsulateJay
EncapsulateJay@EncapsulateJ·
Best case scenario: send the VPN logs to a SIEM solution for safekeeping. VPN compromises are on the rise, and this will save you a lot of heartache in the heat of an incident.
EncapsulateJay
EncapsulateJay@EncapsulateJ·
If not, some awkward conversations need to be had...
EncapsulateJay
EncapsulateJay@EncapsulateJ·
If your organisation uses a third-party managed IT provider, and said IT provider says you have a shiny VPN with logging enabled, please challenge the provider to prove that the VPN logs are configured correctly. A trusted IT partner will be happy to do this.
EncapsulateJay retweeted
Jai Minton
Jai Minton@CyberRaiju·
HijackLibs.net details hundreds of publicly disclosed DLL hijacking opportunities. With over 700 stars on GitHub and a growing list, @Wietze does an amazing job maintaining it. Despite this, contributing can be time-consuming. That's why I've created HijackLibs Helper!👇