Rem (@sudo_Rem)

267 posts

Senior Tactical Response Analyst @HuntressLabs | GPEN, GCFA, GCFE, GCIA, GCIH | Python Security Researcher

Joined May 2023
344 Following, 800 Followers
Pinned Tweet
Rem @sudo_Rem
Thoughts & SecOps/IR workflows for Agentic AI: sudorem.dev/blog/agentic-a… This mostly just consolidates a heavy period of "mess around" I've been in with AI into some tangible takeaways and real world systems.
Rem @sudo_Rem
"You guys look like you do cool security stuff, I wanna' come party too," should be a valid cover letter.
Rem @sudo_Rem
Enterprise tier SAST and DAST seem very likely; kind of like a bolt on CodeQL/Dependa/Semgrep. I mean-- these products already exist, they're just third party developed. Would make a lot of sense for Anthropic/OpenAI to target that margin directly-- a lot of that training data can be weaponized anyway for competitive advantages over each other. Would be interested to see if they ever start to target MDR/EDR vendors, many of which are already essentially just wrapping these LLM's anyway, at least to some degree. I imagine the enterprise security space becomes 'How do we feed Claude/Codex the fewest tokens possible to get the maximum security effect?' to aid in cost margins until it collapses into LLM/AI companies taking more of the broad ecosystem on.
solst/ICE of Astarte @IceSolst
Apparently high confidence that the model providers will become security vendors. Given the capital they can leverage, I agree. There’s probably better profit margins there for them. What will they sell? definitely sast, probably enterprise tiers with improved data handling guarantees, DLP and monitoring. Maybe also orchestration frameworks with containerization and runtime monitoring. Maybe also dast (smart crawlers? Automated pentest style, like xbow)
Quoted post from solst/ICE of Astarte @IceSolst:

Will Anthropic have a booth at RSAC or BH in 2027 promoting their security offering?

Rem @sudo_Rem
What kind of changes would you advocate for? (Or alternatively put, as a professor where are you seeing shortfalls between what students are leaving you having learned, and where they're struggling in the industry.) (Not trying to put you on the spot here, genuinely curious, I noodle over training a lot, and often come up blank with ideas beyond just... labs and lecture, at least in the operations/IR side.)
Georgia Weidman @georgiaweidman
I teach security and the gap is real, but it’s not just incompetence. The industry hires people into security roles and then gives them almost no structured training path. We shouldn’t be surprised when the average skill level reflects that.
Rem @sudo_Rem
Python's abuse for DLL sideloading reached its "pinnacle" in Nitrogen's use of Python 3.11 in its 2024 malvertising campaigns. Rapid7 has a really good writeup about it here: rapid7.com/blog/post/2024… If you're into DLL sideloading/hijacking, the security community's chief export for research and detection of these seems to be hijacklibs.net Important nuance: this isn't really a Python vulnerability. The legitimate `python311.dll` is signed, and `Python.exe` isn't spidering around odd places to look for this DLL. (It follows standard DLL search order convention.) The issue is adversaries dropping their own Python runtimes alongside malicious DLLs. It's a low-friction execution container that tends to blend in if you're not explicitly looking for it. Same same for ADNotificationManager.exe, DLPUserAgent.exe, or WerFault.exe, unfortunately. Where we once may have looked at unsigned binaries executing, we now need to look at signed binaries loading unsigned modules or running from unusual locations as a more effective methodology.
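The detection methodology the post above ends with, as an added example (not code from the post, from Huntress, or from Rapid7): a small Python hunt over constructed Sysmon-style image-load events that flags signed processes loading unsigned modules or running outside expected install directories. The directory baseline, the event shape and the sample paths are assumptions.

```python
"""Hunt for signed binaries that load unsigned modules or run from unusual
paths (the methodology in the post above).  Events are constructed
Sysmon-style ImageLoad records, not real telemetry."""
from dataclasses import dataclass

# Directories where signed Windows binaries normally live (assumed baseline).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ImageLoad:
    process: str          # full path of the loading process
    process_signed: bool  # Authenticode status of the process image
    module: str           # full path of the DLL being loaded
    module_signed: bool   # Authenticode status of the DLL

def is_unusual_path(path: str) -> bool:
    """True when the image sits outside the expected install directories."""
    return not path.lower().startswith(EXPECTED_DIRS)

def classify(ev: ImageLoad) -> list:
    """Return the reasons an event is suspicious; empty list means benign."""
    reasons = []
    if ev.process_signed and not ev.module_signed:
        reasons.append("signed process loaded unsigned module")
    if ev.process_signed and is_unusual_path(ev.process):
        reasons.append("signed process running from unusual location")
    return reasons

def hunt(events):
    """Keep only the events that triggered at least one reason."""
    return [(ev.process, ev.module, classify(ev)) for ev in events if classify(ev)]

# Constructed samples: a normal Python install, a dropped Python runtime with a
# rogue python311.dll, a normal WerFault, and a WerFault copied elsewhere.
SAMPLE = [
    ImageLoad("C:\\Program Files\\Python311\\python.exe", True,
              "C:\\Program Files\\Python311\\python311.dll", True),
    ImageLoad("C:\\Users\\Public\\Updater\\python.exe", True,
              "C:\\Users\\Public\\Updater\\python311.dll", False),
    ImageLoad("C:\\Windows\\System32\\WerFault.exe", True,
              "C:\\Windows\\System32\\faultrep.dll", True),
    ImageLoad("C:\\ProgramData\\Sync\\WerFault.exe", True,
              "C:\\ProgramData\\Sync\\faultrep.dll", False),
]

if __name__ == "__main__":
    for proc, mod, why in hunt(SAMPLE):
        print(f"{proc} -> {mod}: {'; '.join(why)}")
```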
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
We promised and we delivered 🔥 Teamed up with my Binja (IDA supremacy but we don't need to talk about that rn 😂) buddy @sudo_Rem 💙 to exorcise this lil Demon 😈 From the spam bombing and fake Outlook patches all the way down to the Havoc Demon. DLL side-loading, Hell's Gate, Halo's Gate... detours... this one had it all. Go give it a read 👇
Quoted post from Rem @sudo_Rem:

🧑‍💼"Your Outlook has an issue. Let me help you fix it." @HuntressLabs Threat Hunting and Tactical Response teams join forces to open new pages on an old playbook, leading to custom Havoc agent deployment via sophisticated DLL side-loading. huntress.com/blog/fake-tech…

Rem @sudo_Rem
Special thanks to @RussianPanda9xx for being my reverse engineering buddy and taking on the daunting task of working through the Havoc Demon capabilities while I lost my mind with the DLL payloads.
Rem @sudo_Rem
Adversaries leverage e-mail spam bombing, personal cellphone numbers, fake Outlook patches, and novel DLL side-loading cradles used to evade detections. But that's not all. Microsoft Detours, Hell's Gate, and highly obfuscated functions await us inside this demonic campaign. 👿
Rem @sudo_Rem
🧑‍💼"Your Outlook has an issue. Let me help you fix it." @HuntressLabs Threat Hunting and Tactical Response teams join forces to open new pages on an old playbook, leading to custom Havoc agent deployment via sophisticated DLL side-loading. huntress.com/blog/fake-tech…
Rem @sudo_Rem
@RobTerrin @IceSolst It's important to give back to the broader community IMO. Technical blogs are but one way of doing that-- pulling back the curtain on some tradecraft or malware and letting other people weaponize that information as well.
Rob Terrin @RobTerrin
@IceSolst That's fair! I think the difficulty with technical blogs is often they are true or impressive but not very useful to real organizations.
solst/ICE of Astarte @IceSolst
“How should cybersecurity companies do marketing?” Just look at @HuntressLabs and @ThinkstCanary:
- hire fantastic people
- publish blog posts to show off real, nuanced research
- no theatrical clickbait bs
- don’t put lamp shades on heads
- word of mouth does the rest
Rem @sudo_Rem
BinaryNinja and IDA screenshots side by side in the next blog. I suspect authorship won’t be hard to guess. @RussianPanda9xx 👀
Rem retweeted
Anton @Antonlovesdnb
Dropping a new tool today: TTPRunner
- One-click Vectr deploy
- Give it a threat report, PDF, or just plain-english instructions and it'll build an execution & simulation plan for you
- Executions are tracked via notes and automatically sync'd with Vectr
Works great with: github.com/Antonlovesdnb/…
Check it out! 🔽 github.com/Antonlovesdnb/…
Rem @sudo_Rem
sudorem.dev/blog/esql-topo… Back at it with another blog, featuring a newly designed website which I'm quite pleased with. This time we're discussing hypothesis driven hunting methodologies and statistical approaches to anomalous authentication detections.
Rem retweeted
Huntress @HuntressLabs
A single copy-paste got this cybercriminal on the network. 40 mins later? Both domain controllers were in scope. We break down the full chain—from ClickFix social engineering to hands-on-keyboard activity. Investigated by: @RussianPanda9xx + @sudo_Rem okt.to/ves7UN
Rem @sudo_Rem
Some tips for organizations using SonicWall SSLVPNs:
- SonicWall advised an Essential Credential Reset (sonicwall.com/support/knowle…) following the compromise of Cloud Backup services. We recommend heeding this advice and rotating all credentials.
- Ensure SonicWall appliances are operating on the latest SonicOS versions.
- Enable & enforce multi-factor authentication/TOTP maximally across SSLVPN accounts.
- If using LDAP, audit for Default User Group misconfigurations IAW this guide: sonicwall.com/support/knowle…
- Levy features such as account lockout, botnet protection, and password complexity requirements in SonicOS to help deter adversary access.
- And as always, SIEMs make a potent way to aggregate and retain logs to highlight and alert on this type of behavior.
Rem @sudo_Rem
🚨Widespread SonicWall SSLVPN Compromise
@HuntressLabs has observed a significant uptick in SonicWall SSLVPN intrusions stemming from DigitalOcean, LLC ASNs. This intrusion activity has resulted in 83 compromised SSLVPN accounts over 3 days, both local and LDAP-backed.
Source IPs
- 192.241.185[.]61
- 159.223.171[.]114
- 138.68.9[.]204
Details
- Many authentications were 'replayed' several hours later on some devices from the same source IP addresses.
- Multiple SonicWall SSLVPNs showed evidence of 10+ users compromised from the same source IP address.
- Authentications where multiple user accounts were compromised were performed alphabetically, with intermittent failures.
- Authentications were performed in short "bursts", where multiple user accounts were authenticated in the same 60 second period.
- Authentications rarely failed for users who were compromised-- that is, accounts maliciously accessed did not display characteristics of bruteforcing.
- This may suggest adversaries possess a valid username/password combination list, and are validating credentials automatically.
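The burst characteristics listed in the post above, turned into hunt logic as an added example (not code from the post or from Huntress): a Python pass over constructed SSLVPN authentication lines that flags a source IP reaching several distinct accounts inside one 60-second window and reports whether the usernames ran alphabetically and how often that source failed. The log format, the thresholds and the sample addresses are assumptions.

```python
"""Hunt for the SSLVPN login pattern described above: one source IP reaching
many distinct accounts in 60-second bursts, alphabetically, with few
failures.  The log lines are constructed, not real SonicWall output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

def parse(lines):
    """Yield (timestamp, source_ip, user, succeeded) for each parsable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"] == "success"

def find_bursts(lines, window=timedelta(seconds=60), min_users=3):
    """One finding per source IP whose successful logins to >= min_users
    distinct accounts fall inside a single window, with pattern indicators."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))
    findings = []
    for src, events in by_src.items():
        events.sort()
        successes = [(ts, u) for ts, u, ok in events if ok]
        for i, (start, _) in enumerate(successes):
            burst = [u for ts, u in successes[i:] if ts - start <= window]
            users = list(dict.fromkeys(burst))  # distinct, order preserved
            if len(users) >= min_users:
                failures = sum(1 for _, _, ok in events if not ok)
                findings.append({"src": src, "users": users,
                                 "alphabetical": users == sorted(users),
                                 "failure_ratio": failures / len(events)})
                break  # one finding per source IP is enough for triage
    return findings

# Constructed sample log (not real SonicWall output).
SAMPLE_LOG = """\
2025-10-12T03:14:05Z src=203.0.113.7 user=anna result=success
2025-10-12T03:14:12Z src=203.0.113.7 user=bob result=success
2025-10-12T03:14:20Z src=203.0.113.7 user=carl result=failure
2025-10-12T03:14:31Z src=203.0.113.7 user=dana result=success
2025-10-12T03:14:40Z src=203.0.113.7 user=erik result=success
2025-10-12T09:02:11Z src=198.51.100.4 user=bob result=success
2025-10-12T09:45:50Z src=198.51.100.4 user=bob result=failure
""".splitlines()
```

Running `find_bursts(SAMPLE_LOG)` returns one finding for 203.0.113.7 with four alphabetically ordered users and a 0.2 failure ratio, while the single-user source is ignored.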
Rem retweeted
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
Tuesday morning, the Tactical Response crew @HuntressLabs just got together and slammed out a blog within a day, covering how threat actors are abusing a legit employee monitoring tool (Net Monitor for Employees) alongside SimpleHelp as a dual-tool persistence setup, leading to Crazy ransomware. The level of dedication to print W's not just for profit but for the community is unmatched. Proud to be part of this team ♥️ huntress.com/blog/employee-…