Blue team notes is a GitHub cheatsheet of one-liners and scripts I’ve found helpful during incident response and general blue team work

Has my content ever helped you? I'd appreciate you making it known 🥰 After more than 6 years of free content, for the 1st time ever I've been nominated for a #SANSDMA Award 👀🎉 Voting is open until October 8 and I'm alongside other worthy recipients🙏 https://t.co/ctp1FxUDtv

As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which was presented at DEFCON. Props to @Cyber4a53 for find. https://t.co/ktPlOJkekW CC: @HuntressLabs 👇

More IPs 64.44.118[.]206 185.199.103[.]100

104.238.220.216 193.163.194.7 194.33.45.155

More IPv4s 193.239.236[.]149 104.238.205[.]105

🔐 Advice from Huntress Disable SonicWall VPN if possible If not, restrict by IP & segment networks No SonicWall comms yet, contact their support IoCs we can share IPv4s: 142.252.99[.]59 45.86.208[.]240 77.247.126[.]239

🚨 SonicWall Exploitation (Zero Day?) 🚨 Huntress is tracking active intrusions via SonicWall devices. Threat actors are bypassing MFA, pivoting to domain controllers, deploying ransomware (likely Akira), and creating users for persistence. Pace suggests possible zero-day

New @Huntress blog! @Purp1eW0lf and I share some old defense evasion tactics from a well-commented script used by Xinglocker in 2021 still being used today! Make sure you can detect them! #detectionengineering #ransomware https://t.co/kISGPUhjJg

Got a new @HuntressLabs blog out today taking a look at some intrusion analysis methodology with practical examples - check it out! https://t.co/cb61n4nFCB

Ludushound shows the power of community driven innovation in cybersecurity. @bagelByt3s created an awesome tool to convert bloodhound data into a working lab in 🏟️ Ludus. Replicate complex live environments with automation - and get back to the fun stuff! https://t.co/19qfjRwaOA

Interesting hands-on-keyboard case today @HuntressLabs -> Suspected VPN initial access -> TA used this to RDP to DC & RDS -> TA created a hidden accounts for persistence -> TA attempted to clear logs for defence evasion -> Huntress evicted TA 😎

Did you know TypedPaths artifact can be helpful to detect the FileFix?

The /proc/net/packet file on Linux shows you all open raw sockets that are grabbing network traffic. I'm going to show you what is in this file and provide a script that lists all processes sniffing traffic to help find malicious sniffers.

Got a new blog out today with my colleagues @xorJosh & @Purp1eW0lf looking at how we utilize ASNs during hunts & investigations at @HuntressLabs - check it out! https://t.co/APjy6rSEdl

🚨 [ New blog ] out today with my 🐐 colleagues @xorJosh and @Purp1eW0lf - this case started with a simple brute force and ended with some really interesting findings - check it out! https://t.co/WllSCwpwAl

Got a new @HuntressLabs blog out today looking at a case that @Purp1eW0lf @xorJosh and I worked on recently - VPN compromise, lateral movement, Veeam exploitation & some methodology notes throughout that newer folks might find particularly interesting! https://t.co/VHIlySEXdM

Fake Generative AI App leads to NetSupport RAT infection

Suspected initial access malware spreading via fake captcha, utilising trycloudflare domains

@birchb0y has an really amazing blog on similar activity he previously looked into: https://t.co/iAqo5by1yl

🚨 The RMM threat landscape is evolving! 🚨 Recent attacks, like those highlighted by @HuntressLabs 🛡️ & CERT-UA 🇺🇦, show how adversaries 🎭 weaponize RMM tools 🛠️ for persistence 🔒 & lateral movement ↔️. 🔍 Enter LOLRMM: your 🧙‍♂️ ally in detecting 👀 & preventing 🚫 RMM abuse.