Nasreddine Bencherchali (@nas_bench)
Followers: 11K | Following: 24K | Media: 1K | Statuses: 8K
Detection @Splunk & @cisco | previously @nextronsystems | @sigma_hq & @magicswordio maintainer | Eternal Learner
Location: HAL
Joined August 2011
If you ever wondered what goes into merging a Sigma rule in the @sigma_hq repo, check out the latest blog. SigmaHQ Quality Assurance Pipeline - https://t.co/A2OuF1VOcw We delve into the process we go through to ensure the community contributed rules are up to par.
Reversing Microsoft Defender's signatures for evasion. Deep dive into VDM guts - gzip-compressed files with no encryption, allowing entire signatures to be evaded with just a 1-byte change. Research by the RETooling crew (@DrCh40s && @t0nvi). Nicely done, chaps! Post: https://t.co/jpjmDl10f9
RPC Part 6 is live. I cover the toolset for external RPC research, demonstrate how to enumerate network interfaces without authentication using rpcmap, and show how to call custom RPC functions with Impacket to help develop an external fuzzer. https://t.co/CrTKM6vrD9
Link preview (sud0ru.ghost.io): Welcome to the new part of the IPC series. This is the sixth part, about RPC, where we will talk about external tools you can use to conduct RPC research. To get good research results you need a good...
If you've used TryHackMe, you're probably in the top 1% of hackers 🤓
If you’ve used IDA or binja or any RE tool, you’re probably in the top 0.1% of security experts. You don’t have to use RE tools to be an expert, but if you have, you’ve put yourself in situations interesting enough that you must be good.
Ready, Set, Rumble! The wait is over – Sonic Rumble is live worldwide on iOS, Android, and Steam 🌍 Join Sonic in the ultimate arcade royale where up to 32 players battle for glory!
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ https://t.co/Vo9XksEfmn
Link preview (specterops.io): AdminSDHolder is an object and associated process in Active Directory Domain Services (AD DS) that helps protect specific sensitive and highly privileged accounts from being manipulated. This topic...
For all of the contributors that aim to propose enhancements or additions to the @sigma_hq specification in the future. We have introduced a new issue template that aims to track these proposals. We're calling it SEP (Sigma Enhancement Proposal). The template contains all the
@yamatosecurity @sigma_hq It will work like that already. experimental will be reserved for untested rules. test will be tested and stable is for tested and unchanged rules for the past 90 days. We already have enforcement in place that will ensure that if you set test/stable you MUST have a linked test.
Link preview (github.com): Summary of the Pull Request. This PR adds a CI for regression testing as well as links to simulation frameworks like Atomic Red Team in SigmaHQ. Regression Testing: The idea is that every rule will st...
Chat are we cooked 🍚
Now in private beta: Aardvark, an agent that finds and fixes security bugs using GPT-5. https://t.co/xwtJhfDM3X
🔥 CVE-2025-59287 | Splunk Security Content Drop 🔥
🚨 WSUS RCE goes deeper than expected! While digging into telemetry for CVE-2025-59287, we found a twist:
💥 Common chain → wsusservice.exe → cmd.exe or w3wp.exe → cmd.exe
⚙️ Alternate chain → mmc.exe → cmd.exe when an
Regression (True Positive) testing is coming to @sigma_hq starting from the next rule release in December. We will introduce a new CI that will validate a rule against a log. We will start with EVTX logs and extend beyond to other formats and logsources We're also introducing a
New Sigma release r2025-10-01 is available for download.
🌟 37 New Rules 🛡️ 16 Rule updates 🔬 45 Rule Fixes
Here is a quick overview:
- New AWS and GitHub based rules covering deletion of VPC flows, KMS imports, changing archive status or pages of a repo
- Winrs usage as a
We'd love to see more feedback from orgs that rely on Sigma rules. Even simple stats from production use are valuable.
- A rule of level high that triggered 236,992 times probably needs rework.
- A rule of level critical that triggered 234 times probably needs rework.
- A rule of
Fun @sigma_hq stats for the end of the week. We have now reached 22 million package downloads since we started doing package releases 2 years ago. We also crossed 5700 PRs/Issues :)
Just posted a write-up on a DC hang traced to a deadlock inside LSASS. I break down call stacks, the blocked threads, and how doing LDAP work in DllMain triggered the issue.
Link preview (medium.com): TLDR: For weeks a customer saw random domain controllers freeze with no clear errors in Event Viewer. It looked like network timeouts and…
Remember an EDR has to cover one or a few implementations of a technique in order to claim coverage. Whilst you don't need (nor want) to be covered in all implementations, you might wanna know which are covered and if they matter for your use case.
Today I am happy to release a new blog post about Pointer Authentication (PAC) on Windows ARM64! This post takes a look at the Windows implementation of PAC in both user-mode and kernel-mode. I must say, I have REALLY been enjoying Windows on ARM!! https://t.co/isnItJ0nb3
Link preview (preludesecurity.com): Explore how Windows implements Pointer Authentication (PAC) on ARM64, covering bootloader setup, per-process keys, HyperGuard, and memory-safety defenses.
🚨 New ClickGrab Updates! I just dropped a video walking through the latest enhancements to ClickGrab:
🧩 Brand-new ClickFix techniques
🌐 Community feed integration from Carson ➡️ https://t.co/1ryWC5T7hl
🔀 Updates to the redirect follower
📄 Raw HTML of the compromised sites
1⃣ The @Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.
Link preview (huntress.com): Beginning in mid-2025, Huntress discovered a new tool being used to facilitate webserver intrusions known as Nezha, which up until now hasn't been publicly reported on. This was used in tandem with...