Automating CrowdStrike Network Containment

In a previous post, we showed how Velociraptor and CrowdStrike can work together to speed up the deep‑dive phase of an investigation. One topic left open was containment. When an EDR flags genuinely high‑risk behaviour, isolating the host is often the safest move, and—if your rules are well tuned—doing it automatically is even better. […]
Ivanti Connect Secure CVE-2025-0282 DslogdRAT Analysis

At the beginning of the year, we investigated a cluster of Ivanti Connect Secure gateways that attackers had breached via CVE-2025-0282. If you missed the story, Mandiant’s write-up laid out a polished, multi-stage operation that combined code redirection, web-shell deployment, and meticulous clean-up. Last week, Florian Roth pointed us to a follow-up from JPCERT/CC that […]
COM Hijacking from a Defenders Perspective

To me, getting into COM was not as trivial as I thought. The first time I encountered COM was many years ago, when I had to identify CLSIDs for Escalation of Privileges on Windows systems. In this blog post, we aim to provide some ideas for blue teamers to detect a specific attack targeting COM, […]
Combining the Raptors – Incident Response using Velociraptor and CrowdStrike Falcon

Although CrowdStrike is a powerful EDR, incidents still happen, even when using thorough prevention policies. In this post, we will use CrowdStrike Falcon in combination with Velociraptor to streamline our incident response processes. If you want to learn more about Velociraptor, check out their docs or one of our previous blog posts, in which we […]
Lumma Stealer Distribution via Fake CAPTCHAs

Last September, I received an email about a supposed security issue in one of my GitHub repositories. The sender claimed they had discovered vulnerabilities in my code and directed me to an external site, github-scanner[.]com, for more information. Once there, I was presented with a CAPTCHA that purportedly confirmed my identity as a human. At […]
Manually Deploying Velociraptor in Microsoft Azure

Velociraptor is an excellent tool for digital forensics and incident response, and their docs already explain how to configure things in the cloud with Google domains. But what if you’re an Azure aficionado? That’s where this post comes in. Key Learnings in this Post Creating the Virtual Network Let’s begin by setting up our virtual […]