Evidence at the Moment of Attack. Answers at AI Speed.
Wiz Sensor Forensics is now generally available - automatically capturing forensic artifacts at the moment of detection and using AI to accelerate investigation for SOC and IR teams...
CVE-2026-40029 parseusbs < 1.9 Command Injection via Crafted LNK Filename
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename wi...
CVE-2026-40029
Technical details (affected product/component/version, root cause, impact, and remediation) are not publicly provided in the supplied documents; monitor for updates.
The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts
Introduction Windows 11 was released a few years ago, yet it has seen relatively weak enterprise adoption. According to statistics from our Global Emergency Response Team (GERT) investigations, as recently as early 2025, we found that Windows 7, which reached end of support in 2020, was encountered...
RCE to Sliver: IR Tales from the Field
Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog. Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the sourc...
Douglas-042 - Powershell Script To Help Speed Up Threat Hunting Incident Response Processes
DOUGLAS-042 stands as an ingenious embodiment of a PowerShell script meticulously designed to expedite the triage process and facilitate the meticulous collection of crucial evidence derived from both forensic artifacts and the ephemeral landscape of volatile data. Its fundamental mission revolve...
Using Velociraptor for large-scale endpoint visibility and rapid threat hunting
TL;DR Network-wide collection, acquisition and monitoring tool for use in DFIR engagements Designed for enterprise networks 150k+ Deployments aren’t unheard of Boasts many features that your commercial EDR has, and a few more Flexible querying language that can adapt to new threats and encourages...
Join us for VeloCON 2023: Digging Deeper Together!
September 13, 2023 at 9 am ET Rapid7 is thrilled to announce that the 2nd annual VeloCON: Digging Deeper Together virtual summit will be held this September 13th at 9 am ET. Once again, the conference will be online and completely free! VeloCON is a one-day event focused on the Velociraptor...
VeloCON 2023: Submissions Wanted!
Rapid7 is thrilled to announce that the 2nd annual VeloCON virtual summit will be held this September date TBD, with times oriented to the continental USA time zones. Once again, the conference will be online and completely free! VeloCON is a one-day event focused on the Velociraptor community...
LEAF - Linux Evidence Acquisition Framework
Linux Evidence Acquisition Framework LEAF acquires artifacts and evidence from Linux EXT4 systems, accepting user input to customize the functionality of the tool for easier scalability. Offering several modules and parameters as input, LEAF is able to use smart analysis to extract Linux artifact...
Looking Over the Nation-State Actors’ Shoulders
Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes By Trellix and Marc Elias · February 17, 2022 Have you ever been curious about how nation-state actors operate and what their day-to-day work looks like? This blog reveals some of these details observed base...
MDR Vendor Must-Haves, Part 1: Deep Observation of Real-Time Endpoint Data
This blog post is part of an ongoing series about evaluating Managed Detection and Response (MDR) providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.” Assessing Managed Detection and Response (MDR) vendors is no easy task. However, evaluating each based on...
Chinese APT Hackers Target Southeast Asian Government Institutions
Cybersecurity researchers today unveiled a complex and targeted espionage attack on potential government sector victims in South East Asia that they believe was carried out by a sophisticated Chinese APT group at least since 2018. "The attack has a complex and complete arsenal of droppers,...
Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya
In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations often include custom or proprietary log formats and miscellaneous, non-traditional forensic artifacts. There are, of...
Finding Evil in Windows 10 Compressed Memory, Part Two: Virtual Store Deep Dive
Introduction This blog post is the second in a three-part series covering our Windows 10 memory forensics research and it coincides with our BlackHat USA 2019 presentation. In Part One of the series, we covered the integration of the research in both Volatility and Rekall memory forensics tools. We...
How CB LiveOps Helps with Incident Response
Security and IT Operations teams often have no reliable way to assess the current state of endpoints across their enterprise, leading to increased risk of breach, inability to make informed remediation decisions, and unnecessary spending on infrastructure maintenance. A real-time endpoint query a...
Carbon Black Report: A Case Study on No More IR Busy Work
From discovery to data acquisition to remediation, IR teams might spend hours of their precious time doing tedious labor — for instance, going in and grabbing an organization’s relevant forensic artifacts such as event logs one by one. What IR teams want to spend time doing: finding the bad guys...
Cold Disk Quick Response: CDQR
Cold Disk Quick Response tool The CDQR tool uses Plaso to parse disk images with specific parsers and create easy to analyze custom reports. The parsers were chosen based on my experience and triaging best practices and the custom reports group like items together to make analysis easier. The...