Christopher Glyer
@cglyer
Microsoft Threat Intelligence Center - Former Incident Responder & Chief Security Architect @Mandiant
After more than a decade - today is my last day @FireEye. Taking a job @Mandiant was one of the best decisions I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
New updates to the blog today w/focus on Storm-2603 (lots of community interest) “we have observed…Storm-2603, exploiting these vulnerabilities to deploy ransomware” Blog includes Storm-2603 TTPs, persistence (IIS backdoor & fast reverse proxy usage), C2 servers, & new IOCs
MSTIC blog on SharePoint exploitation. At least 3 actors exploiting CVE-2025-49706 & CVE-2025-49704 as early as July 7: Linen Typhoon, Violet Typhoon, Storm-2603 (CN-based actor deployed Warlock & Lockbit ransomware in past - current motivation unknown) microsoft.com/en-us/security…
This mitigation is critical (esp based on Storm-2603 exploitation) and I expect it's most likely to be overlooked: 🔃🔑 Rotate SharePoint Server ASP.NET machine keys • After applying the latest security updates above or enabling AMSI, it is critical that customers rotate…
Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: msft.it/6015sE1p5
I'm taking a 2 second break from the other shitshow to bring you some delicious lore regarding DPRK IT Workers and their love of Minions. 😄 wsj.com/lifestyle/nort…
Update: Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771.
Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply these updates immediately to…
Speakeasy is still one of my favorite tools. I needed a quick way to validate keying techniques on some C payloads and whammy github.com/mandiant/speak…
New in the Defender XDR advanced hunting platform, GraphApiAuditEvents - any blue team, threat hunter or those working on detections should make sure they get familiar with this data, it can be key for detecting malicious activity in your environment. It shows information about…
Wow. Spain is putting Salt Typhoon out of business. They are just going to hand it all to them: Huawei contracted to manage their wiretaps…. therecord.media/spain-awards-c…
Well... that's one way to address the threat of the PRC hacking into your infrastructure to steal your wiretap intercepts. I guess.
Huawei will manage and store judicially authorized wiretaps in Spain, under a contract that bucks the trend of Western governments restricting use of the Chinese tech company's products and services therecord.media/spain-awards-c…
Google Threat Intelligence Group published technical documentation on UNC6040, a financially motivated threat cluster specializing in voice phishing campaigns targeting Salesforce environments. 📍 "UNC6040 has demonstrated repeated success in breaching networks by having its…
Fun little experiment: are LLMs trained on leaked but still classified data? (And/or good at retrieving knowledge from those leaked primary source documents)? Test: "What was CROSSBONES in an NTOC context?" Answer is 100% classified, not in blogs or press coverage.
We've released Procmon for Linux, Sysmon for Linux, and SysinternalsEBPF with Azure Linux 3.0 support! Get the tools at sysinternals.com. See what's new on the Sysinternals Blog: techcommunity.microsoft.com/blog/Sysintern…
I take it that Grok’s latest training round included the playing cards from Cards Against Humanity
Creating on-the-fly graphs with #Kusto is nice via make-graph, but what if Kusto could natively handle graphs as a data source just like it does with tables? Meet Persistent Graphs, now in preview: 📎learn.microsoft.com/en-us/kusto/ma… ➡️ azure.microsoft.com/en-us/updates/…
This tweet thread discusses how to use #Kusto explorer to graph data on the fly. ➡️ Get kusto explorer: aka.ms/ke ⬇️ Read on!