Connected (@lucyiszombie)'s Twitter Profile
Connected

@lucyiszombie

Purple Team in my bones
- More More More
goblinloot.net github.com/QueenSquishy

ID: 1500048159887831052

05-03-2022 09:58:55

2,2K Tweet

887 Followers

273 Following

Kostas (@kostastsale)

I’ve moved all of my blog posts from Medium to a new blog section on my personal website. If you’re looking for a good read, I’d recommend my Cobalt Strike write-ups (Part 1 & Part 2) from 2021–2022. Much of it remains applicable today, along with the threat hunting series,

tom square (@harold9850)

Merry Christmas to everyone in the Cybersecurity field, and a special Merry Christmas, to the best EDR in the game, CrowdStrike. Thank you for keeping companies who use CS EDR safe during the holidays when threat actors are lurking. You truly are unbypassable nor killable CS.

deceptiq (@deceptiq_)

Registry persistence is well-documented - and unsurprisingly well-detected. We explore a lesser-known technique for arbitrary registry writes against HKCU at medium integrity - without triggering registry callbacks. And in turn those detections. deceptiq.com/blog/ntuser-ma…

Kostas (@kostastsale)

We’ve just added C-Prot EDR to the EDR Telemetry Project and it sets a new bar for Linux telemetry! C-Prot is currently #1 in the Linux EDR table, with exceptional depth and quality of raw telemetry. What really stands out is the level of transparency: we got direct access

Connected (@lucyiszombie)

understanding necessary vs sufficient conditions and execution vs behaviour modality is super important otherwise all your detections end up with mistakes like this but that's the fun!

Kostas (@kostastsale)

EDR Comparison Platform Update: New Interactive Comparison Experience, MITRE ATT&CK Insights, and WatchGuard EDR We want to start by thanking everyone who supported us as early

sapir federovsky (@sapirxfed)

WOW. Amazing talk. I thought it's not possible anymore to compromise First party applications. I really recommend watching it. Regardless of the content, it's a very funny talk😂 Thanks! Vaisha Bernard youtube.com/watch?v=sWV_3k…

Connected (@lucyiszombie)

when they bring out the app store on the neuralink I'm going to make an app that reads your brain and tells you which song will sound the best at that moment in time

DFIR Diva (@dfirdiva)

📣 I partnered with 13Cubed for a Valentine's Day Giveaway! 🎁 🏆 1 Grand Prize winner will receive one course of their choice from the list below + a 13Cubed Investigator T-Shirt. Courses: - Investigating Windows Endpoints - Investigating Windows Memory - Investigating

5pider (@c5pider)

Havoc Professional Finally Released! 🕸️🕷️ Since our last blog post introducing the Havoc Professional framework and the Kaine-Kit, we've been refining the framework behind the scenes while also welcoming bakki as a new member of our team. This blog post covers the numerous

5pider (@c5pider)

One of the questions I have received a lot of times and was important to me was making Havoc agnostic to external services such as for reporting, logs and more. With this being said it is really easy to write components for both the backend, frontend (client), and for the agents

5pider (@c5pider)

I release a short demonstration of the Kaine Extension System, allowing the operator to fully configure what features and evasion capabilities the agent should have and contain. youtube.com/watch?v=a8YZPl…

5pider (@c5pider)

I have released another video about Havoc Professional! This video is demonstrating the "Fallback Listeners" capability which allows the operator to embed additional listener configurations into the implant in case the primary or secondary listener fails. Link below🔗

rcegan (@rcegann)

My infosec/mixed tech RSS feed: - Bleeping Computer (some sponsored slop gets through) - 404 Media - MIT Technology Review - Detect FYI (shoutout Alex Teixeira) - TrustedSec - BadSectorLabs - DFIR Report - Kostas on Medium - Lucy (goblinloot.net / Connected) - MS tech

VMRay (@vmray)

🚨Alert: New cryptocurrency stealer likely written in Zig 🔬Report: vmray.com/analyses/vidar… We found a multi-stage infection chain delivering what appears to be a new cryptocurrency clipper, likely written in Zig. The infection begins with Vidar, which drops a heavily obfuscated

5pider (@c5pider)

Another small demonstration video is online! In this demonstration we are going to cover the vm-filesystem project which utilizes the Firebeam Virtual Machine to interact with the target filesystem and monkey patch python methods which the File Browser uses to interact with the