The Haag™ (@m_haggis) Twitter Profile
The Haag™

@m_haggis

Threat Researcher | Co-Host of Atomics on a Friday | LOLDrivers & Atomic Red Team Maintainer | I'm Everywhere and Nowhere - BSG.

ID: 1511531

Link: http://haggis-m.medium.com
Joined: 19-03-2007 14:38:45

6.6K Tweets

8.8K Followers

2.2K Following

Christopher Glyer (@cglyer)

The Haag™ That is a great write-up! IIS modules are one of my “favorite” persistence mechanisms (they can be hard to find for defenders). You mentioned it in your blog post - but for those looking for additional reading on IIS modules: microsoft.com/en-us/security… & microsoft.com/en-us/security…

The Haag™ (@m_haggis)

So I was deep in my webshell era this week 🧙‍♂️🕸️💻 and—plot twist—I totally got owned... by myself 😂

Naturally, I pulled the classic move:
Did I read the source?
Nope.
Did I run it anyway?
YOLO 🪂💥

Next thing I know, it casually goes full ninja mode and drops:

cmd.exe ➡️

The Haag™ (@m_haggis)

🔥 I've been talking about IIS modules for a while now 🗣️

The Splunk Threat Research Team just released our blog around CVE-2025-53770 SharePoint attacks and how some adversaries are using IIS modules for persistence 💀

🎯 Ways to hunt and gather these sneaky DLLs
🔍 Detection
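
Both the reply above about IIS modules being hard for defenders to find and this post about hunting the DLLs adversaries register for persistence come down to the same triage step: inventory what IIS is actually loading and compare it against what should be there. The script below is an added example, not code from either post, the Splunk blog, or any tool the feed mentions. It assumes a default IIS install (applicationHost.config under %SystemRoot%\System32\inetsrv\config) and an elevated PowerShell session on the web server; the "suspicious" rule (DLL must exist, live under inetsrv, and carry a valid Microsoft signature) is a heuristic of my own, not a vendor rule.

```powershell
# Added example (not from the posts above): inventory the native IIS modules
# registered server-wide in applicationHost.config and flag any whose DLL is
# missing, unsigned, not Microsoft-signed, or loaded from outside inetsrv.
# Assumes a default IIS install path; run from an elevated prompt on the host.

$inetsrv    = Join-Path $env:SystemRoot 'System32\inetsrv'
$configPath = Join-Path $inetsrv 'config\applicationHost.config'
if (-not (Test-Path -LiteralPath $configPath)) {
    throw "applicationHost.config not found at $configPath"
}

[xml]$config = Get-Content -LiteralPath $configPath -Raw

# <globalModules> lists the native (DLL) modules loaded into every worker process.
# XPath is used because parts of the file sit under <location> wrappers.
$globalModules = $config.SelectNodes('//system.webServer/globalModules/add')

$report = foreach ($m in $globalModules) {
    # Images are normally written as %windir%\System32\inetsrv\foo.dll
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image

    $status = 'MissingFile'
    $signer = '<n/a>'
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $image
        $status = [string]$sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }

    # Heuristic: a module that is not a validly Microsoft-signed DLL under inetsrv
    # deserves a closer look. Third-party modules will trip this and need vetting.
    $inInetsrv = $image -like "$inetsrv\*"
    $msSigned  = ($status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Module     = $m.name
        Image      = $image
        Exists     = $exists
        SigStatus  = $status
        Signer     = $signer
        Suspicious = -not ($exists -and $inInetsrv -and $msSigned)
    }
}

$report |
    Sort-Object @{ Expression = 'Suspicious'; Descending = $true }, Module |
    Format-Table -AutoSize

# Managed modules are the second place to look: <modules><add name="..." type="Ns.Class, Assembly" />
# entries load .NET assemblies from the GAC or a site's bin folder. They can be set
# server-wide here or per site in web.config, so repeat this check against each web.config.
$config.SelectNodes('//system.webServer/modules/add[@type]') |
    Select-Object name, type, preCondition
```

Treat the Suspicious column as a starting point for a hunt, not a verdict: legitimate third-party modules (WAFs, URL rewriters, monitoring agents) will be flagged because they are not Microsoft-signed, and an attacker can also register a module through appcmd or by editing the XML directly, so pair this inventory with file-creation telemetry on the inetsrv and site directories and with a baseline taken from a known-good server.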

Anton (@antonlovesdnb)

Got a new Huntress blog out today taking a look at some intrusion analysis methodology with practical examples - check it out! huntress.com/blog/intrusion…

The Haag™ (@m_haggis)

Grateful that a community project like LOLRMM went from this weekend hackathon to full blown project now mentioned by CISA: cisa.gov/news-events/cy…

nafiez (@zeifan)

I did an analysis of the TPwSav.sys driver and wrote a proof of concept exploiting the arbitrary physical memory read and write primitive for fun :) You can find the quick write-up here, zeifan.my/TPwSav-Driver-… Blackpoint analysis: blackpointcyber.com/blog/qilin-ran…

Magic Sword (@magicswordio)

LOLRMM.io now tracks over 290 RMMs, with new ones being added regularly. These tools provide legitimate functionality but are frequently repurposed by attackers. Read here: buff.ly/oNbWfa6 

If you're not using them in your setup, why allow them to run?

The Haag™ (@m_haggis)

🚀 It's been almost a year since ShellSweepX dropped 🐚🧹

🎯 Time to TAKE BACK THE LAND from threat actors! 🛡️

🔥 Hunt Smarter, Hunt Harder with:
🤖 AI-powered analysis (Claude & GPT-4o)
📊 ML models YOU can tune
🎯 YARA rule integration
📈 Entropy & standard deviation analysis

Florian Roth ⚡️ (@cyb3rops)

I’m using this on a set of web servers.

THOR Cloud runs daily scans, and if a web shell or reverse shell gets dropped, I get an alert in Slack - no manual checks needed.

Here’s how to set this up yourself 👇

How to get notified shortly after a web shell lands on one of your

Nasreddine Bencherchali (@nas_bench)

[New Blog 📚] The Ghost in the Logs: DFIR Through a Palimpsest Lens

In this latest blog, I try to link the literary and historical concept "palimpsest" into the DFIR world.

“Forensic echoes” linger for those who are quiet enough to listen.

Read More - nasbench.medium.com/the-ghost-in-t…

Nasreddine Bencherchali (@nas_bench)

[New Blog 📚] From Telemetry to Signals: Designing Detections with an Audience in Mind

A Schrödinger’s Detection is a detection that is both great and bad at the same time to two different audiences

In this short blog, I try to illustrate how knowing the audience consuming your

Jose Enrique Hernandez (@_josehelps)

LOLdrivers.io now has SIEM queries and a tool section for those looking to operationalize the data. Thanks to Mehmet Ergene (@Cyb3rMonk) and The Haag™ (@M_haggis) for sharing the queries with the community!

Also shout out to Tenable (@TenableSecurity) for sharing the Nessus plugin, Oddvar Moe (@Oddvarmoe) for the

Nasreddine Bencherchali (@nas_bench)

[New Blog 📚] The Fragile Balance: Assumptions, Tuning, and Telemetry Limits In Detection Engineering

If you ever struggle with false positives and the idea of tuning detections. This is for you.

Read More - nasbench.medium.com/the-fragile-ba…