Thierry_4N6S 🇺🇦 (@thierry_4n6s)'s Twitter Profile

ID: 538258738

27-03-2012 15:45:47

7.7K Tweets

170 Followers

241 Following

Nathan McNulty (@nathanmcnulty):

Oh hell yeah, this is cool!

DeviceNetworkEvents
| where RemoteIPType == "Public"
| where InitiatingProcessVersionInfoOriginalFileName in ((
    externaldata ( Name:string ) [ "https://lolbas-project.github.io/api/lolbas.csv" ] with (format=csv, ignoreFirstRecord=true)
    | distinct Name
))

#MDE

ANY.RUN (@anyrun_app):

🚨 #SliverC2 is a command-and-control framework widely used by threat actors
👾 It performs post-#exploitation activities and supports multiple connection protocols like #WireGuard

Learn more and collect #IOCs & samples
🔗 any.run/malware-trends…

Dr.Philippe Vynckier, CISSP - Influencer 🇺🇦 (@pvynckier):

Malicious apps on Google Play: how threat actors use the DNS protocol to covertly connect trojans to C&C servers news.drweb.com/show/?i=14935&…

Kathryn Hedley (@4enzikat0r):

My #parseusbs #DFIR tool got a small update this week to fix an issue on Linux - now tested on Windows cmd/PowerShell, WSL (the best!), & Ubuntu

Parse USB connection artifacts from a Windows volume, including registry & event log data (or offline hives)

github.com/khyrenz/parseu…

Rudy Ooms | MVP 🇳🇱 (@mister_mdm):

Local Administrator Protection is Here!!!!

At #Ignite2024 , #Microsoft finally officially announced the Local Administrator Protection feature for #Windows11! This game-changing update replaces traditional admin accounts with just-in-time privileges, securing admin rights like

Zscaler ThreatLabz (@threatlabz):

Check out our technical analysis of #RaspberryRobin's multilayered approach to thwarting analysis and evading detection.

Read the full technical analysis here: zscaler.com/blogs/security…

Cryptolaemus (@cryptolaemus1):

#BruteRatel - #Latrodectus - .pdf > url > .js > .msi > .dll

wscript.exe Document-v20-19-06.js

msiexec.exe /V

rundll32.exe C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

(1/3)👇

IOCs
github.com/pr0xylife/Latr…

Ali Hadi | B!n@ry (@binaryz0ne):

Reading NTFS Dataruns #DFIR #Filesystems 

This video explains how to locate and read NTFS dataruns in order to find the file clusters. It also covers parsing fragmented files and how to read their dataruns too.

youtube.com/watch?v=6WFUM5…

Who said what? (@g0njxa):

A Windows #Clickfix alternative seen in the wild on a mass-spreading malware campaign bypassing traditional Win+R shortcut restrictions

User is asked to open the Windows Power User menu (Win+X), open a PowerShell terminal and paste and run a malicious Clickfix-style command

Ayush Anand (@securityinbits):

ClickFix just got clever - ditched Win+R for Win+X (Power User Menu) ⚠️

New variant drops Lumma after Defender exclusion:

- Prompts for elevation until the user accepts
- Adds Defender exclusion on %temp%
- Drops & runs Lumma

Multiple Sigma rules fired 💥

Process Tree👇