On this day in 2009 the very first release of Security Onion hit the Internet. A lot has changed since then, but it's still the best free and open solution to help you peel back the layers of your network and see what's really happening.
IRFlow Timeline v1.0.7 is live.
This one focuses on a problem I think DFIR teams will see more often: AI assistant usage becoming part of the investigation surface.
You can now collect and normalize local AI usage history from tools like Claude Code, ChatGPT Desktop, Cursor, GitHub Copilot, OpenAI Codex, Gemini CLI, Continue, Windsurf, and Claude Desktop into a unified timeline view.
Also added AI Secret Hunt, which helps identify secrets, tokens, API keys, private keys, and credentials that may have been pasted into AI assistants during real investigations or day-to-day engineering work.
The goal is simple: make AI app activity easier to preserve, search, tag, and correlate during incident response. AI usage is becoming part of the forensic record. We need tooling that treats it that way.
Link in the comment ⬇️
#DFIR #IncidentResponse
Introducing Threat Hunting Playground. Now live in Threat Hunting Labs!
Launch a disposable Elastic or Splunk lab, run controlled adversary emulation, hunt the telemetry, and validate detection ideas against observed events.
Telemetry available out of the box includes:
- Windows labs: Sysmon, Windows event logs, FLARE VM tooling, and Elastic Defend EDR when using Elastic environments.
- Linux labs: Sysmon for Linux, auditd, syslog, and Elastic Defend EDR when using Elastic environments.
- Full emulation labs: a Kali attacker box equipped with Sliver, PoshC2, Merlin, and other tooling so you can test C2 workflows and detections hands-on in a controlled lab.
Navigate to the Atomic catalog, run an approved emulation with one click, inspect the resulting telemetry in your SIEM, or access the target host yourself and experiment as much as you want.
Run. Hunt. Validate.
Watch:
https://t.co/Zn751KBEXP
Read the blog post:
https://t.co/09qas8gBye
10 LINKS THAT WILL CHANGE HOW YOU LOOK AT THE INTERNET FOREVER.
Save this list. Most people will never see it.
1. https://t.co/UnDnW16EM2
Shows every data breach your email has ever leaked in.
2. https://t.co/DWPtjQdmaY
Reveals every social profile and login tied to any email address.
3. https://t.co/b0di40J0mR
Tells you how trackable your browser fingerprint really is.
4. https://t.co/3oOgXHyaCp
Checks if your VPN is actually working or silently exposing your real IP.
5. https://t.co/M49l1nqMGf
Direct links to delete your account from any major service.
6. https://t.co/s6MXurFwoY
Scans any file or link against 70+ antivirus engines in seconds.
7. https://t.co/LHTmczBjTS
Shows if your face was used to train AI models without consent.
8. https://t.co/rF6OanX5a0
Exposes every piece of data your browser leaks to websites.
9. https://t.co/2AUNi4oSDr
Tells you which apps on your PC are bloatware or spyware.
10. https://t.co/7SLjuIK4GR
Removes paywalls from news sites so reading stays free.
Thanks me later.
Our printed documentation book has been updated for Security Onion 3.1 and is available from Amazon now!
For those who don't know, we offer a softcover copy of our documentation for the current version of Security Onion via Amazon. All proceeds go to the Rural Technology Fund, and the book comes with a 20% off discount code for our on-demand training and the Security Onion Certified Professional (SOCP) certification exam.
Conditional Access policies won’t stop token theft—and standard MFA won't fix it either.
When teams roll out Microsoft Authenticator push codes or SMS, some assume the cloud perimeter is safe. But sophisticated actors have moved completely past brute-forcing passwords. They use Adversary-in-the-Middle (AiTM) phishing frameworks like Evilginx.
The attack flow is clean: The proxy site mirrors your Entra ID login page. The user enters credentials and solves the genuine MFA challenge.
Once Entra ID validates the session, it issues an ESTSAUTH session cookie. The malicious proxy server snatches that cookie before passing it back to the victim’s browser.
The Result: The attacker drops that stolen cookie into their own machine. Because the session has already passed the MFA verification loop, they gain instant access to the mailbox or cloud apps. They bypass standard Conditional Access rules seamlessly.
Advanced features like Continuous Access Evaluation (CAE), Token Protection session controls, or strict device compliance rules can mitigate this. But they are rarely part of an organization’s "default" browser-based setups.
Because a stolen token completely bypasses the sign-in loop, you cannot hunt for it by looking for failed logins. You have to hunt for Session Anomalies—specifically when an identical session jumps network or device context mid-lifecycle.
From Sentinel or Entra ID Advanced Hunting, you can run the below KQL query to identify active token replays across interactive and non-interactive sign-ins:
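The post refers to a KQL query for Sentinel; the following is an added example, not that query and not the author's code. It applies the same hunting rule in plain Python over constructed sign-in rows: a replayed session cookie leaves only successful sign-ins behind, so instead of failed logins it looks for one SessionId that is seen from more than one IP or device context during its lifecycle, across interactive and non-interactive rows. Field names mirror the Sentinel SigninLogs columns (TimeGenerated, UserPrincipalName, SessionId, IPAddress, DeviceDetail, ResultType); the values, and the "Kind" label, are invented for the example.

```python
"""Session-anomaly hunt over constructed Entra ID sign-in rows (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows (not real telemetry). ResultType "0" means success.
SAMPLE_SIGNINS = [
    # sess-A: interactive sign-in from a registered device, then the same session
    # reused minutes later from another IP on an unmanaged browser: the pattern a
    # replayed cookie leaves behind.
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-A", "IPAddress": "203.0.113.10", "ResultType": "0",
     "DeviceDetail": {"deviceId": "dev-1", "browser": "Edge 124"}, "Kind": "interactive"},
    {"TimeGenerated": "2024-05-01T08:12:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-A", "IPAddress": "198.51.100.7", "ResultType": "0",
     "DeviceDetail": {"deviceId": "", "browser": "Chrome 124"}, "Kind": "non-interactive"},
    # sess-B: ordinary token refreshes, same IP and device throughout.
    {"TimeGenerated": "2024-05-01T08:05:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-B", "IPAddress": "203.0.113.20", "ResultType": "0",
     "DeviceDetail": {"deviceId": "dev-2", "browser": "Edge 124"}, "Kind": "interactive"},
    {"TimeGenerated": "2024-05-01T09:05:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-B", "IPAddress": "203.0.113.20", "ResultType": "0",
     "DeviceDetail": {"deviceId": "dev-2", "browser": "Edge 124"}, "Kind": "non-interactive"},
    # sess-C: a failed attempt from elsewhere. Failures are noise for this hunt.
    {"TimeGenerated": "2024-05-01T09:00:00Z", "UserPrincipalName": "carol@example.com",
     "SessionId": "sess-C", "IPAddress": "203.0.113.30", "ResultType": "0",
     "DeviceDetail": {"deviceId": "dev-3", "browser": "Edge 124"}, "Kind": "interactive"},
    {"TimeGenerated": "2024-05-01T09:05:00Z", "UserPrincipalName": "carol@example.com",
     "SessionId": "sess-C", "IPAddress": "192.0.2.9", "ResultType": "50126",
     "DeviceDetail": {"deviceId": "", "browser": "Chrome 124"}, "Kind": "interactive"},
    # sess-D: same unmanaged browser, but the network context changes mid-session.
    {"TimeGenerated": "2024-05-01T10:00:00Z", "UserPrincipalName": "dave@example.com",
     "SessionId": "sess-D", "IPAddress": "198.51.100.50", "ResultType": "0",
     "DeviceDetail": {"deviceId": "", "browser": "Firefox 125"}, "Kind": "interactive"},
    {"TimeGenerated": "2024-05-01T10:30:00Z", "UserPrincipalName": "dave@example.com",
     "SessionId": "sess-D", "IPAddress": "203.0.113.40", "ResultType": "0",
     "DeviceDetail": {"deviceId": "", "browser": "Firefox 125"}, "Kind": "non-interactive"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _device_key(record):
    """Device context: the registered deviceId, or the browser string when the
    row came from an unmanaged browser (deviceId is empty there)."""
    detail = record.get("DeviceDetail") or {}
    return detail.get("deviceId") or "browser:" + detail.get("browser", "unknown")


def find_session_anomalies(records):
    """Return one finding per SessionId whose (IP, device) context changed
    between consecutive successful sign-ins, oldest session first."""
    by_session = defaultdict(list)
    for rec in records:
        if rec.get("ResultType") != "0" or not rec.get("SessionId"):
            continue  # replays do not fail; rows without a session id cannot be correlated
        by_session[rec["SessionId"]].append(rec)

    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: _parse_ts(r["TimeGenerated"]))
        hops, prev = [], None
        for rec in rows:
            ctx = (rec["IPAddress"], _device_key(rec))
            if prev is not None and ctx != prev:
                hops.append({"at": rec["TimeGenerated"], "from": prev, "to": ctx, "kind": rec.get("Kind")})
            prev = ctx
        if hops:
            findings.append({
                "SessionId": sid,
                "UserPrincipalName": rows[0]["UserPrincipalName"],
                "ip_count": len({r["IPAddress"] for r in rows}),
                "device_count": len({_device_key(r) for r in rows}),
                "first_seen": rows[0]["TimeGenerated"],
                "last_seen": rows[-1]["TimeGenerated"],
                "hops": hops,
            })
    findings.sort(key=lambda f: f["first_seen"])
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(SAMPLE_SIGNINS):
        print(f"{f['UserPrincipalName']} session {f['SessionId']}: {f['ip_count']} IPs, "
              f"{f['device_count']} device contexts, {len(f['hops'])} context hop(s)")
        for hop in f["hops"]:
            print(f"   {hop['at']} ({hop['kind']}): {hop['from']} -> {hop['to']}")
```

The ordering step matters: a context change is only meaningful relative to the session's earlier rows, which is why rows are sorted per SessionId before comparing neighbours. Treating an empty deviceId as "unmanaged browser" keeps a hop from a registered device to an unregistered one visible, which is the hop the post's scenario produces; sess-D shows that an IP change alone is also enough to surface the session.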
10 GitHub repos that should be illegal — they're killing $50 billion in corporate revenue.
SAVE IT
1. yt-dlp
Downloads any video from YouTube, X, TikTok, Instagram, anywhere. YouTube Premium charges $14 a month to do less than this. It is 100% free.
Repo → https://t.co/TaRtkcd4qy
2. Ollama
Run GPT-4-class AI on your laptop. No API costs. Developers spend $500 a month on OpenAI for what Ollama runs offline for $0.
Repo → https://t.co/gyZhUdzsnZ
3. Fooocus
Midjourney-quality image generation on your own GPU. Midjourney charges $30 a month. Fooocus runs unlimited generations for free.
Repo → https://t.co/NDPJpIdYJs
4. Whisper
OpenAI's transcription model, open-sourced. Otter charges $20 a month for what Whisper does for free, in 99 languages.
Repo → https://t.co/blaJ4i4MnH
5. Plausible Analytics
Privacy-first Google Analytics replacement. Google Analytics 360 costs $150,000 a year for enterprises. Plausible self-hosted costs $0.
Repo → https://t.co/RFrcpqTBQ7
6. AppFlowy
Open-source Notion. Notion charges $20 per user per month for teams. AppFlowy runs unlimited users on your server for free.
Repo → https://t.co/IDMykTCkMU
7. Penpot
Open-source Figma. Figma charges $45 per editor per month. Penpot does the same job, self-hosted, free forever.
Repo → https://t.co/Lx1CYUP4p4
8. n8n
Open-source Zapier. Zapier Pro costs $600 a month for a real workflow. n8n self-hosted runs unlimited automations for $0.
Repo → https://t.co/hdycABGGc1
9. Cal.com
Open-source Calendly. Calendly Teams costs $16 per user per month. Cal.com is free for individuals and open source for teams.
Repo → https://t.co/haz8ihRsHm
10. Bitwarden
Open-source 1Password. Password managers charge $8 per user. Bitwarden is unlimited, forever, free.
Repo → https://t.co/XCZ2JtWqWQ
Here's the wildest part:
That's $50 billion in corporate revenue these repos are quietly destroying every single year.
None of these are illegal.
All of them should be.
Save this. Share it with the person in your life still paying for what's been free this whole time.
100% free. 100% open source.
IT'S TIME FOR SOUP!
Security Onion 3.1.0 is now available and includes new features, updated components, and many quality-of-life improvements!
Get all the details on our blog:
https://t.co/bIRSIYUQky
#Breaking
"Highly misconceived. Bereft of any merit."
Delhi High Court rejects PIL to deregister AAP and bar Arvind Kejriwal, Manish Sisodia and Durgesh Pathak from contesting elections for boycotting excise policy case proceedings before Justice Swarana Kanta Sharma.
@AamAadmiParty @ArvindKejriwal @msisodia @ipathak25
Big moment for Nextron, and for me personally
The first version of our scanner ran in December 2012. Back then it was still a tool for consulting and incident response cases. We founded @nextronsystems in 2017 with around 35 customers. Today it’s more than 550.
Most of that growth happened organically. Word of mouth, customer trust, posts on Twitter, and a lot of steady work on the product.
Maybe a fairly German way to build a company: spend what you earn, focus on the substance, care more about what’s inside the box than the box itself.
We were not always great at explaining that box, though. Sometimes we were probably a bit clumsy in how we communicated what the products can do and where they fit best 🙂
That also means there is still a lot we can improve around the product: clearer communication, better channels, better integrations, better support and a more professional setup for international growth.
That’s why I’m genuinely happy that Eurazeo / Elevate is joining us for the next phase.
Nextron has always been strongest where standard tools have blind spots: forensic scanning, compromise assessment, unusual systems, backup data, forensic images and environments where you cannot just install another agent.
Thanks to the Nextron team, our customers, partners and everyone who helped us get here.
Now we keep building.
https://t.co/OBMMMSFnCq
GOOGLE JUST SHIPPED ITS ENTIRE 2026 ROADMAP IN ONE KEYNOTE
Gemini 3.5 Flash → new flagship. frontier brain, agentic, beats 3.1 pro, 4x faster
Gemini 3.5 Pro → the bigger one, drops next month
Gemini Omni → any input in, editable VIDEO out
Gemini Spark → a personal agent that actually DOES things across your apps
Daily Brief → your morning, pre-read from gmail, calendar and tasks
Neural Expressive → the gemini app got a full redesign
Universal Cart → one agentic cart across gemini, youtube and gmail
Information Agents → search that monitors the web 24/7 FOR you
Intelligent Search Box → expands as you type for real conversations
Search Mini Apps → build your own dashboards inside search
AI Mode → now fully running on gemini 3.5 flash
Gmail Live → talk to your inbox
Docs Live → write and edit docs by voice
AI Inbox → gmail, organized by ai
Google Keep → speak freely, it cleans it into notes
Google Pics → a brand new ai image and design app
Ask YouTube → search the ENTIRE youtube catalogue with answers
Android XR Glasses → "intelligent eyewear," audio glasses this fall
Android Halo → a live strip showing what your agent is doing
Antigravity 2.0 → the agent-first dev platform, upgraded
Flow + Flow Music → now standalone mobile apps
Yes. Attackers can create hidden admin accounts on Windows that fly completely under the radar.
The most common method is registry manipulation. By modifying a specific key under HKLM\SAM, they can create an account that doesn’t appear on the login screen or in normal user management tools. It shows up nowhere a regular user would look.
Another approach is cloning an existing account. Attackers copy the RID of a legitimate admin account onto a low-privilege or guest account. On the surface it looks harmless. Under the hood it has full admin rights.
Net user commands can also create accounts that blend in with system defaults, especially if named something generic like $-appended accounts, which Windows hides from standard directory listings by design.
How to actually catch it:
Run net user and wmic useraccount list full and compare results. Discrepancies are a red flag. Check the SAM registry directly or use tools like Autoruns and GMER. Review Event ID 4720 (account created) and 4728/4732 (group membership changes) in the Security event log.
Most people never check. That’s exactly why it works.
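An added example (not the post's own code) that implements the cross-check the post describes: it compares the names `net user` prints with the accounts `wmic useraccount list full` reports, flags any account that one tool lists and the other does not, flags $-suffixed names, and attaches the matching Security log events (4720 account created, 4728/4732 member added to a group, matched on the member SID). All three inputs are constructed sample text and dicts rather than captures, so it runs anywhere. The RID-cloning technique from the post is not visible in either listing; that needs the direct SAM registry check the post mentions.

```python
"""Cross-check local account listings and account events (added example)."""
import re

# Constructed `net user` output. The $-suffixed account is absent here.
NET_USER_OUTPUT = """\
User accounts for \\\\WS01

-------------------------------------------------------------------------------
Administrator            Guest                    alice
The command completed successfully.
"""

# Constructed `wmic useraccount list full` output, trimmed to three fields per account.
WMIC_OUTPUT = """\
Disabled=FALSE
Name=Administrator
SID=S-1-5-21-1111-2222-3333-500

Disabled=TRUE
Name=Guest
SID=S-1-5-21-1111-2222-3333-501

Disabled=FALSE
Name=alice
SID=S-1-5-21-1111-2222-3333-1001

Disabled=FALSE
Name=support$
SID=S-1-5-21-1111-2222-3333-1005
"""

# Constructed Security log events, keyed like the EventData fields of 4720/4732.
SECURITY_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-05-02T01:12:09Z",
     "TargetUserName": "support$", "SubjectUserName": "alice"},
    {"EventID": 4732, "TimeCreated": "2024-05-02T01:12:40Z",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1005",
     "SubjectUserName": "alice"},
    {"EventID": 4720, "TimeCreated": "2024-04-15T09:00:00Z",
     "TargetUserName": "alice", "SubjectUserName": "Administrator"},
]


def parse_net_user(text):
    """Names from the table between the dashed rule and the trailer line."""
    names, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            names.update(re.split(r"\s{2,}", line.strip()))
    return names


def parse_wmic_useraccount(text):
    """Blank-line separated key=value blocks, one dict per account."""
    accounts, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                accounts.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        accounts.append(current)
    return accounts


def find_hidden_accounts(net_user_text, wmic_text, events):
    """Return {account name: {"reasons": [...], "events": [...]}} for suspects."""
    net_names = parse_net_user(net_user_text)
    wmi_accounts = parse_wmic_useraccount(wmic_text)
    wmi_names = {a["Name"] for a in wmi_accounts}
    sid_by_name = {a["Name"]: a.get("SID", "") for a in wmi_accounts}
    findings = {}

    def note(name, reason):
        findings.setdefault(name, {"reasons": [], "events": []})["reasons"].append(reason)

    for name in sorted(wmi_names - net_names):
        note(name, "listed by WMI but not by net user")
    for name in sorted(net_names - wmi_names):
        note(name, "listed by net user but not by WMI")
    for name in sorted(wmi_names | net_names):
        if name.endswith("$"):
            note(name, "$-suffixed name")

    for name, finding in findings.items():  # pull the creation and group-add trail
        sid = sid_by_name.get(name, "")
        for ev in events:
            created = ev["EventID"] == 4720 and ev.get("TargetUserName", "").lower() == name.lower()
            added = ev["EventID"] in (4728, 4732) and bool(sid) and ev.get("MemberSid") == sid
            if created or added:
                finding["events"].append(ev)
    return findings


if __name__ == "__main__":
    for name, f in find_hidden_accounts(NET_USER_OUTPUT, WMIC_OUTPUT, SECURITY_EVENTS).items():
        print(f"{name}: {'; '.join(f['reasons'])}")
        for ev in f["events"]:
            print(f"   {ev['TimeCreated']} event {ev['EventID']} by {ev['SubjectUserName']}")
```

Group-membership events are matched on the member's SID rather than its name because the 4728/4732 member field usually carries only the SID; taking the SID from the WMI listing is what ties the two sources together. On a live host you would feed the real command output and exported events into the same functions; the parsers are written against the formats those commands print.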
Microsoft just confirmed CVE-2026-42897 is being actively exploited in the wild.
The target? Outlook Web Access.
No malicious link. No attachment. Just open the email.
I broke down exactly how the attack works 👇
https://t.co/DNCKVa3bQQ
50 WEBSITES THAT FEEL ILLEGAL TO KNOW ABOUT
1. cobalt. tools — download any video from socials
2. photopea. com — Photoshop but completely free
3. temp-mail. org — disposable email in one click
4. tinywow. com — 100+ free tools in one site
5. archive. org — access any old webpage ever
6. libgen. li — millions of free textbooks
7. sci-hub. al — free research papers
8. alternativeto. net — find free app alternatives
9. justwatch. com — find where to stream anything
10. gutenberg. org — 70K free classic books
11. pdfdrive. com — free PDF downloads
12. openculture. com — free courses from top unis
13. wolframalpha. com — solve any math instantly
14. remove. bg — remove backgrounds in one click
15. cleanup. pictures — erase objects from photos
16. unscreen. com — remove video backgrounds free
17. squoosh. app — compress any image free
18. excalidraw. com — hand drawn diagrams free
19. carbon. now. sh — turn code into beautiful art
20. ray. so — stunning code screenshots
21. flightradar24. com — track any flight in real time
22. camelcamelcamel. com — track Amazon price history
23. haveibeenpwned. com — check if you were hacked
24. virustotal. com — scan any file for malware
25. privnote. com — send self destructing messages
26. file. io — share files that auto delete
27. archive. ph — save any webpage forever
28. accountkiller. com — delete yourself from any site
29. radio. garden — listen to any radio worldwide
30. tunefind. com — find songs from any show
31. musicforprogramming. net — music to focus with
32. mynoise. net — custom focus soundscapes
33. annasarchive. org — search every book ever written
34. elicit. com — AI research paper assistant
35. consensus. app — search what science agrees on
36. connectedpapers. com — map research visually
37. semanticscholar. org — free academic search
38. scispace. com — understand any research paper
39. summarize. tech — summarize any YouTube video
40. phind. com — AI search for developers
41. regex101. com — test any regex instantly
42. codebeautify. org — format any code cleanly
43. explainshell. com — understand terminal commands
44. tldraw. com — infinite whiteboard in browser
45. downdetector. com — check if any site is down
46. tineye. com — reverse image search
47. fast. com — check your internet speed
48. smallpdf. com — edit PDFs free
49. ilovepdf. com — merge and split PDFs
50. 10minutemail. com — temp email in seconds
All legal. All free. All hidden from you.
Bookmark this before it disappears.
Google published an entire library of highly sophisticated, end-to-end agent examples.
100% open-source.
• Complete documentation
• Source code
• Ability to one-click deploy
In the video, I break down one of the coolest examples in this collection.
We’ve added two security improvements to Claude Managed Agents.
Self-hosted sandboxes keep the agent’s execution environment in your infrastructure or with a managed sandbox provider.
MCP tunnels let the agent connect to services inside your security perimeter.
Live from Code with Claude London: we're launching self-hosted sandboxes (public beta) and MCP tunnels (research preview) in Claude Managed Agents.
Run agents inside your own perimeter, with your security controls applied by default.
Just stumbled upon OSIRIS AI, an 'Open Source Palantir', a global intelligence dashboard that aggregates live flight and satellite tracking, CCTV networks, earthquake monitoring, conflict zone mapping, and 24/7 news feeds.
Free. Open Source. No sign-up required.
🚀 OhMyPCAP 3.0 is here!
The ultimate FOSS web app for PCAP analysis just leveled up big time.
New in v3.0:
• Suricata automatically extracts files from traffic
• Runs YARA on every extracted file - new FILE ALERTS tab
• Drag & drop any file for instant YARA scanning
Runs in a single Docker/Podman container - perfect for quick testing or air-gapped environments.
All your favorite features are still there: rich alerts, Sankey diagrams, transcripts, stream carving, and more!
Perfect for malware analysis, incident response, threat hunting and teaching network forensics.
Who’s spinning this up? Drop a ❤️ and reply with your main use case (malware? CTFs? real incidents?)
cc @lennyzeltser @it_audit @Suricata_IDS @chrissanders88 @sansforensics