AI Ghidra and Radare2: AI-powered reverse engineering.
AI agents that can disassemble, decompile, scan with YARA, and understand binaries in natural language. Perfect for malware analysis, vulnerability research, and automated reporting.
- https://t.co/nbs39c26pw
🗺️ RBACMap - Interactive map of M365 RBAC roles
Just came across this cool tool built by Jacob Sheridan (Senior Microsoft Purview Engineer) and sharing it with fellow defenders.
RBACMap covers 9 services and 327 roles: Entra, Purview, Intune, Exchange, SharePoint, Defender XDR, Fabric, Power Platform, and Security Copilot.
For each role you get:
• Permissions and scope
• Use cases and when to assign it
• Prerequisites, best practices, and security considerations
• Service-specific gotchas and related roles
Tool's link:🫡
https://t.co/U7u3emEmsn
#Cybersecurity #RBACMap #RBAC
🛡️ Anthropic Cybersecurity Skills - The Largest Open-Source Cybersecurity Skills Library for AI Agents
Anthropic Cybersecurity Skills is a collection of 754 production-grade cybersecurity skills across 26 security domains, designed to give AI agents structured workflows for DFIR, Threat Hunting, Threat Intelligence, Cloud Security, Web Security, Pentesting, Malware Analysis, SOC Operations, and more.
Each skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF, making it a powerful knowledge base for Claude Code, Copilot, Cursor, Gemini CLI, Codex CLI, LangChain, CrewAI, AutoGen, and other AI agent platforms.
🔗 https://t.co/SfV3E8nI0G
#CyberSecurity #ThreatIntel #DFIR #SOC #AIAgents #MITRE #InfoSec
🚨 BREAKING: More than 400 Arch Linux User Repository packages have been compromised with infostealer malware and a rootkit.
Attacker posed as a trusted maintainer and "adopted" orphaned packages.
Arch maintainers are purging infected packages now. Audit your AUR installs.
> be pakistan government
> develop custom malware
> used to target high profile targets
> used against indian military and political ppl
> named SHEETCREEP
> send indian ppl file
> UAE-India Strategic Partnership Week
> malicious .lnk file
> .lnk executes malicious c sharp code
> does a bunch of stuff for persistence
> exfiltrates data to Google Sheets
> Google Sheets can be used to control victim pcs
> pakistan gov hardcodes google c2 sheet
> PAKISTAN GOV HARDCODES GOOGLE C2 SHEET
> embed access key in payload
> EMBED ACCESS KEY IN PAYLOAD
> malware nerds find it
> look inside
> find all targets from pakistan gov
> monitoring 91 ppl they think important
THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION
https://t.co/PcCeV05cu3
Our new blog post details our investigation into how a compromised MSP led to at least one of its customers being compromised, including deployment of the BRICKSTORM malware on multiple edge devices.
Tools like Snaffler are great, but crawling SMB shares creates a telemetry nightmare. You instantly light up the SIEM with:
- 5140 / 5145 (Network Share Access)
- 4656 / 4663 (Object & File Access)
So I built Invoke-WindowsSearch to query the native Windows Search DB (OLE DB) directly via WinRM/RPC. It extracts the targets without touching the actual files, completely bypassing the 4663 and 5145 detection footprint.
Trade-offs: Requires the WSearch service (disabled by default on Server OS) and lacks complex regex capabilities. Know your environment before execution.
#RedTeam #ActiveDirectory #OPSEC #ThreatHunting #PowerShell
Stop burning RDP persistence with 4732 alerts. Bypass the "Remote Desktop Users" group entirely.
GUI access only requires:
- SeRemoteInteractiveLogonRight (Inject SID via secedit)
- RDP-Tcp listener permissions (Modify CIM class)
OPSEC: Trades 4732 for 4704. Most SOCs don't tune 4704 with the same aggression.
h/t @Cptjesus for the concept.
Conditional Access policies won’t stop token theft—and standard MFA won't fix it either.
When teams roll out Microsoft Authenticator push codes or SMS, some assume the cloud perimeter is safe. But sophisticated actors have moved completely past brute-forcing passwords. They use Adversary-in-the-Middle (AiTM) phishing frameworks like Evilginx.
The attack flow is clean: The proxy site mirrors your Entra ID login page. The user enters credentials and solves the genuine MFA challenge.
Once Entra ID validates the session, it issues an ESTSAUTH session cookie. The malicious proxy server snatches that cookie before passing it back to the victim’s browser.
The Result: The attacker drops that stolen cookie into their own machine. Because the session has already passed the MFA verification loop, they gain instant access to the mailbox or cloud apps. They bypass standard Conditional Access rules seamlessly.
Advanced features like Continuous Access Evaluation (CAE), Token Protection session controls, or strict device compliance rules can mitigate this. But they are rarely part of an organization’s "default" browser-based setups.
Because a stolen token completely bypasses the sign-in loop, you cannot hunt for it by looking for failed logins. You have to hunt for Session Anomalies—specifically when an identical session jumps network or device context mid-lifecycle.
From Sentinel or Entra ID Advanced Hunting, you can run the below KQL query to identify active token replays across interactive and non-interactive sign-ins:
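The post's own KQL query is not reproduced on this page. The following is an added example, not the author's query, that hunts for the session anomaly the post describes: one Entra ID session identifier showing up from more than one IP address or device across interactive and non-interactive sign-ins. It assumes Sentinel's SigninLogs and AADNonInteractiveUserSignInLogs tables with their standard SessionId, IPAddress, DeviceDetail and AppDisplayName columns.

```kql
// Added example (not the original post's query): flag Entra ID sessions whose
// SessionId is reused from more than one IP address or device, which is the
// signature of a replayed ESTSAUTH cookie rather than a fresh sign-in.
// Assumes Sentinel's SigninLogs and AADNonInteractiveUserSignInLogs tables.
let lookback = 7d;
// Normalise both tables to one schema before the union: DeviceDetail is
// dynamic in SigninLogs and a JSON string in the non-interactive table.
let interactive = SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend SignInType = "Interactive", DD = parse_json(tostring(DeviceDetail))
    | project TimeGenerated, UserPrincipalName, SessionId, IPAddress,
              AppDisplayName, ResultType = tostring(ResultType), SignInType, DD;
let noninteractive = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | extend SignInType = "NonInteractive", DD = parse_json(tostring(DeviceDetail))
    | project TimeGenerated, UserPrincipalName, SessionId, IPAddress,
              AppDisplayName, ResultType = tostring(ResultType), SignInType, DD;
union interactive, noninteractive
| where ResultType == "0"            // successful sign-ins only; replays never fail
| where isnotempty(SessionId)
| extend DeviceId = tostring(DD.deviceId),
         OS       = tostring(DD.operatingSystem),
         Browser  = tostring(DD.browser)
// One row per (user, session): how many network/device contexts did it span?
| summarize FirstSeen       = min(TimeGenerated),
            LastSeen        = max(TimeGenerated),
            IPs             = make_set(IPAddress, 10),
            DeviceIds       = make_set(DeviceId, 10),
            OSes            = make_set(OS, 10),
            Browsers        = make_set(Browser, 10),
            Apps            = make_set(AppDisplayName, 10),
            SignInTypes     = make_set(SignInType, 2),
            DistinctIPs     = dcount(IPAddress),
            DistinctDevices = dcount(DeviceId)
    by SessionId, UserPrincipalName
// A session that jumps IP or device mid-lifecycle is the anomaly to triage.
| where DistinctIPs > 1 or DistinctDevices > 1
| order by DistinctIPs desc, LastSeen desc
```

Expect benign hits from VPN roaming and mobile carriers, so enrich the IP set with ASN or geolocation before alerting. A session whose first leg is interactive from a corporate IP and whose later legs are non-interactive from an unrelated ASN is the pattern that most closely matches the AiTM flow described above.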
🚨 Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes
Source: https://t.co/mrxx28VoH5
Hackers can weaponize a legitimately signed Lenovo driver to terminate security processes, highlighting a dangerous Bring Your Own Vulnerable Driver (BYOVD) attack vector that can bypass endpoint protection controls.
A Lenovo driver, BootRepair.sys, originally associated with the Lenovo PC Manager utility, was discovered to be able to kill arbitrary processes at the kernel level. As the driver is legitimately signed and initially undetected, it can evade traditional security controls that rely on signature trust.
#cybersecuritynews
goLoL - a Windows host scanner that finds LOLBAS binaries present on the current machine and lists techniques you can run at your current privilege level with MITRE ATT&CK mappings and example commands https://t.co/0CIRynqovI
Found a Tailscale API key on an assessment?
In their latest research, @KingOfTheNOPs & @Sw4mp_f0x created TailscaleHound to turn your Tailnet into a BloodHound graph to visualize access paths between Azure & Tailscale.
Check it out ⤵️ https://t.co/KuCU5H0D8Z