@SBousseaden and I did some investigations into Tycoon 2FA recently. Focused on the infrastructure, how the kit works for not only M365, but Google Workspace as well. Made a few detections for each platform. Give it a read. Hope you enjoy. #phishing #threatdetection
Happy Hunting!
https://t.co/EIX75iln3S
MiniPlasma LPE exploit works perfectly. Elastic Defend behavior protection catches the exploit primitives involved in the chain, providing detection coverage even against a fresh public exploit.
https://t.co/81lEg2J3MA
We just posted some additional detection guidance for #CopyFail and #DirtyFrag using EQL, ES|QL and Auditd detection rules/hunts + mitigations. Find them below!
https://t.co/SCqn4OL1Sz
Detection guidance for CopyFail (CVE-2026-31431) and DirtyFrag (ITW Linux page cache LPE): EQL, ES|QL, and auditd detection rules and hunts included:
https://t.co/EdTUjIeJi2
Yesterday was my last day at @elastic.
It was an incredible run. I’m grateful for the opportunity I was given to help build Elastic’s #macOS endpoint agent and endpoint/SIEM detections from the ground up, work that delivered real impact for customers and made life harder for the adversaries.
It was truly an honor to work alongside so many talented people, and I’m very proud of everything we built together. Wishing Elastic and everyone there nothing but the best.
I’ll be looking for my next adventure soon. Stay tuned!
good to see EXISTING Elastic generic privesc behavior detection/protection triggering on the RedSun LPE exploit with no prior knowledge of the vuln-details.
https://t.co/z25p2zCtzE
google workspace logs from reports API...
here's a simple query (Elastic) to check for the vercel 3rd-party OAuth app auth event:
```
data_stream.dataset: "google_workspace.token" and event.action: "authorize" and google_workspace.token.client_id: "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
```
from there, the same app ID shows up in a few other GWS fields/datastreams:
- token.app_name -> human-readable app label
- drive.originating_app_id: 110671459871 -> every file the app viewed/downloaded/copied (prefix only, it's typically the GCP project number IIRC)
- admin.oauth2.application.id / .name -> admin-side OAuth approvals + domain-wide delegation grants
for everything else (gmail, login, meet, chat, calendar, groups, DLP rules) I'd try an actor pivot on source.user.email + a time window around the consent event (reports API can lag up to 3 days, so go wide and check ingestion).
good luck hunters!
#Vercel #GoogleWorkspace #threathunting
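The pivot described in the post above, as an added Python example that is not part of the original thread: it runs over constructed Google Workspace report events in the flat, dotted field layout of the Elastic google_workspace integration, starts from the Vercel consent event, follows the app ID into the Drive (prefix only) and admin datasets, and falls back to an actor-plus-time-window pivot for datasets that carry no app ID. The users, file names, the `file.name` field, the admin event.action value and the second app ID are assumptions.

```python
from datetime import datetime, timedelta

# Vercel OAuth client ID quoted in the post above; Drive events record only its numeric prefix.
VERCEL_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

def project_number(client_id):
    """drive.originating_app_id is the GCP project number: the part of the client ID before '-'."""
    return client_id.split("-", 1)[0]

def ev(dataset, action, ts, user, extra=None):
    """Flat, Elastic-style document (dotted field names) for the constructed sample set."""
    doc = {"data_stream.dataset": "google_workspace." + dataset, "event.action": action,
           "@timestamp": ts, "source.user.email": user}
    return doc | (extra or {})

# Constructed sample events; users, file names and the non-Vercel app ID are placeholders.
EVENTS = [
    ev("token", "authorize", "2026-03-02T10:00:00+00:00", "alice@example.com",
       {"google_workspace.token.client_id": VERCEL_CLIENT_ID, "google_workspace.token.app_name": "Vercel"}),
    ev("drive", "view", "2026-03-02T10:05:00+00:00", "alice@example.com",
       {"google_workspace.drive.originating_app_id": "110671459871", "file.name": "Q1 forecast.xlsx"}),
    ev("drive", "download", "2026-03-03T09:00:00+00:00", "alice@example.com",
       {"google_workspace.drive.originating_app_id": "110671459871", "file.name": "customer-list.csv"}),
    ev("drive", "view", "2026-03-03T09:30:00+00:00", "alice@example.com",
       {"google_workspace.drive.originating_app_id": "999999999999", "file.name": "notes.txt"}),
    ev("admin", "AUTHORIZE_API_CLIENT_ACCESS", "2026-03-02T10:02:00+00:00", "admin@example.com",
       {"google_workspace.admin.oauth2.application.id": VERCEL_CLIENT_ID}),
    ev("login", "login_success", "2026-03-02T09:50:00+00:00", "alice@example.com"),
    ev("gmail", "send", "2026-02-10T08:00:00+00:00", "alice@example.com"),  # outside the window
]

def pivot(events, client_id, window=timedelta(days=3)):
    """Consent event -> app-ID pivot (Drive prefix, admin grants) -> actor pivot in a time window."""
    prefix, ts = project_number(client_id), lambda e: datetime.fromisoformat(e["@timestamp"])
    report = {}
    for c in events:
        if (c["data_stream.dataset"], c["event.action"]) != ("google_workspace.token", "authorize") \
                or c.get("google_workspace.token.client_id") != client_id:
            continue
        actor, t0 = c["source.user.email"], ts(c)
        mine = [e for e in events if e["source.user.email"] == actor]
        report[actor] = {
            "consent_at": c["@timestamp"],
            "drive": [e for e in mine if e.get("google_workspace.drive.originating_app_id") == prefix],
            "admin": [e for e in events if e.get("google_workspace.admin.oauth2.application.id") == client_id],
            # datasets with no app-ID field: same actor, wide window (the reports API can lag up to 3 days)
            "activity": [e for e in mine if not e["data_stream.dataset"].endswith((".token", ".drive", ".admin"))
                         and abs(ts(e) - t0) <= window],
        }
    return report
```

The report is keyed by the consenting user, so each entry is one human to follow up with; widen `window` if ingestion lag shows up in your own data.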
Attackers in containers don't leave persistent artifacts. No files on disk. No post-incident logs. Just short-lived runtime behavior.
Traditional detection approaches weren't built for this. Defend for Containers is.
@RFGroenewoud published a deep-dive on how D4C captures runtime signals inside containerized Linux workloads, and how to build detection logic on top of it.
The key things D4C gives you that you don't get elsewhere:
- process.interactive flags hands-on-keyboard activity in production containers — rare and high-signal
- Linux capability fields (effective + permitted) let you assess actual exploit potential, not just process names
- Every event enriched with pod name, namespace, cluster, and privilege context
- Policy wildcards let you scope detections to specific images, namespaces, or directory trees
https://t.co/7nKk7mllv7
You are going to want to check out this awesome new research write-up from the team. Very interesting and somewhat creative initial access method. Includes a @macos piece as well. Shout out to @soolidsnakee, @SBousseaden and team working hard to get this out.
We have identified a novel social engineering campaign abusing Obsidian, the popular note-taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto.
The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault.
Full analysis: https://t.co/y7sGjClCKc
New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs.
We uncovered a campaign abusing Obsidian plugins and vault feature to deliver multi-platform payloads targeting both #Windows and #macOS.
The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions, together with its loader #PHANTOMPULL.
A deep dive into the RAT internals is coming next. Stay tuned.
https://t.co/nFAOUGmUc4
Not every “old” GitHub repo is actually old.
I break down DPRK-linked repo tradecraft abusing commit-date spoofing to fake legitimacy, while hiding obfuscated loaders in trusted config files. One sample had 100+ stars.
Research:
https://t.co/8mPwuQTj4S
Thanks @pcaversaccio for recreating the spoofed commit and helping validate the technique.
New research by @JamfThreatLabs around evolving ClickFix techniques using Script Editor, perhaps they have a reason to move away from Terminal recently!
One of our researchers built an AI-powered supply chain monitoring tool on a Friday afternoon.
The following Monday night it caught the Axios npm compromise before most people knew it existed.
Elastic Security Labs is open sourcing the tool.
Full story by @dez_ here: https://t.co/wjT58qQYNO