Nels

Most highly effective analysts don't just read logs; they mentally map out the network and visualize the attack as physical movement. They conceptualize functional boundaries and the attack surface available at any given foothold (even if they don't realize they're doing it). If you find yourself struggling to understand an attacker's next move or what to look for, grab a piece of paper and literally draw the network graph and the event relationships. Making your thinking visual can change how you process the playing field and what's happening on it. #SOC #DFIR

🤓 How many times did you questioned yourself about a claims in a threat report? The "Trust me bro" is not always reliable! The Admiralty System also known as the NATO System, is a method used to evaluate collected intelligence. I created an Agent Skill for it! Mini thread👇

Everyone wants to jump to the exciting part of threat hunting: finding the weird process tree, following attacker behavior, proving the intrusion path. But the boring work comes first. Data normalization, parsing, and configuration are the foundation. If that layer is weak, your hunt is weak. We put together a short write-up on how we handle this at Threat Hunting Labs 👇

Want to know why I hate shock and awe in InfoSec? Early in my pentest career I was on an engagement with both a network pentest and a physical assessment. The network was flat, critical systems mixed in with everything else, plenty of issues to go around. On the physical side, someone walked in the front door, ended up in a conference room, plugged in got DA. When we came back for the following year, the physical side had been locked down badges, cameras, access control, the works. The network? The same issues from the previous report. Just because AI is helping find bugs and you want to scan all your internal code with LLMs doesn't mean you can take your foot off the gas with other internal security projects and fundamentals.

Thread: Deep analysis of the axios npm supply chain compromise All 5 payloads downloaded from VT, reversed in an isolated VM. Full report + detection rules: https://t.co/5VYX0VD7Tz What's in the gist (8 files): 1. Verified Threat Intel Report (all hashes VT-confirmed) 2. Full RE of every payload (source code recovered for all 3 RATs) 3. C2 protocol specification (complete JSON schema, state machine) 4. 8 YARA rules (tested, 100% detection) 5. 8 Sigma rules (Win/Mac/Linux) 6. 11 Suricata/Snort IDS rules (including Base64 beacon patterns) 7. Machine-readable IOC bundle (JSON, 14 SHA256 + network + MITRE) 8. Extension.SubRoutine research (see below) Novel findings not in any vendor report: - Extension.SubRoutine.Run2() — the .NET process injection DLL is completely undocumented. Zero results across all public sources. Custom-built injector, not from any known tool. - Linux RAT (https://t.co/QIVd7ac3uM, 0/76 detection) has a bug — peinject command references undefined variable b64_string. Binary injection crashes on Linux. - macOS RAT has zero hardcoded IPs/domains. C2 is runtime-only via argv[1]. Compiled with SDK 26.2.0 (latest Xcode). Build UUID: c848257813983360905d7ad0f7e5e3f5. - C2 server confirmed as Express.js via URLScan X-Powered-By header. - https://t.co/av1ZFLe9ak in the POST body is not an npm URL — it's the National Association of Pastoral Musicians. Designed to look legit in network logs. - Hostwinds AS54290 has confirmed Lazarus infrastructure in the same /18 subnet (https://t.co/jSNf9hnyjh research). - macOS RAT classified as NukeSped by 4 AV engines. JA3 fingerprint 773906b0... mimics Safari 15.5 — nation-state TLS tradecraft. - All 3 RATs share identical 4-command protocol: kill, peinject, runscript, rundir with status codes "Wow"/"Zzz". - Zenbox memory dump (47MB) downloaded and analyzed — 12 PE files extracted. Extension.SubRoutine DLL not recoverable (C2 was offline during sandbox run). Setup.js fully deobfuscated — all 18 XOR-encoded strings decoded including full VBScript and AppleScript payloads. macOS binary reversed with radare2 — main(), Report(), DoWork(), DoActionIjt(), DoActionScpt(), RunProcess() all reconstructed. Uses fork+execv (not system()), CurlGuard RAII pattern, nlohmann/json v3.11.3.