Johan

The software supply chain has a new predator. 🐛 Meet Iron Worm, the "rustier cousin" of the infamous Shai-Hulud worm. Just like its predecessor, it burrows into dev environments, steals credentials, and self-propagates through trusted GitHub and npm workflows. Except this one is built in heavy, async Rust, hides behind an eBPF kernel rootkit, and talks over Tor. Full teardown of the beast: https://t.co/9Tn4G8tluW

Bypassing AMSI is useless if you get caught by Script Block Logging (4104) 5 seconds later. I compiled a complete reference guide for PowerShell Defense Evasion covering the full chain: AMSI, AppLocker, CLM escapes, and blinding the logs. Read the full breakdown below https://t.co/VTCTVGq6Zp

Your XDR monitors vssadmin.exe and ntdsutil.exe. If an attacker runs those binaries on a DC, a high-severity alert is triggered. So how do real-world threat actors still walk away with ntds.dit? They don't use the standard Windows utilities. They use native API calls or alternative administrative mechanisms to interact with the Volume Shadow Copy (VSS) service directly—masking the extraction as routine backup operations. Instead of spawning loud processes, sophisticated actors manipulate VSS via: Direct COM/API interaction: Compiling custom binaries that call the VSS API directly, bypassing process-name logging entirely. NTDSDumpEx or native Esentutl: Leveraging esentutl.exe (a native Windows database utility) to copy locked database files via alternative volume paths. PowerShell WMI/CIM objects: Invoking the Win32_ShadowCopy class directly to create snapshots without ever touching vssadmin. If you are only waiting for an EDR signature on "ntdsutil," you are missing the broader footprint of snapshot manipulation. To build resilient detection strategies, look for the underlying side effects: untrusted non-system processes mounting global root paths or atypical processes reading directly from a volume snapshot folder. You don't need complex queries to detect these activities. Drop the below into your MDE or Sentinel to identify anomalous processes interacting with shadow copy volumes:

🧙‍♂️Kongtukes Unmasked — DefenderXDR detection of evolved Modelorat🐀 https://t.co/Xkjri3CnSL Threat actors never stop iterating. Kongtukes has evolved its help desk lure playbook into the Modelorat campaign — a reminder that social engineering remains one of the most effective initial access tactics. To stay ahead, I built a KQL threat detection that flags suspicious helpdesk style Teams impersonation attempt and traces the pivot into RAT activity. This detection logic ensures SecOps teams don’t miss the earliest signals of compromise. https://t.co/PvuBemDakV #ThreatHunting #DefenderXDR #Kongtukes #DetectionEngineering