Wrote up a qilin ransomware case I worked on. 88 day dwell, 12 hosts encrypted in under 5 hours, defender only reacted 47 minutes after encryption started. The anydesk install sat there for 11 weeks. One alert would have killed it. https://t.co/LLyYaT9sUL
Big shoutout to @rahulpandharkar for catching two sneaky bugs.
The entire /build Canvas route was 404ing and a .gitignore bug was silently hiding any fix from git. He spotted both, patched all 3 missing pages, and sent a clean PR.
Go check it out: https://t.co/LwnYnrfdUN
I tweeted about wanting this tool. Then I built it.
LabForge: the Packet Tracer of cybersecurity.
Drag-and-drop your lab topology, zone your network, pin CVEs to nodes, score attack paths, then hit Generate. Your full VM range spins up.
Open source.
https://t.co/DokN5BtLLK
@gadievron @dcuthbert @halvarflake @mbrg0 I was thinking along similar lines, focusing on your /exploit feature.
As a pentester, I frequently uncover vulnerable endpoints lacking public exploits. I envisioned a tool combining an LLM with Vagrant environments to safely reproduce these issues.
Every pentester knows the drill.
Find a vuln, no public PoC: you need a lab. So you spend 2 hrs on Vagrantfiles and the wrong OS.
Demoing to a client? Teaching a class? Your "lab" is three undocumented VMs on a laptop.
LabForge exists because that pain is universal.
@m1ru1 Yes, it was internet-facing. Issue was, it was an unpatched server that every user hit daily by GPO policy. Even if you segment it properly, the docs still live there and the auth surface is still exposed.
@m1ru1 No, at least not on the machines we had access to last year. Why? CVE-2025-53770 was exploited before detection signatures existed and the SharePoint server was never imaged, so even if Defender fired, we wouldn't have that data.
Let's start a threat hunting thread where we reveal some of our secret hunting methods. I will start first.
Check SSL info on IP webscans. This way you can find configured domains from threat actors on confirmed malicious IP infrastructure.
Also, you can pivot beyond Cloudflare.
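The certificate pivot described in the tweet above, worked through as an added example. This is not code from the thread or from any scan vendor; it assumes a scan export with one record per IP carrying the certificate's subject CN and its subjectAltName DNS entries, and every record, IP, hostname and the CDN-edge IP list below is constructed for illustration.

```python
"""Pivot from TLS certificate data in IP scans to threat-actor domains, and back.

Direction 1: confirmed-malicious IP -> names in its certificate (CN + SANs).
Direction 2: a name -> every scanned IP whose certificate covers that name,
which is how an origin server hiding behind a CDN edge gets exposed.
"""
from collections import deque

# Constructed scan records standing in for an internet-wide TLS scan export.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "cn": "panel.c2-example.test",
     "sans": ["panel.c2-example.test", "*.c2-example.test", "updates-cdn.test"]},
    {"ip": "203.0.113.11", "cn": "mail.c2-example.test",
     "sans": ["mail.c2-example.test"]},
    {"ip": "198.51.100.5", "cn": "shop.legit.test",
     "sans": ["shop.legit.test"]},
    {"ip": "198.51.100.77", "cn": "login.updates-cdn.test",
     "sans": ["login.updates-cdn.test"]},
    {"ip": "192.0.2.200", "cn": "sni.cdn-edge.test",
     "sans": ["sni.cdn-edge.test", "*.updates-cdn.test"]},
]

# Constructed: an IP already confirmed malicious by other evidence, and the
# addresses of a hypothetical CDN edge that fronts many unrelated customers.
CONFIRMED_MALICIOUS = {"203.0.113.10"}
CDN_EDGE_IPS = frozenset({"192.0.2.200"})


def cert_names(record):
    """Every DNS name the certificate claims: CN plus SANs, lower-cased, deduplicated."""
    names = [record["cn"]] + record["sans"]
    return sorted({n.lower().rstrip(".") for n in names if n})


def name_covers(san, fqdn):
    """True if certificate name `san` covers host `fqdn`.

    Single-label wildcard semantics: '*.a.test' covers 'b.a.test' but neither
    'a.test' itself nor 'c.b.a.test'.
    """
    san, fqdn = san.lower(), fqdn.lower()
    if san.startswith("*."):
        base = san[2:]
        return fqdn.endswith("." + base) and fqdn.count(".") == base.count(".") + 1
    return san == fqdn


def names_related(a, b):
    """Two certificate names point at the same host(s) if either covers the other."""
    return name_covers(a, b) or name_covers(b, a)


def domains_for_ips(records, ips):
    """Direction 1: names configured in certificates served by the given IPs."""
    found = set()
    for r in records:
        if r["ip"] in ips:
            found.update(cert_names(r))
    return found


def ips_for_domain(records, domain, exclude_ips=frozenset()):
    """Direction 2: IPs whose certificate covers `domain`, minus known CDN edges.

    Dropping the CDN edge addresses is the 'pivot beyond the CDN' step: the
    origin that also presents a certificate for the name is what remains.
    """
    hits = set()
    for r in records:
        if r["ip"] in exclude_ips:
            continue
        if any(names_related(n, domain) for n in cert_names(r)):
            hits.add(r["ip"])
    return hits


def expand_infrastructure(records, seed_ips, cdn_ips=frozenset()):
    """Alternate IP -> names -> IPs until no new hosts appear (breadth-first)."""
    known = set(seed_ips)
    queue = deque(seed_ips)
    while queue:
        ip = queue.popleft()
        for name in domains_for_ips(records, {ip}):
            for new_ip in ips_for_domain(records, name, exclude_ips=cdn_ips) - known:
                known.add(new_ip)
                queue.append(new_ip)
    return known


if __name__ == "__main__":
    actor = expand_infrastructure(SCAN_RECORDS, CONFIRMED_MALICIOUS, cdn_ips=CDN_EDGE_IPS)
    print("actor infrastructure:", sorted(actor))
    origin = ips_for_domain(SCAN_RECORDS, "login.updates-cdn.test", exclude_ips=CDN_EDGE_IPS)
    print("origin behind the CDN for login.updates-cdn.test:", sorted(origin))
```

The wildcard SAN is what ties the second C2 host to the first here; sibling hostnames under a shared parent domain are deliberately not linked automatically, since that is a judgement call an analyst makes with other evidence. Excluding the CDN edge addresses matters in both directions: without it a shared edge certificate would pull every co-hosted customer into the graph.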
One of the major objectives for the full Sysmon View rewrite is to support multiple platforms. A new release with macOS and Linux support is now live. Appreciate your help in testing and evaluation.
https://t.co/PVjDmkqlpb
#SysmonTools #Sysmon #DFIR #ThreatHunting #BlueTeam
For anyone that conducts research: please make sure you search for any public reporting on any of the indicators you found.
Whilst your research might not have kicked off from the public reporting, it is still worth referencing and citing these public reports :-)
We don't know exactly how Handala got into Kash Patel's accounts. But from responding to MOIS-linked intrusions: it's rarely a zero-day.
It's credential dumps. Stealer logs. Data sitting in the open for years.
Let me show you what we found.
TeamPCP has done ANOTHER supply chain attack.
My Brother in Christ, how many of these fuckin' things are you going to do? YOU'VE DONE 50 FUCKING SUPPLY CHAIN ATTACKS. 50 SUPPLY CHAIN ATTACKS IN EIGHT FUCKING DAYS.
March 19th:
- Trivy
March 20th:
- EmilGroup (28 packages)
- OpenGov (16 packages)
- Teale-io (eslint-config)
- AIRTM (uuid-base32)
- PypeSteam (floating-ui-dom)
March 23rd:
- Checkmarx
March 24th:
- LiteLLM
March 27th:
- Telnyx