I ended up finding a typosquatted fake SharePoInt.exe, hiding in Temp, calling out to a C2 sever, launched through legit Windows DCOM service.
Full investigation writeup here:
https://t.co/an8DwPIGRM
Spent my evening hunting a 'suspicious connection via port 5678 alert '
flagged on a host named WIN-105. My job was to figure out whether this was something to worry about or just noise.
.
Investigated a SIEM alert flagged for an unusual TLD (.me)
Went through WHOIS โ DNS โ SPF/DMARC/DKIM โ VirusTotal โ SIEM pivot
A suspicious TLD without failed auth or a payload
is just noise. Context is everything in alert triage.
more
https://t.co/FrATXAbPnj
#SOC
โผ๏ธ๐จ This is alarming: Researchers found a one-click data exfiltration vulnerability in M365 Copilot. A single click on a trusted microsoft[.]com link let attackers pull emails, MFA codes, meeting notes, and SharePoint/OneDrive files, no permissions or second click required.
Microsoft has patched it as CVE-2026-42824, rated critical.
Tuff time ahead, this the moment when businesses increase the cost of imported goods to cover the margin. Others with deep pockets taking advantage of this by importing in bulk at a cheaper price before the raise.
Imported goods from China are set to become more expensive in Kenya from 15 June.
This comes after China-related shipping costs were increased, adding about Sh12,000 for a 20ft container and Sh118,000 for a 40ft container.
JUST IN: Google is paying SpaceX nearly $1 billion a month for GPUs.
Anthropic is paying $1.25 billion a month.
Elon Musk is renting to both his biggest rivals. and Jensen Huang is supplying the chips to everyone.
hereโs the full picture:
โ Google signed a $920M/month deal with SpaceX for 110,000 NVIDIA GPUs. runs through June 2029. nearly $30 billion total.
โ Anthropic signed a $1.25B/month deal with SpaceX last month for all compute at Colossus 1.
โ both deals run on NVIDIA chips โ the same ones Jensen Huang sells to everyone.
so the scoreboard right now:
Google pays Musk. Anthropic pays Musk. Musk competes with both through xAI. Jensen supplies the chips to all of them.
A single SIEM alert. One audit log. A fully executed intrusion โ running undetected for 3 hours.
SSH brute force โ malicious scripts โ typosquatted domain โ cryptominer.
Shell history can be deleted. Audit logs cannot.
Full case study
https://t.co/ZIsYXPVL2B
#ThreatHunting
Everyday I study for 2 hours,this has been helpful to me as a student and whenever I skip a day I add 2hours to the next day. Tomorrow I'm supposed to study for 2months.
@comomtl@pinkcliper Just remember the last person in the network node can trace you. It all a matter of interest and resources. Anonymity is an illusion
Indicators to hunt for:
โข Unusually large POST requests
โข Traffic to rare/low reputation domains
โข Frequent small requests (beaconing)
โข Multiple uploads forming a large transfer
Even normal protocols can hide malicious activity.
Day 60 of learning SOC
Today I explored detecting data exfiltration over HTTP. Attackers hide stolen data in POST requests, query strings, headers, or chunked uploads. Hunting large POST requests and unusual domains in logs can reveal suspicious uploads to external servers.
Common HTTP exfiltration techniques:
โข Large POST uploads to attacker servers
โข Encoded data in GET requests
โข Data hidden in HTTP headers
โข Chunked/multipart uploads
โข HTTPS tunneling to hide payloads
DAY 59 of SOC Learning
Investigated a WordPress webshell. Logs revealed a brute-forced login, shadyshell.php upload, and commands like whoami, uname -a. https://t.co/VsbkIFCZOI confirmed privilege escalation attempt. Logs tell the storyโif you know how to read them.
#SOC