Well, well, well. The public JSON formatter sites your developers paste production data into have been quietly publishing every paste for about seven years. Naturally, we read all seven years of it.
200,000+ documents. Cloud keys, SSH keys, payment API keys, whole tax returns with SSNs, people's full identities, bank balances. Nobody hacked anything. People pasted it in to make it look tidy, as you do.
Full writeup below. Yes, it's as bad as it sounds.
Really enjoyed this interview by @elijahwoodward9 with @bunsofwrath12 on Team Cymru’s “Future of Threat Intelligence”
A lot of good DFIR points in there that often get ignored in enterprise envs:
- why default Win event log sizes are a forensic disaster
- why Sysmon deployments are often stale or incomplete
- the forensic value of Volume Shadow Copies and the $J USN Journal
- why EDR alone is not enough
- how true positives get buried in alert fatigue
- using AI as a force multiplier for parsing logs and writing one-off tooling, while still not treating it as forensic ground truth
Also liked the practical angle throughout the whole discussion. Felt very experience-driven, not theoretical.
Worth watching
https://t.co/SfgqjbR9Eu
Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why.
https://t.co/sFsf3uPm5o
🚀 New Forensics Technique: Extract AS/400 Licence Keys from Disk Images 🧠
I’m excited to share a brand-new open-source tool to help you recover IBM AS/400, iSeries, and Power Systems licence keys: ExtractAS400LickeysFromDisk
https://t.co/Qa6jEWBLJK
A Painted Symphony is officially kicking off in 2026 with a European tour! 🎼
The French Concert series was such an incredible experience, we couldn’t wait to start planning the next one. We’ve even prepared a little surprise for later today to show you all what went on behind the scenes!!
The European tour will be coming to FIFTEEN cities in Spring 2026. Tickets go on sale Dec 2nd!!
Visit the website to read the full details: https://t.co/8ijyPpsS0l
Introduction to the Windows API in Rust with a DLL Loader
TLDR; This post is to serve as an introduction to programming in Rust using the Win32 API by using the simplest of DLL loading techniques: loading the DLL into our own process.
https://t.co/P9bMnE4d1a
Unit 42 shares a step-by-step guide to cloud incident response. Learn how cloud investigations differ from traditional incidents, focusing on identities, misconfigurations and service interactions. https://t.co/kS7nOz2LEK
We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors.
One way they could regain root access on Linux servers was by adding capabilities to the Python binary, for example:
setcap cap_setuid+ep /usr/bin/python3.12
An attacker can now effectively spawn a root shell over the Python binary. The thing about this technique is that they haven't set a suid bit on a binary, or changed the Python binary. By setting the capabilities, attackers can build powerful backdoors.
I wrote about Linux Capabilities and how to find them on my blog if you want to learn more. [1]
[1] https://t.co/Cyad5VS7Cv
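Added example (not the author's code or the tool from the linked blog post): a small Python auditor that finds file capabilities the way `getcap -r /` does, by reading the `security.capability` extended attribute directly and decoding the kernel's `vfs_cap_data` layout (revision 2 and 3). It flags capabilities such as cap_setuid that let a process act as root, which is exactly the backdoor described above. The constant SAMPLE_SETUID_BLOB is a constructed xattr value encoding `cap_setuid+ep`; the HIGH_RISK list is my own selection, not a kernel definition.

```python
import os
import struct
import sys

# Capability numbers from <linux/capability.h> (subset relevant to auditing).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
    12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module",
    17: "cap_sys_rawio", 18: "cap_sys_chroot", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap",
}
# Capabilities that give root-equivalent power directly or in one hop
# (my own triage list, constructed for this example).
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio",
             "cap_setfcap", "cap_chown", "cap_fowner"}

VFS_CAP_REVISION_MASK = 0xFF000000   # top byte of magic_etc is the revision
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" in "+ep"
XATTR = "security.capability"

# Constructed sample: what `setcap cap_setuid+ep <file>` stores in revision-2
# layout: magic|effective, permitted_lo, inheritable_lo, permitted_hi, inheritable_hi.
SAMPLE_SETUID_BLOB = struct.pack("<5I", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)


def cap_names(lo, hi):
    """Turn the two 32-bit halves of a capability mask into a set of names."""
    bits = lo | (hi << 32)
    return {CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if (bits >> i) & 1}


def decode_vfs_cap(blob):
    """Decode a security.capability xattr (struct vfs_cap_data, revision 2 or 3)."""
    if len(blob) < 20:
        raise ValueError("capability xattr too short")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob)
    version = (magic & VFS_CAP_REVISION_MASK) >> 24
    if version not in (2, 3):
        raise ValueError(f"unsupported vfs_cap_data revision {version}")
    # Revision 3 appends the user-namespace root id the caps are valid for.
    rootid = struct.unpack_from("<I", blob, 20)[0] if version == 3 and len(blob) >= 24 else 0
    return {
        "version": version,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(p_lo, p_hi),
        "inheritable": cap_names(i_lo, i_hi),
        "rootid": rootid,
    }


def risk(caps):
    """High-risk capability names present in the permitted set, sorted."""
    return sorted(HIGH_RISK & caps["permitted"])


def scan(root):
    """Walk `root` and return (path, decoded caps, high-risk names) for every
    regular file carrying a capability xattr; same ground as `getcap -r`."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip pseudo-filesystems; nothing there carries file capabilities.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, XATTR, follow_symlinks=False)
            except OSError:   # ENODATA (no caps), ENOTSUP, EACCES, dangling symlink
                continue
            try:
                caps = decode_vfs_cap(blob)
            except ValueError:
                continue
            hits.append((path, caps, risk(caps)))
    return hits


if __name__ == "__main__":
    for path, caps, danger in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        tag = "HIGH-RISK " if danger else ""
        flags = "+" + ("e" if caps["effective"] else "") + "p"
        print(f"{tag}{path}: permitted={sorted(caps['permitted'])} "
              f"inheritable={sorted(caps['inheritable'])} {flags}")
```

Run it as root against `/` (or a mounted disk image) and diff the output against a known-good baseline; a Python, Perl or shell interpreter turning up with cap_setuid, cap_setgid or cap_dac_override is worth an incident ticket regardless of what `ls -l` shows, because no setuid bit and no file hash change are involved.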
Some good tools for doing DNS enumeration:
https://t.co/d9HCvb3DuG
https://t.co/dAGGISNxVa
https://t.co/PI7XsP9eBQ
https://t.co/VKBMt32e0k
https://t.co/PPKJXhc52Y
Cyberattack on Paris Natural History Museum in July disabled alarms and monitoring - leading to physical theft. In September, thieves exploited the vulnerability "opened" by the cyberattack. They calmly cut through doors with angle grinders and used blowtorches to open display cases, stealing 4 gold nuggets weighing 6 kg worth €600,000. Among stolen items were unique 18th-19th century specimens, including the first nugget from French Guiana. Police confirm: thieves knew about disabled systems. Normally alarms would trigger and cameras would record everything, but the cyberattack prevented this. https://t.co/nyp6t5mdVa
Early in my DevOps career, I deleted a 5GB log file from a production server that was running out of space.
I ran df -h expecting to see the disk usage drop. It didn’t.
Still showed 100% full.
No errors, no warnings. Just the same disk usage as before I deleted anything.
That’s when I learned that deleting a file doesn’t always free up space immediately.
In Linux, what we think of as a “file” is actually two separate things: the filename (which is just a pointer) and the inode (which contains the actual data and metadata). When you delete a filename, you’re only removing the pointer. The inode and its data remain on disk as long as any process still has the file open.
In my case, the web server was still writing to that log file. Even though I had deleted the filename, the server process kept its file handle open. The inode stayed alive, invisible to normal file listings but still consuming disk space.
The space was only freed when I restarted the web server, which closed all its file handles.
This is why you need different commands to see the full picture:
# Check filesystem usage
- df -h
# Check actual directory sizes
- du -sh /var/log/*
# Find deleted files still open by processes
- lsof +L1
The du command shows you what’s actually using space in directories, while df shows filesystem-level usage.
When they don’t match, you often have deleted files still held open by running processes.
This is also why proper log rotation doesn’t just delete files. Tools like logrotate rename files and send signals to processes so they can close and reopen their file handles cleanly.
Three key takeaways:
1. Filenames are just pointers to inodes
2. Deletion only happens when no processes reference the inode
3. Always check both df and du when troubleshooting disk space
It’s a small detail, but understanding it can save you from confusing production incidents.
P.S. This post is adapted from a post written by @devops_inside
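Added example (not from the post above or its original author): a Python reproduction of the incident that reads `/proc/<pid>/fd` directly, which is the same source `lsof +L1` uses. `deleted_open_files()` lists descriptors whose target has been unlinked but whose inode is still live (link count zero, size still allocated); `demo()` writes a file, deletes the name while a handle is open, shows the space is still held, and shows it is released only when the handle is closed. The 1 MiB payload and the temp file are constructed for the demonstration; `/proc` is Linux-specific, so `demo()` returns None elsewhere.

```python
import os
import tempfile


def deleted_open_files(pid="self"):
    """Return (fd, link target, size in bytes) for every descriptor of `pid`
    whose file has been unlinked but is still open; what `lsof +L1` reports."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    try:
        fds = os.listdir(fd_dir)
    except OSError:            # no such process, or no permission to inspect it
        return found
    for fd in fds:
        link = os.path.join(fd_dir, fd)
        try:
            target = os.readlink(link)   # e.g. "/var/log/app.log (deleted)"
            st = os.stat(link)           # follows the link to the still-live inode
        except OSError:                  # descriptor closed while we were looking
            continue
        # The kernel appends " (deleted)" once the last name is gone; st_nlink
        # confirms no directory entry points at the inode any more.
        if target.endswith(" (deleted)") and st.st_nlink == 0:
            found.append((int(fd), target, st.st_size))
    return found


def fs_free_bytes(path):
    """The df view: free bytes on the filesystem holding `path`."""
    vfs = os.statvfs(path)
    return vfs.f_bavail * vfs.f_frsize


def demo(size=1 << 20):
    """Delete a file that a process still has open, then close the handle."""
    if not os.path.isdir("/proc/self/fd"):
        return None
    fh = tempfile.NamedTemporaryFile("wb", delete=False)
    fh.write(b"x" * size)              # constructed 1 MiB "log file"
    fh.flush()
    free_before_rm = fs_free_bytes(os.path.dirname(fh.name))
    os.unlink(fh.name)                 # the "rm": the name is gone
    free_after_rm = fs_free_bytes(os.path.dirname(fh.name))   # df: unchanged
    held = [sz for fd, _, sz in deleted_open_files() if fd == fh.fileno()]
    fd_num = fh.fileno()
    fh.close()                         # the "restart": inode finally freed
    still_there = [fd for fd, _, _ in deleted_open_files() if fd == fd_num]
    return {
        "held_bytes": held[0] if held else 0,   # what lsof +L1 would show
        "df_changed_after_rm": free_after_rm != free_before_rm,
        "released": not still_there,
    }


if __name__ == "__main__":
    print(demo())
    for fd, target, size in deleted_open_files():
        print(f"fd {fd}: {target} ({size} bytes still allocated)")
```

To inspect a running server rather than the current process, pass its pid (`deleted_open_files(1234)`); you need to be root or the same user. On a real system the fix is the one the post describes: have the process close and reopen its log (logrotate's `copytruncate` or a reload signal), or truncate the file in place with `: > /var/log/app.log` instead of deleting it, which frees the blocks immediately without touching any handle.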
🔍 SOC Threat Hunting: Turning Insight into Impact
https://t.co/LsaGq7oP57
SOC threat hunting steps in where traditional defense falls short. Analysts start with a signal, a new vulnerability, an anomaly, or threat intel, and craft a hypothesis.
With EDR and other investigative tools, they dig into system behavior to distinguish suspicious activity from normal operations.
Once a threat is confirmed, findings are communicated to response teams, defenses are fortified, and key insights feed back into the hunting process.
Explore how SOC threat hunting delivers meaningful security outcomes ⬇️
#CyberSecurity #SOCTeam #ThreatHunting #ThreatIntelligence
In the past five years, we’ve processed almost 4,000 reports in our research stack – tagging each one by priority and relevance.
These accounts stood out. They consistently publish high-quality, no-nonsense reports that often got tagged with “highprio”.
I’ve left out the usual giants (Mandiant, Microsoft, Palo Alto, etc.). This list is for the others – smaller teams or niche orgs that quietly and regularly deliver value:
@HuntressLabs @watchtowrcyber @falconforceteam @TrustedSec @TheDFIRReport @13CubedDFIR @Synacktiv @Horizon3Attack @Huntio @SpecterOps
All of them are in my “Cyber” list on X:
https://t.co/Vi3g6HWuJU
I use that list as a clean tab when I want to focus on actual work and not get pulled into politics, AI hype, or random chaos.
Might help you too.
Find out how to detect and investigate a compromise on GitHub Enterprise in our back-to-school issue, on newsstands in one week!
#blueteam #github #cybersécurité