Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - https://t.co/jPZB2bTw71) and managed to create some detections on it.
Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
🌟New report out today!🌟
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st.
Audio: Available on Spotify, Apple, YouTube and more!
Report:⬇️
It's been a while since I last wrote a KQL query 🎯 Today, I published a blog post about #ZAP response time in #EOP and how we can analyze the timing using #KQL.
🎯 Blog : https://t.co/Hw0vypo0pw
* There may already be other approaches or queries to measure ZAP response time
🌟New report out today!🌟
Hide Your RDP: Password Spray Leads to RansomHub Deployment
Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2
🔊Audio: Available on Spotify, Apple, YouTube and more!
https://t.co/jL4oy28kS0
@RayRedacted Hey Ray, Indonesian here—I'm super happy to see Samuel's effort! I'd be happy to share cultural, activities and food recommendations if you ever visit the country!
We’re seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth token and full access to whatever’s in the victim’s Microsoft 365, Google Workspace, or AWS console.
It’s a complete inversion of how things used to be. The endpoint, once the weakest link, is now usually the most monitored, most policy-enforced part of the infrastructure. You’ve got EDRs, SIEM integration, automation, threat hunting - the full stack. But attackers don’t need to touch it anymore.
Instead, they go after the new soft spots:
- Cloud platforms, where logging is limited, expensive, or off by default
- Network devices and appliances, which are practically blind spots - obscure OSes, no EDRs, hard to monitor, hard to forensicate.
- Embedded systems and IoT junk that no one really knows how to secure, but that sit in critical network paths.
Cloud especially is a mess:
- Logging tiers cost extra and the good stuff is behind paywalls.
- Detection content is lacking, both from vendors and the community.
- You don’t get memory dumps or full control like you do on endpoints.
- You’re at the mercy of the provider when it comes to visibility and response.
And that’s the shift: attackers aren’t hacking computers anymore. They’re hacking trust relationships, identities, and APIs. The whole idea of detection and response needs to evolve with that. Otherwise, we’re securing the hell out of endpoints while attackers happily fish through mailboxes and cloud shares from halfway across the planet.
New table in Advanced Hunting 🎯 OAuthAppInfo table contains information about Microsoft 365-connected OAuth applications !! Make sure you enabled MDA App Governance !!
https://t.co/w7f1Lzfsib
Just pushed new versions of the #AADInternals and AADInternals-Endpoint modules! Some bug fixes plus support for:
1️⃣ Microsoft Authentication Library (MSAL)
2️⃣ Token Protection
3️⃣ Continuous Access Evaluation (CAE)
If you're up for some Frenglish 😛 my @DEFCON talk about the XZ backdoor is now available on YouTube!
And If you are at @BSidesMelbourne, come say hello—I’ll be presenting a shorter version of the talk there. 🤓
#infosec #threatintel
https://t.co/eveLpPNxZh
Very happy to hear my talk has been accepted to @BSidesLondon! 💂🏻🇬🇧
This is something I’ve wanted to do for a long time. Join me to hear about a new resource I’ve created to help prevent ransomware attacks 🔒☣️
Microsoft has been running massive deception campaigns that flood new phishing sites with bogus credentials for bogus companies on MS tenants. When attackers log in, they deliver a torrent of fresh threat intelligence that can be used to defend: #infosec https://t.co/hFqljCGndq
Between July 2023 and June 2024, Microsoft observed nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence, and make use of the same tools and frameworks favored by cybercriminals: https://t.co/sB1inbeUtm
I created the first draft of a website for the EDR telemetry project to help people quickly compare vendor telemetry visibility. What do you think about it? Are there any specific features you want to see for the website?
Built with ChatGPT 4o with canvas (wanted to test it out😂)
EDR Telemetry project 🔗: https://t.co/8DmXzffYVC
Our website is up and will be updated with all the latest information about the conference.
Have a look and give us your feedback!
https://t.co/8N2jRmZqdO
🎁 Today I'm giving away 3 of our DFIR Labs! 🎁
To enter:
✅Follow me
✅RT & Like this post
✅Reply with which case you'd like to take
The winners will be selected in 24 hours. #Giveaway