I am not paranoid. I am just security-conscious. GSE#๒๕๔

Joined April 2010
Sorot retweeted
📣 Announcement from KQLWizard: To all the new followers—welcome aboard! 🚀 I’ve published 385 KQL detection codes on Detections.ai, all under my profile: KQLWizard. 🔐 Use invite code Slim2025 to join the community and follow me for the latest updates in detection logic, threat hunting, and Defender XDR insights. Thanks for being part of the journey! ☺️ #DetectionsAI #KQL #Detection #ThreatHunting #DefenderXDR #Sentinel #CyberSecurity
Sorot retweeted
Cracking the Beast👹: Detection Logic for a Modern RaaS Threat A proactive defense and early detection for BEAST Ransomware. Launched in early 2025 as a Ransomware-as-a-Service, Beast spreads via phishing and SMB port scanning, avoids execution in CIS countries, and employs ChaCha20 encryption with embedded metadata to prevent recovery. asec.ahnlab.com/en/90792/ #Cybersecurity #RaaS #BEAST #DefenderXDR
Sorot retweeted
Do NOT enable mail forwarding in your organization! If you really need mail forwarding enabled, make sure to set it up only for a specific group and add approved users to it. Do not enable it for everyone! Once mail forwarding is enabled, it can be configured in these ways:
- The user can set it in OWA (email forwarding settings)
- The user can create an inbox rule in Outlook or OWA
- An admin can set it up in the Microsoft 365 admin center or PowerShell
- An admin can set up a Transport rule
Why not enable it for everyone? Unrestricted forwarding can create serious security and compliance risks. Attackers who gain access to a mailbox often set up automatic forwarding to external addresses to steal data, monitor communications, or spread spam and phishing messages. This can lead to data leaks and reputation damage. Read more: o365info.com/forward-mail-po… Please double-check your configuration! #Microsoft365 #ExchangeOnline #EmailSecurity #CyberSecurity
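The post above names four places where forwarding can be configured. The script below is an added example, not part of the original post, that audits each of those four places in Exchange Online so you can see who already forwards mail and whether the tenant-wide switch allows it at all. It assumes the ExchangeOnlineManagement module is installed and that the account running it has a role that can read mailbox, inbox-rule and transport configuration; the cmdlet and property names are the standard Exchange Online ones.

```powershell
# Added example (not from the original post): audit the four forwarding paths
# listed above in Exchange Online. Assumes the ExchangeOnlineManagement module
# is installed and the caller can read mailbox and transport configuration.
Connect-ExchangeOnline

# 0. Tenant-wide switch: is automatic forwarding to external domains allowed at all?
#    AutoForwardingMode Off blocks it for everyone; Automatic means "follow the remote domain setting".
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 1. Mailbox-level forwarding (what a user sets in OWA, or an admin in the admin center / PowerShell)
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect: the place a compromised mailbox is most often abused
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Transport (mail flow) rules that copy or redirect messages, set by an admin
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo

# Remediation matching the post's advice: turn external auto-forwarding off tenant-wide,
# then allow it only for a dedicated policy scoped to an approved group.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run it periodically or after an incident; every hit in sections 1 to 3 should map to a known business reason, and anything pointing at an external domain that nobody can explain is worth treating as a possible mailbox compromise.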
Sorot retweeted
Finding misconfigs in Active Directory is free…outside of your time. Here are 9 of my favorite tools (all free): Overall - PingCastle/PurpleKnight Permissions - ADeleg/ADeleginator* Attack paths - BloodHound Applocker - Applocker Inspector* ADCS - Locksmith Logon scripts - ScriptSentry* GPO - GPOZaurr * = utterly biased, tools I made
Sorot retweeted
Bypassing static analysis - Deep Dive lorenzomeacci.com/bypassing-…
Sorot retweeted
Analysis of Beast ransomware from MDE Perspective Beast ransomware evolved from the Monster ransomware strain. They emerged as a Ransomware-as-a-Service (RaaS) in February 2025, and officially launched their Tor-based data leak site in July. As of August 2025, they have publicly disclosed 16 victim organizations from the United States, Europe, Asia, and Latin America. The victims come from various industries including manufacturing, construction, healthcare, business services, and education. As of today, at least 1008 devices running Microsoft Defender for Endpoint have been infected by Beast Ransomware, starting as early as 27 Jun 24, and the most recent incident was 24 Oct 25 (13 days ago). If you want to detect this ransomware early, monitor your endpoint SMB connections: the infected endpoint will perform an SMB discovery and spread to shared folders on the network. Look for RUN registry changes on this endpoint for persistence.🔬 #Cybersecurity #RaaS #BEAST #DefenderXDR
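The post points at two host-side signals, SMB fan-out from the endpoint and Run-key persistence. The script below is an added example, not from the original post or from AhnLab, that triages a single Windows host for both using only built-in cmdlets. It assumes an elevated PowerShell session; the "user-writable path" pattern used to flag Run entries is a coarse heuristic I chose for illustration, not an indicator published for this family.

```powershell
# Added example (not from the original post): triage one Windows endpoint for the two
# signals named above: outbound SMB fan-out and Run-key persistence. Run elevated.
# Output is for an analyst or a SIEM; nothing is changed on the host.

# 1. Outbound SMB (TCP/445) connections grouped by owning process.
#    One workstation talking to many distinct hosts on 445 is the SMB discovery pattern.
$smb = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Established', 'SynSent' }
$smb |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $_.Name
            Process     = $proc.ProcessName
            Path        = $proc.Path
            RemoteHosts = ($_.Group.RemoteAddress | Sort-Object -Unique).Count
        }
    } |
    Sort-Object RemoteHosts -Descending

# 2. Run / RunOnce keys for the machine and for every loaded user hive (HKU\<SID>).
$runPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$runPaths += Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

foreach ($path in $runPaths) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $cmd = $key.GetValue($name)
        # Heuristic (constructed for this example): entries launching from user-writable
        # locations deserve a second look; legitimate software normally lives under Program Files.
        $suspicious = $cmd -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'
        [pscustomobject]@{ Key = $path; Name = $name; Command = $cmd; Suspicious = $suspicious }
    }
}
```

The SMB section is a point-in-time snapshot, so on a busy host run it a few times or feed the same question to your EDR's network telemetry for the historical view; the Run-key section is the thing to baseline once and diff after.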
🔒 Secure Bits 💡 Triggering a Windows client to report to WSUS can be surprisingly tricky — each OS version seems to have its own magic command that works. I got tired of remembering them all and "Check for updates" is not very reliable… so here’s a one-liner that always works:
$Criteria = "IsInstalled=0"; $UpdateSession = New-Object -ComObject "Microsoft.Update.Session"; $Updates = $UpdateSession.CreateUpdateSearcher().Search($Criteria).Updates; wuauclt /reportnow; usoclient startscan
✅ Works across OS versions ✅ Forces a WSUS status report ✅ Initiates a scan for updates How do you usually force WSUS reporting? Check out also my new "Building a Secure Active Directory" course, where students learn about similar topics—horizon-secured.com/courses/… #WindowsServer #WSUS #PowerShell #SysAdmin #HorizonSecured
Sorot retweeted
The 2025 SANS #HolidayHack Challenge launched about an hour ago! Come have some fun building cybersecurity skills in this free @SANSInstitute gift to the community. sans.org/holidayhack New micro-challenges, new gamified world, new music, new game dynamics! Check it out!
Sorot retweeted
I'm playing around with the "Controlled Folder Access" feature in Microsoft Defender because we saw the following alert during a recent incident response case: C:\Windows\System32\mstsc.exe has been blocked from modifying %userprofile%\Documents\ by Controlled Folder Access. [..] Process Name: C:\Windows\System32\mstsc.exe Controlled Folder Access works by allowing only trusted apps to access protected folders. At first, I was excited and assumed that it would also block access to folders like C:\Users\Public\ and report when someone drops a binary there. However, that was not the case. I wrote a small PowerShell script that renames all executables in my home folder, and, as expected, this process was killed by Defender and an alert was generated. As Microsoft states, "Controlled Folder Access is especially useful in helping to protect your documents and information from ransomware." [1] However, do companies actually enable this feature in production? And I ask myself: Is it really useful once a ransomware group strikes? We increasingly see groups bypassing these protective mechanisms by encrypting at the ESXi level or encrypting network drives instead. [1] learn.microsoft.com/en-us/de…
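The post notes that Controlled Folder Access protects the user's profile folders but not C:\Users\Public by default. The script below is an added example, not from the original post or from Microsoft, showing how to inspect what the feature covers on a host, extend it to that folder in audit mode before committing to block mode, and read back the resulting events. It assumes an elevated PowerShell session with the built-in Defender cmdlets; the sample allowed-application path in the commented line is a placeholder.

```powershell
# Added example (not from the original post): inspect Controlled Folder Access (CFA),
# extend it to C:\Users\Public in audit mode, then read the events it produces. Run elevated.

# Current state. EnableControlledFolderAccess values:
#   0 = Disabled, 1 = Enabled (block), 2 = AuditMode,
#   3 = BlockDiskModificationOnly, 4 = AuditDiskModificationOnly
$pref = Get-MpPreference
$pref | Select-Object EnableControlledFolderAccess,
                      ControlledFolderAccessProtectedFolders,
                      ControlledFolderAccessAllowedApplications

# Audit mode logs what would have been blocked without blocking it, so the impact on
# legitimate software (backup agents, sync clients, installers) can be measured first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Add the folder the post found unprotected. Add-MpPreference appends to the list;
# Set-MpPreference with the same parameter would replace it.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Users\Public'

# Prefer allowing a specific, known application over removing a folder from protection.
# (placeholder path, constructed for this example)
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Vendor\backup.exe'

# Resulting events in the Defender operational log:
#   1123 = CFA blocked an access, 1124 = CFA audited an access (would have been blocked).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
```

Forward event IDs 1123 and 1124 to your SIEM if you adopt the feature at scale; the audit events are also the quickest way to answer the post's "do companies actually enable this" question for your own fleet, since a week of 1124 noise tells you exactly which legitimate tools would break under block mode.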
Sorot retweeted
SilentButDeadly is a powerful tool for red teamers and security researchers. It uses Windows Filtering Platform (WFP) to block cloud connectivity of EDR/AV software—like SentinelOne and Windows Defender—without terminating processes, enabling stealthy network isolation for pre-engagement testing, malware analysis, and adversarial simulations #Cybersecurity #Redteam #ImpairDefense github.com/loosehose/SilentB…
Sorot retweeted
From LNK to PlugX: Tracking UNC6384’s Zero-Day Abuse Chain arcticwolf.com/resources/blo… Chinese threat actor UNC6384 is actively exploiting a newly disclosed Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target European diplomats with PlugX malware via Canon DLL sideloading, as reported by Arctic Wolf Labs. The initial stage involves a malicious LNK file embedded in EU/NATO-themed spearphishing emails—making early detection of shortcut file execution a critical warning signal. I’ve authored a Microsoft Defender XDR detection rule to catch this abuse chain and help teams stay ahead.🤝 #Cybersecurity #ZeroDay #ZDICAN25373
Sorot retweeted
Just when you think you know your way around Linux.. binfmt_misc: Hold my beer. binfmt_misc provides a nifty way (once the attacker has gained root rights on the machine) to create a little backdoor to regain root access when the original access no longer works. This mechanism is not really known, according to blog posts and articles on the topic, which makes it a perfect fit for staying under the radar. dfir.ch/posts/today_i_learne…
Sorot retweeted
🔍 Detecting Windows Accessibility Flaw Abuse via Narrator DLL The TrustedSec blog post "Hack-cessibility: When DLL Hijacks Meet Windows Helpers" explores how attackers can exploit Windows accessibility features—like Narrator.exe—to achieve persistence and code execution via DLL hijacking, even on modern Windows systems. By planting a malicious DLL in expected paths and manipulating registry keys, attackers can trigger execution as a user or SYSTEM, and even use these techniques for lateral movement. To help defenders monitor such abuse, I’ve written a DefenderXDR detection rule tailored to these tactics.🫡 trustedsec.com/blog/hack-ces… #Cybersecurity #DllHijack #Persistence
Computer Science is not science, and it's not about computers. Got reminded about this gem from MIT the other day
It's been a while: SANS Thailand Community Night 2025 (12 Nov 2025), topic "Securing the Things That Make All the Things Work", presented by Tim Conway (SANS ICS Curriculum Lead). Register here sans.org/mlp/community-night…
Sorot retweeted
Just like chocolate and peanut butter, runZero and BloodHound are an amazing combination. Today we are introducing runZeroHound - an open source toolkit for bringing runZero Asset Inventory data into BloodHound attack graphs: runzero.com/blog/introducing…