Philippe Tremblay 🇨🇦🇫🇷 🇺🇦

2.5K posts

@philtrem2000

Husband, father, teammate. IT Product Owner and Solution Architect with a passion for cloud, code and empowering teams.

Toronto · Joined December 2008
2.1K Following · 445 Followers
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Florian Roth ⚡️ @cyb3rops
Really enjoyed this interview by @elijahwoodward9 with @bunsofwrath12 on Team Cymru’s “Future of Threat Intelligence”. A lot of good DFIR points in there that often get ignored in enterprise envs:
- why default Win event log sizes are a forensic disaster
- why Sysmon deployments are often stale or incomplete
- the forensic value of Volume Shadow Copies and the $J USN Journal
- why EDR alone is not enough
- how true positives get buried in alert fatigue
- using AI as a force multiplier for parsing logs and writing one-off tooling, while still not treating it as forensic ground truth
Also liked the practical angle throughout the whole discussion. Felt very experience-driven, not theoretical. Worth watching: youtu.be/4KF9jkoM0V4?is…
3
46
140
17.9K
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
International Cyber Digest @IntCyberDigest
‼️🚨 Microsoft calls this "intended behaviour," so here we go. How to dump the credentials of every user stored in Microsoft Edge: 1. Open Edge. Don't browse anywhere, just open it. 2. Flip to Task Manager, find Edge, expand the task. 3. Highlight the "browser" sub-task, right-click, and choose "Create Memory Dump." 4. Open the dump file and look for credentials. The logged-in Windows user can dump every stored Edge credential with no additional rights. Which means any malware that user executes has those credentials for the asking. Thanks to Rob VandenBrink at SANS: isc.sans.edu/diary/32954
292
2.4K
13.5K
1.1M
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Vercel @vercel
Our investigation has revealed that the incident originated from a third-party AI tool with hundreds of users whose Google Workspace OAuth app was compromised. We recommend that Google Workspace Administrators check for usage of this app immediately. vercel.com/kb/bulletin/ve… (section #indicators-of-compromise-iocs)
93
377
1.7K
1.5M
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Feross @feross
We dug into this more: The blast radius is larger than it looks. Axios only needed to be resolved somewhere in the dependency graph during the window (e.g. via CLI tools, npx installs, CI jobs, etc). In some cases, you can check now and see nothing, even if it ran. 🫥 socket.dev/blog/hidden-bl…
3
12
41
5.2K
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Florian Roth ⚡️ @cyb3rops
More relevant than ever …
Quoted post from Florian Roth ⚡️ @cyb3rops:
If you’re looking for ways to reduce the risk from compromised #NPM packages, here’s a solid post from Hacker News. It contains a few practical steps to harden your setup:
- Use pnpm. It’s faster, takes less space, and blocks post-install scripts by default. Most of them are useless or shady anyway.
- Set minimumReleaseAge to delay fresh packages. In recent attacks, that delay alone would’ve been enough to avoid pulling malicious versions.
- On Linux, wrap your package manager in bubblewrap. Keeps the junk from touching sensitive files like ~/.ssh
No tools to buy. No pipelines to rebuild. Just small changes that help.
Hacker News post: news.ycombinator.com/item?id=452743…
Config: pnpm.io/settings#minimumreleaseage
1
17
125
28.1K
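As an added example (not from the post, the Hacker News thread, or pnpm itself), here is the minimum-release-age idea behind that setting as a standalone resolver over an npm registry packument's `time` map: the newest version that has been public for at least N minutes wins, so a version pushed half an hour ago is skipped. Package name, versions and timestamps are constructed.

```python
"""Added example: what a minimum release age does, as a resolver over the
registry "time" map (version -> ISO publish timestamp). Mirrors the idea of
pnpm's minimumReleaseAge (minutes); it is not pnpm's own code."""
from datetime import datetime, timedelta, timezone

# Constructed packument fragment; "example-lib" is not a real package.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "1.4.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "1.2.0": "2024-01-01T00:00:00.000Z",
        "1.3.0": "2024-06-01T00:00:00.000Z",
        "1.4.0": "2024-06-03T11:30:00.000Z",  # fresh: pushed 30 min ago
        "modified": "2024-06-03T11:30:00.000Z",
    },
}

def parse_ts(ts):
    """Registry timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def version_key(v):
    """Numeric ordering for x.y.z (pre-release tags are not handled here)."""
    return tuple(int(p) for p in v.split("."))

def select_version(packument, min_release_age_minutes, now):
    """Highest version published at least min_release_age_minutes before
    `now`; None when every published version is younger than the cutoff."""
    cutoff = now - timedelta(minutes=min_release_age_minutes)
    eligible = [
        v for v, ts in packument["time"].items()
        if v not in ("created", "modified") and parse_ts(ts) <= cutoff
    ]
    return max(eligible, key=version_key) if eligible else None

def main():
    now = parse_ts("2024-06-03T12:00:00.000Z")  # constructed "current time"
    # No delay: the 30-minute-old 1.4.0 is installed right away.
    print("no delay       ->", select_version(SAMPLE_PACKUMENT, 0, now))
    # One day (1440 min) of delay: 1.4.0 is skipped, 1.3.0 is chosen instead.
    print("1440 min delay ->", select_version(SAMPLE_PACKUMENT, 1440, now))

if __name__ == "__main__":
    main()
```

The trade-off is visible in the second call: a delay only helps if the malicious version is pulled from the registry within the window, so pair it with lockfiles rather than relying on it alone.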
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Scott Hanselman 🌮 @shanselman
daylight savings sucks Now I’m jet lagged and I haven’t even gone anywhere
12
8
220
16.5K
Rapid7 @rapid7
🚨 On 2/6/26, #BeyondTrust disclosed a critical RCE vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw has been assigned CVE-2026-1731 and a near-maximum CVSSv4 score of 9.9. More in the Rapid7 blog: r-7.co/4arAjln
9
28
68
10.4K
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Florian Roth ⚡️ @cyb3rops
Rapid7 dropped a write-up on the Notepad++ update-chain abuse and, finally, it comes with real IOCs:
- update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe
- file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll
- network IOCs incl. api[.]skycloudcenter[.]com (-> 61.4.102[.]97), api[.]wiresguard[.]com, 59.110.7[.]32, 124.222.137[.]114
by @rapid7 rapid7.com/blog/post/tr-c…
Quoted post from Florian Roth ⚡️ @cyb3rops:
This is bad. Putty level bad. notepad-plus-plus.org/news/hijacked-…
33
541
2.2K
419.5K
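Added example (not from the post or from Rapid7's write-up): the network IOCs quoted above, refanged and swept across proxy/DNS log lines on whole host/IP tokens, so a partial match such as 159.110.7.32 does not fire. The log lines are constructed, not real telemetry.

```python
"""Added example: refang the report's network IOCs and sweep log lines for
them. SAMPLE_LOGS is constructed sample data, not captured traffic."""
import re

# Network IOCs exactly as defanged in the post.
DEFANGED_IOCS = [
    "95.179.213[.]0", "api[.]skycloudcenter[.]com", "61.4.102[.]97",
    "api[.]wiresguard[.]com", "59.110.7[.]32", "124.222.137[.]114",
]

# Constructed records: two hosts, one of them reaching the listed infrastructure.
SAMPLE_LOGS = """\
2026-02-05T09:12:01Z proxy src=10.0.4.21 dst=95.179.213.0 url=http://95.179.213.0/update.exe
2026-02-05T09:12:02Z dns src=10.0.4.21 query=api.skycloudcenter.com answer=61.4.102.97
2026-02-05T09:15:40Z proxy src=10.0.4.33 dst=198.51.100.7 url=https://example.com/
2026-02-05T09:16:10Z dns src=10.0.4.33 query=notepad-plus-plus.org answer=203.0.113.10
"""

# A host or IP token: letters, digits, dots and dashes, bounded by anything else.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")

def refang(ioc):
    """Turn the report's defanged form back into a matchable host/IP."""
    return ioc.replace("[.]", ".").lower()

def sweep(logs, defanged_iocs):
    """Return [(line_no, ioc), ...] for every line that contains an IOC.
    Whole-token matching: 59.110.7.32 never fires on 159.110.7.32, and an
    IOC is reported once per line even if the line mentions it twice."""
    wanted = {refang(i) for i in defanged_iocs}
    hits = []
    for n, line in enumerate(logs.splitlines(), 1):
        found = {t.lower() for t in TOKEN_RE.findall(line)} & wanted
        hits.extend((n, ioc) for ioc in sorted(found))
    return hits

def main():
    for n, ioc in sweep(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {n}: contact with {ioc}")

if __name__ == "__main__":
    main()
```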
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Florian Roth ⚡️ @cyb3rops
For convenience: I wrote a small collector that pulls all SHA-256, SHA-1 and MD5 hashes from Notepad++ releases and compiles them into big CSV + JSON files. Use it to check if any Notepad++ installs in your org match known-good release hashes, and spot weird/malicious outliers. github.com/Neo23x0/notepa…
Quoted post from Florian Roth ⚡️ @cyb3rops:
This is bad. Putty level bad. notepad-plus-plus.org/news/hijacked-…
17
142
909
192.8K
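Added example (not from the post or from the collector repository): the consumer side of such a list, hashing files found on hosts and reporting each as known-good or as an outlier against a CSV with a `sha256` column. The CSV contents, the version string and the file blobs are constructed stand-ins, since the page carries no release hashes.

```python
"""Added example: compare SHA-256 of files on a host against a known-good
release hash list. Hashes, version "8.9.9" and file contents are constructed."""
import csv, hashlib, io, os, tempfile

def sha256_of(path):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def load_known_good(csv_text):
    """Read a CSV with at least a 'sha256' column; returns {hash: version}.
    Hashes are lower-cased so case differences never cause a false outlier."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["sha256"].strip().lower(): r.get("version", "?") for r in rows}

def classify(paths, known_good):
    """Map each path to ('known-good', version) or ('outlier', sha256)."""
    result = {}
    for p in paths:
        digest = sha256_of(p)
        if digest in known_good:
            result[p] = ("known-good", known_good[digest])
        else:
            result[p] = ("outlier", digest)  # worth triaging against the IOCs
    return result

def demo():
    """Write a constructed 'genuine' blob and a tampered copy to temp files,
    build a one-line known-good CSV from the genuine one, and classify both."""
    good_blob = b"constructed stand-in for a genuine notepad++.exe release"
    bad_blob = good_blob + b" + injected bytes"
    csv_text = ("version,file,sha256\n8.9.9,npp.exe,"
                + hashlib.sha256(good_blob).hexdigest() + "\n")
    tmp = tempfile.mkdtemp()
    paths = []
    for name, blob in (("host-a.exe", good_blob), ("host-b.exe", bad_blob)):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(blob)
        paths.append(p)
    return classify(paths, load_known_good(csv_text))

if __name__ == "__main__":
    for path, (verdict, detail) in demo().items():
        print(f"{verdict:10} {detail}  {path}")
```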
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
ian bremmer @ianbremmer
the brand new sensation that’s sweeping your nation it’s our special military operation m.youtube.com/shorts/Xq4TpiK…
16
35
148
50.1K
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
tobi lutke @tobi
My annual MRI scan gives me a USB stick with the data, but you need this commercial windows software to open it. Ran Claude on the stick and asked it to make me a html based viewer tool. This looks... way better.
1K
1.8K
33.2K
7.5M
Philippe Tremblay 🇨🇦🇫🇷 🇺🇦 reposted
Florian Roth ⚡️ @cyb3rops
What frequently happens when people read threat reports is:
1. they notice the IOCs
2. go to Virustotal and check if their org's AV covers the threat
But they shouldn't stop there. They should click on "Security vendor's analysis on: ..."
3. select the earliest date
4. check if their vendor detected the threat when it was first uploaded to VT (>= when it was seen in the wild)
This sub menu is often ignored but it can tell you a lot about the AV's ability to spot new threats
5
45
300
27.9K