CyberPatriot

@soolidsnakee @vxunderground @HackingLZ @virusbtn Makes sense :~) Will keep breaking it down until I finally understand it 😆Appreciate the great work you guys are doing! Keep it up!

@TeamOffSec @vxunderground @HackingLZ @virusbtn Hey welcome, well, we are in the AI era now hehe, The best way is to feed it to an LLM and ask it to summarize it for you in a higher level. You could also ask the LLM to explain the difficult stuff with examples etc Have fun 😄

Reposting to get as much visibility on this, the threat actor is still actively targetting crypto/finance companies We are still tracking their infra with fresh new transactions in the blockchain for domain rotation elastic.co/security-labs/… @vxunderground @HackingLZ @virusbtn @malwrhunterteam @cyb3rops #malwareanalysis #reverseengineer

@fr0gger_ When it comes to the Pyramid of Pain, where do IoPCs land? How are these prompts detected in a way where they aren't like hashes that can be easily modified? I'm assuming this has to do with the semantic detection in the NOVA rule framework, but would love an explanation on this!

🤓 Very interesting Incident Response case by Gambit Security where analysts uncovered a threat actor leveraging Claude Code and OpenAI api to breach the Mexico government infrastructure. I really appreciate the level of details in the report, especially around the Indicators of Prompt Compromise (IoPC). I extracted most of the prompts (IoPC) used in this attack and I published them into PromptIntel with the ref "MX-GOV-AI-BREACH", so you can understand the risk and take the next step to detect suspicious patterns in your environment. promptintel.novahunting.ai/feed

@magicswordio I get why vendors would be incentivized to keep the "detection cycle" going, but why would they willingly do that for their own company when they could implement your solutions and reduce the flow of alerts? Maybe I'm missing something here, but my point is the problem is deeper

@magicswordio I like the takes in this article, but want to push back against something. The claim that companies are neglecting prevention because "detection engineering is a business model" makes it sound like the security teams are purposefully leaving themselves open to attacks. Thoughts?

The top 10 attack techniques from the 2026 CrowdStrike, Red Canary, and Mandiant reports are the same techniques from 2021. From 2019. From years before that. PowerShell. WMI. cmd.exe. RMM tool abuse. Scheduled tasks. Signed binary abuse. They're enumerated in public GitHub repos. They're versioned. They have machine-readable artifacts. And most of them are blockable today with tooling that already ships with Windows. We're not writing detections because we have to. We're writing them because we've convinced ourselves prevention is impossible, while the evidence stacks up in the other direction every single year. The average eCrime breakout time is now 29 minutes. The fastest observed: 27 seconds. At that speed, detect-and-respond isn't a strategy. It's a coin flip. New blog, we pulled the receipts. 👉magicsword.io/blog/the-top-1…

@_JohnHammond Crazy how the executable was just sitting there on the host device since 2024... Wonder when the domain became expired.

This is such a cool story.

@fr0gger_ Curious if you've taken a look at this technical report yet. It reminded me of your work related to IoPC since there were logs of the actor's prompts in the report. Crazy real world impact as well!

@ipurple @M_haggis Is it that the organization's aren't using enough rules to cover these procedures or that the rules aren't specific enough in the first place? I understand the MCP server is useful for searching through existing rules for varying use cases, but still confused about this

@M_haggis Looking forward to seeing how this project progresses. In every org I’ve worked in, I’ve had to do this manually - showing the SOC that a technique has multiple procedures, and their rule only covers one of them. It’s a classic SOC and detection‑engineering gap.

🚨 Security Detections MCP v3.1 is live 🚨 8,200+ detections. 6 platforms. 1 MCP server your AI can actually reason over. Ask it: "what's our ransomware coverage?" Get a real answer across Sigma, Splunk, Elastic, KQL, Sublime, and CrowdStrike CQL. New in 3.1: 📧 900+ @sublime_sec email detections (h/t @MSAdministrator) 🛡️ CrowdStrike CQL Hub (cql-hub.com) 🤖 Feed it a CISA alert, get a PR draft back ⚡ npx -y security-detections-mcp Get it -> github.com/MHaggis/Securi…

@M_haggis In your opinion, how effective are these rules at actually detecting threats? I've recently gotten into detection engineering and was testing out Sigma rules against the acme4 dataset , but it seemed like the rules were completely overlooking the malicious traffic

@jamieantisocial Exactly! Same goes for the over-exposed scope of the macOS sandbox

there is no avoiding fundamental security principles.

@vxunderground That feeling of getting back into the swing of things is so satisfying! Hope you enjoy learning some new stuff during your cooldown :p

Experiencing some pretty hardcore burn out in malware. However, a word of advice for the noobs, or less-er experienced people in cybersecurity, "burn out" is part of the natural progression of this ecosystem and it happens to everyone. Your brain is a muscle (not literally, but brains have this dumb stuff called neuroplasticity, some nerd stuff, whatever), and just like a muscle, you need down time to heal, and science, or something. Myself personally, I tend to go through waves of absurd productivity with little to no pacing. I get extremely excited, rip through code, ... and then lose control and crash and burn. Then it takes me anywhere between a few days, ... or few weeks, ... or worse case a few months to recompose myself and get back in the game. This is a good opportunity to switch it up a little bit. Instead of going schizo on malware, I've been exploring the internet, reading about current geopolitical stuff, and reading some psychology stuff. I personally think it's important to keep "exercising" the muscle (plus I like learning), but some of my peers decompress altogether and switch to consuming high quality brain rot. Anyway, the point being, if you've been going hard and suddenly you feel disappointed, or sad, or don't feel that "spark", or feel yourself struggling to even do a few lines of code, it is almost certainly burn out. I know some nerds are kind of hard on themselves, so don't beat yourself up if you feel this way. It happens to all of us (unless you're abusing narcotics to stay locked in). Take this as a sign and use the opportunity to do something else. One day you'll be doing something and out of seemingly nowhere you'll feel that "spark" again and be like HOLY FUCK, I WANT TO CODE (or whatever you do). Pic unrelated

@Antonlovesdnb Sounds good. Excited to take a look at the course and continue following your work!

@TeamOffSec Great question, the course is on sale now, and it's lifetime access. I'd grab the course, poke around, see what interests you then go dig into that, and then you can always come back the course :)

#ClaudeForBlueTeam - Day 19 - very special edition! Launching a brand new course today: AI Cyber Defense Ops If you've been enjoying the #ClaudeForBlueTeam content and have wanted to learn how to build your own workflows using Claude, then this course is for you. I'll be going live with @_JohnHammond at 1PM EST today ( April 3rd ) to showcase it, tune in!

@SBousseaden Maybe I'm misunderstanding, but would it be possible for an attacker to rename one of the startup files, and then run the commands described in this article? Huge fan of your guys' work! Keep it up :~)

very cool research! that's why we already pushed some GenAI related EDR detection like this one #L8" target="_blank" rel="nofollow noopener">github.com/elastic/protec…

@malwareunicorn This was a really interesting read! Amazing Job! Could there be some sort of "Separation of Duties" for agents, where the agent reading the code isn't the one that's also executing it? I'm very new to this topic, but would be curious if there could be some sort of intermediator.

New blog: We found a sandbox breakout and remote dev tunnel bug in Cursor. Called it NomShub. It was fun making my vscode dev tunnel C2 dashboard pink. na2.hubs.ly/H04GPbw0

@sherrod_im @dez_ @m19o__ Woahh this would be cool! Vouch over here from a listener to the podcast

@dez_ @m19o__ Hey Joe. Would you be willing to come on the Microsoft threat intelligence podcast to talk about this ? We’re for real! thecyberwire.com/podcasts/micro…

We open sourced the tool used to detect the Axios supply chain compromise! I built it Friday after a red eye home from RSAC. Also, wrote up the full story, including the hectic moments after that first critical alert github.com/elastic/supply…

@fr0gger_ Is this TeamPCP or different this time? What's the process for analyzing supply chain attacks like this? Where do you start?

💥 Supply chain nightmare continues! Axios a widely used HTTP client got compromised. Malicious versions: - axios 1.14.1 (latest) - axios 0.30.4 (legacy) - plain-crypto-js 4.2.x (postinstall backdoor) NPM supply chain attacks are becoming more common, so I put together a short cheat sheet you can keep around to secure your pipeline.

@1ZRR4H Ooo which site is this?

83.142.209.204? 🤔

@fr0gger_ For instance, I'm really eager to learn more about threat hunting, and it can be quite tempting to just focus on learning more about creating these agentic systems, but I know there has to be a solid base of basics like understanding detection rules, windows event logs etc.

@fr0gger_ As a student, I understand the importance of being proactive and understanding tomorrow's problems and technologies today, but a lot of this came down to your strong fundamentals like you said. How would you balance learning this "old" vs "new" knowledge if you restarted today?