고정된 트윗
🛡️ SOC Analyst (Tier 1) | Building in Public
What 28 days of real blue-team work looks like:
🔍 Splunk · SIEM · Log Analysis
🧠 MITRE ATT&CK · Threat Detection
💻 Kali · Ubuntu · Windows lab
📜 ISC2 Certified in Cybersecurity
English
William · SOC Analyst (Tier 1)
21.3K posts
William · SOC Analyst (Tier 1)
@WilliamInCyber
SOC Analyst (Tier 1) | Splunk · SIEM · MITRE ATT&CK | 28 hands-on labs | SA-based, UK/Gulf timezone overlap | Open to remote roles
Johannesburg, South Africa 가입일 Mart 2020
971 팔로잉911 팔로워
Built nearly this exact stack.
One tip on step 5: new-admin alerts have evasion paths ADSI/WinNT and net user can slip past naive rules.
I lab-verified that gap and filed it to SigmaHQ (#6057). Worth testing your alert against those, not just the obvious path.
Ahmedkhan@Ahmed___khaan
SIEM Detection Lab Project Steps: 1. Install Wazuh on a Linux VM to act as your central security dashboard. 2. Install the Wazuh agent and Sysmon on a Windows VM to track its background processes. 3. Use Kali or a PowerShell script to run a malicious command like whoami against the Windows VM. 4. Log into your SIEM and build a visual graph that displays successful versus failed logins. 5. Create a custom alert that triggers when a new administrative user is created.
English
Files don't delete the account goes read-only over quota.
You keep everything, just can't add new Drive/Photos/Gmail until you're back under 15GB free. ChatGPT's right here.
This is exactly why I've been eyeing self-hosting: own the storage, own the rules.
DROID@droidbuilds
If I cancel my Google One subscription right now, does my 1.67TB just disappear? 😭
English
@CyberRacheal Practicing in a home lab makes this so easy to understand 😌
English
MAC address table.
The switch reads the source MAC of each frame, records its port, and forwards future traffic there.
Unknown destination = flood all ports once, learn the reply, then unicast.
That same table is where a SOC spots MAC flooding attacks.
Cyber_Racheal@CyberRacheal
You plug an Ethernet cable into a switch port, The link light flashes bright green, Data transfers at maximum speed. How does the switch know where to send your data?🤔
English
@CyberSamuraiDev Mr. Robot was right. Every breach I've read this week came down to a human granting access, not a CVE firing. The vishing call into Charter is the cleanest example no malware, just a convincing voice. Hardest layer to patch is the one that answers the phone.
English
@WilliamInCyber In the words of Elliot Alderson, “People always make the best exploits.”
English
This is why "no exploit needed" keeps coming up.
Vishing into Entra, then Salesforce the only signal is a legit login from the wrong context.
My Hydra brute-force lab showed failed-auth is easy to catch.
The hard part is the successful login that shouldn't have happened.
PhishCore@PhishCore
"Charter Communications confirms a data breach. ShinyHunters stole millions of customer records." Someone called a charter employee on april 1st. They convinced the employee to give access to a Microsoft Entra account. With that access, they were able to get into Salesforce. the attack required no software vulnerability. it exploited an authentication process gap and the absence of phishing-resistant MFA. At least 13 million customer records confirmed exposed. names, addresses, emails, phone numbers, support tickets. Your employees face decisions like this every day. If someone asks for credentials, does your team know what to do? If you have never tested this, you do not know the answer.
English
@WilliamInCyber 😹😹😹😹
As funny as this sounds... it's highly undisputable 😹
This is a world of constant learning and practices, if you snooze you loose😹
English
The "stare at the screen and feel nothing" days are the ones nobody screenshots.
I've had a few mid-lab where nothing clicks and you just close the laptop.
Showing up the next day anyway is the whole skill.
Needed this one.
DALU🤍@iam_dalucynthia
We talk a lot about “passion for tech” but nobody talks about the days you stare at the screen and feel nothing. That’s normal too. YOU’RE NOT FAILING.
English
@somadinaaaa Yeah, can't argue with securing the pipe. I just file the VPN under "necessary, not sufficient" it does nothing once an attacker has valid creds, which is where most of my lab incidents start. Right tool, just not the last line of defense.
English
@WilliamInCyber so does every part of the internet. but we shall do the best we can and play with the cards we're given. we're all vulnerable to an extent but a vpn makes sure the tunnelling is secure.
English
"One layer, not a shield" exactly. Most incidents I see in lab work never touch the transit layer a VPN protects. They're identity (stolen creds), endpoint (malicious PowerShell), or the app itself. Encrypting the pipe does nothing if the attacker walks in with valid keys.
NetworkChuck@NetworkChuck
Using a VPN will protect you from hackers.
English
William · SOC Analyst (Tier 1) 리트윗함
Prompt injection is ranked number 1 on the OWASP Top 10 for LLM Applications.
Most SOC teams have zero detection for it.
Today I built one from scratch.
Here is how Day 2 of my SOC detection lab went 🧵
English
The scary line is "AI feature added to software you already approved."
That's a new NHI inheriting access no one reviewed.
In my AI-era lab the detection challenge was exactly that you can't alert on data access you never knew the agent had.
Visibility first, then rules.
The Hacker News@TheHackersNews
🚨 The biggest Shadow AI risk may not be a new tool. It may be an AI feature quietly added to software your company already approved. Security teams now need to know where AI is active, what data it can access, and what employees are putting into it. The piece uses 🏆 award-winning solutions as examples of how security vendors are approaching the problem. Read the full article: awards.thehackernews.com/blog/shadow-ai…
English
That "create hidden admin" payload is the detection problem I filed a SigmaHQ gap on (#6057) rogue admin creation has evasion paths that slip past surface rules.
Plus a hidden web shell for persistence.
The account creation IS the IOC worth hunting, not just the script.
The Hacker News@TheHackersNews
🛑 Popular #WordPress plugin scripts were tampered with to plant hidden backdoors. The attack hit #JavaScript used by PushEngage, OptinMonster, and TrustPulse. If a logged-in admin loaded the script, attackers could create a rogue admin account and install a hidden web shell. Over 1.2M sites run the three plugins. Read the full article: thehackernews.com/2026/06/popula…
English
@iam_dalucynthia Yeah and if you’re someone you don’t genuinely love learning you can’t do cybersecurity 😂 too much information to absorb & practice
English
@WilliamInCyber I keep telling people...the journey didn't promise to be easy, if you desire to be at the peak, you must give up what everyone else isn't willing to give up and that's comfort. Discipline will become your second name.
English
"No second click required" is the scary part. The exfil rides Copilot's own trust in a microsoft[.]com link exactly the failure I saw in prompt-injection testing: the agent treats trusted-origin input as a trusted instruction. CVE patched, but detection for this class is thin.
International Cyber Digest@IntCyberDigest
‼️🚨 This is alarming: Researchers found a one-click data exfiltration vulnerability in M365 Copilot. A single click on a trusted microsoft[.]com link let attackers pull emails, MFA codes, meeting notes, and SharePoint/OneDrive files, no permissions or second click required. Microsoft has patched it as CVE-2026-42824, rated critical.
English
Agreed it's not net-new for defenders recon, blast radius, thin defenses are old.
But one thing IS new: the agent itself is the trust boundary.
In my prompt-injection lab the untrusted input WAS the instruction.
No exploit fired, the agent just did as told with dev perms.
spencer@techspence
Coding & Computer AI agents + people who have never traditionally been “technical” == mega huge attack surfaces, big blast radius & thinnest defenses This is not “new” for defenders. Just replace AI with regular computers.
English
"Surface vs depth" is real. I'm Tier 1, not doing PHP memory research, but it scales down: I filed a SigmaHQ gap (issue #6057) and the fix only came from going one layer under the surface detection. That's where the misses hide.
Black Hat@BlackHatEvents
Learn how attackers think—and how defenders can stay one step ahead.💥In #BHUSA Briefings Burning Tears of PHP’s Memory Hardening explore the challenges, breakthroughs, and real-world implications of hardening PHP’s memory model against modern exploitation techniques. From uncovering subtle vulnerabilities to strengthening runtime defenses, this session is a must for anyone working in web security, application development, or vulnerability research. 👉 bit.ly/43ZoLCI #BHUSA #CyberSecurity #AppSec #InfoSec #SecurityResearch
English
That "AI Coding Agent trusts external input, runs with dev permissions" panel is the scariest line in the image.
I've tested prompt injection on agentic setups and that's the gap: agent inherits dev perms but treats untrusted input as trusted. No CVE needed.
Ismael Valenzuela@aboutsecurity
This week in @TheMondayBrief we dig into a pattern that is easy to miss: the work attackers do before any advisory drops. Ivanti Sentry, the PeopleSoft campaign against universities, Agentjacking, a record Patch Tuesday. Different stories, same lesson: the exploit is rarely the starting point. What makes this issue special is our guest. I am thrilled to welcome Thomas Roccia (@fr0gger_) to share his perspective on securing AI agents and the risks agentic systems introduce. If you're not subscribed yet, this is a great week to start, so it lands in your inbox every Monday 👇 open.substack.com/pub/themondayb… w/@fulmetalpackets #ThinkRedActBlue #TheMondayBrief #ThreatIntelligence #AISecurity #CyberSecurity
English
LOLBIN abuse is the part that always gets me ftp.exe and %comspec% hijacking are so quiet because the binaries are already trusted.
The detection challenge isn't seeing the process, it's catching the context.
Nice kill-chain trace.
Denise Sophy | Cybersecurity@Denise_Sophy_
Day 84 of #100DaysOfCybersecurity: Completed Sysmon Log Analysis. Traced the attack kill chain from an updater.hta foothold to Python malware. Analyzed LOLBIN abuse (ftp.exe), %comspec% hijacking, and JuicyPotato usage to get a reverse shell. #SOC #DFIR
English
Worth adding: a lot of "data collected and shared" ends up as the raw material for the attacks defenders chase later leaked creds, exposed emails feeding phishing. Privacy hygiene and security hygiene are the same fight from two angles.
Naomi Brockwell priv/acc@naomibrockwell
Our personal data is constantly being collected, sold, and shared without explicit consent. But you can fight back. This Privacy 101 guide shows 6 simple steps to protect your digital life, even if you’re just starting out.
English
The private-to-public hop is where it clicks for a lot of people.
That one public IP for the whole house is also why NAT logs matter on the SOC side when something fires, you're untangling which internal host actually did it.
Welsaid Adogu@welsaid_
Your router gives your phone a private IP. But the internet only sees your public IP ( one address for your entire house). This is exactly why network security matters 🛡️ #Cybersecurity #Neworking
English