Isaac Dunham
343 posts

Isaac Dunham retweeted
We’re seeing a “Missing Font” ClickFix chain in the wild.
Flow:
1️⃣ Fake “Missing Font” prompt
2️⃣ Leads to a BSOD-style recovery screen
3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands
#infosec #DFIR #threatintel

I wrote a blog post detailing what logs you need in your SIEM and why.
isaacdunham.github.io/posts/what-sho…
#SIEM #SecurityOperations #SOC #DetectionEngineering #cybersecurity
Isaac Dunham retweeted

🦔 📹 Video: Building your own AI Malware Analysis Lab
➡️ old system, 16 GB RAM
➡️ using Remnux
#MalwareAnalysisForHedgehogs #LLM
youtube.com/watch?v=YOduz8…

Isaac Dunham retweeted

COMMANDER: We’re fighting for freedom. And part of that freedom… is the freedom to retire with dignity. So we’re going to start accounts called 401(k)s.
SOLDIER 1: What’s a 401(k)?
COMMANDER: It’s a retirement account. You put money in, it grows tax-free, you take it out when you’re old.
SOLDIER 2: So I don’t pay taxes on it?
COMMANDER: Well, you pay taxes later. When you withdraw.
SOLDIER 2: So it’s not tax-free.
COMMANDER: It’s…tax-deferred.
SOLDIER 2: What’s the difference?
COMMANDER: You pay taxes later instead of now.
SOLDIER 1: What if I want to pay taxes now?
COMMANDER: Then you do a Roth 401(k).
SOLDIER 3: What’s a Roth?
COMMANDER: You pay taxes now, and it grows tax-free.
SOLDIER 2: That’s what I thought the first one was.
COMMANDER: No, the first one you pay taxes later.
SOLDIER 1: Which one’s better?
COMMANDER: Depends on your tax bracket in retirement.
SOLDIER 1: …How would I…know that?
COMMANDER: You don’t. You just guess.
⸻
SOLDIER 4: What if I don’t have a 401(k) through my employer?
COMMANDER: Then you open an IRA.
SOLDIER 4: What’s the difference?
COMMANDER: One’s through your job, one’s on your own.
SOLDIER 4: Can I have both?
COMMANDER: Yes.
SOLDIER 4: Should I?
COMMANDER: Maybe.
SOLDIER 3: Can I do a Roth IRA?
COMMANDER: Only if you make under a certain amount.
SOLDIER 3: What’s the limit?
COMMANDER: Changes every year.
SOLDIER 2: What if I make too much?
COMMANDER: Then you do a backdoor Roth by putting it in a Traditional first.
SOLDIER 2: …Is that legal?
COMMANDER: Surprisingly, yes.
SOLDIER 1: What’s a backdoor Roth?
COMMANDER: You contribute to a traditional IRA, then convert it to a Roth…but watch out for “pro rata”.
SOLDIER 1: Why wouldn’t I just contribute to the Roth directly?
COMMANDER: Because you make too much money.
SOLDIER 1: But this way I can?
COMMANDER: Yes.
SOLDIER 1: That feels like a loophole.
COMMANDER: It is. But the IRS is cool with it.
⸻
SOLDIER 5: I just changed battalions. What do I do with my old 401(k)?
COMMANDER: You roll it over.
SOLDIER 5: Into what?
COMMANDER: An IRA. Or your new 401(k). Depends.
SOLDIER 5: On what?
COMMANDER: The funds. The fees. Whether your new plan accepts rollovers.
SOLDIER 5: What if I just take the money out?
COMMANDER: You’ll pay taxes plus a 10% penalty.
SOLDIER 5: What if I’m 59?
COMMANDER: Penalty.
SOLDIER 5: 59 and a half?
COMMANDER: No penalty.
SOLDIER 5: …The half matters?
COMMANDER: The half matters.
⸻
SOLDIER 3: What’s a mega backdoor Roth?
COMMANDER: Okay. So. Your 401(k) has a limit of how much you can contribute.
SOLDIER 3: Right.
COMMANDER: But the total limit including employer contributions is higher.
SOLDIER 3: Okay…
COMMANDER: So if your plan allows ~after-tax~ contributions, you can put in more, then convert that to Roth.
SOLDIER 3: Does my plan allow that?
COMMANDER: I don’t know. You have to ask Betsy.
SOLDIER 3: Will Betsy know?
COMMANDER: Probably not.
⸻
SOLDIER 2: Can I deduct my IRA contribution on my taxes?
COMMANDER: Are you covered by a retirement plan at work?
SOLDIER 2: Yes.
COMMANDER: Then only if you make under a certain amount per year.
SOLDIER 2: What’s the amount?
COMMANDER: Depends if you’re married.
SOLDIER 2: What if my wife has a plan but I don’t?
COMMANDER: Different limit.
SOLDIER 2: What if neither of us has a plan?
COMMANDER: Full deduction.
SOLDIER 2: So it’s better to not have a 401(k)?
COMMANDER: No…
⸻
SOLDIER 1: Can I just keep my money in a sock?
COMMANDER: You could. But inflation will slowly destroy it.
SOLDIER 1: What’s inflation?
COMMANDER: (sighs)…

@lillybilly299 Something that's always made me sad is that I, as a civilian not contracted by the government, am forbidden from enrolling here.
dliflc.edu
The funny thing about Duolingo and highschool Spanish, etc is that language learning is a solved problem. The military can get people conversational in a new language in like a couple months. We just mostly don't teach languages that way because fuck it I guess

Jay Alto@theJayAlto
there's an epidemic of fake learning. duolingo, tiktok, youtube. it's all entertainment cleverly disguised as education. real learning is hard. it's uncomfortable. if it feels 'fun', you probably aren't learning anything.
Risk-based alerting (only surfacing alerts that *truly* pose a risk to your organization) is all the rage in detection engineering. I threw together a guide to quickly getting started with RBA in Microsoft Sentinel.
isaacdunham.github.io/posts/risk-bas…
#DetectionEngineering #SIEM #Sentinel
Isaac Dunham retweeted

New research shows Credential Guard can still leak creds
By abusing Remote Credential Guard, attackers can request NTLMv1 challenge responses and recover NT hashes - even on fully patched Windows 11 with VBS and PPL
- Microsoft confirmed and marked it “won’t fix.”
- PoC called DumpGuard
Full write-up by @SpecterOps specterops.io/blog/2025/10/2…

I wrote a blog post about dealing with "The Modern Phish" - an email from a legitimate email address, passing all SPF/DKIM/DMARC checks, returning no results from URL scanners, and generally originating from a compromised business email address.
isaacdunham.github.io/posts/the-mode…
Isaac Dunham retweeted

And yet we can't even get users to read an email from IT
Joe Stocker@ITguySoCal
New ClickFix technique
Isaac Dunham retweeted

My intermediate level malware analysis course is there.
60% off for the next two weeks.
…nalysis-for-hedgehogs.learnworlds.com/course/interme…
Isaac Dunham retweeted

The "Malware Analysis – Intermediate Level" training by @struppigel is 60% off right now
Knowing the quality of his other content, I’d say this one’s definitely worth checking out
…nalysis-for-hedgehogs.learnworlds.com/course/interme…

Isaac Dunham retweeted

🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware
🔗gdatasoftware.com/blog/2025/08/3…
#GDATA @GDATA #GDATATechblog
Isaac Dunham retweeted

🦔 📹 New Video: There is more than Clean and Malicious
➡️ 7 file analysis verdicts and what they mean
#MalwareAnalysisForHedgehogs #Verdicts
youtube.com/watch?v=XwT23X…

Isaac Dunham retweeted

Fake DBeaver signed by "LLC Vtorsintez" 🇷🇺
MD5: 4fa9f678df14a33e2e5480d63604f811
(Too big for MalwareBazaar)
https://tria[.]ge/250711-n4tsnst1fs/behavioral1
Anti-analysis: wmic memorychip get Capacity -> exits
h/t @g0njxa
@JAMESWT_WT

@SamErde We had monitoring based on this:
learn.microsoft.com/en-us/azure/az…
KQL starting point:
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000 by bin(StartTime, 1d), DataType
| render columnchart
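An added example, not from Isaac's reply or from the Microsoft doc he links, that turns the per-DataType ingestion chart above into an alert-style check: it flags any billable log source whose last full day of ingestion collapsed against its own 7-day baseline, which is how a silently broken connector or agent shows up before anyone notices missing detections. It assumes the standard Log Analytics Usage schema (StartTime, Quantity in MB, IsBillable, DataType); the 25% threshold and minimum history are arbitrary starting points.

```kql
// Added example (not from the original post): flag log sources whose billable
// ingestion on the last full day fell far below their 7-day baseline.
// Assumes the Log Analytics Usage table schema; Quantity is in MB.
let lookback   = 8d;      // 7 baseline days + the day being checked
let drop_ratio = 0.25;    // alert when latest day < 25% of baseline (tune per workspace)
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
// only complete days: from the start of the lookback up to, not including, today
| where StartTime >= startofday(ago(lookback)) and StartTime < startofday(now())
| summarize DailyMB = sum(Quantity) by DataType, Day = startofday(StartTime)
| summarize BaselineMB = avgif(DailyMB, Day < startofday(ago(1d))),
            // coalesce: a source with no rows yesterday must count as 0, not null
            LatestMB   = coalesce(sumif(DailyMB, Day == startofday(ago(1d))), 0.0),
            Days       = dcount(Day)
          by DataType
| where Days >= 4 and BaselineMB > 0           // skip brand-new or empty sources
| extend Ratio = LatestMB / BaselineMB
| where Ratio < drop_ratio                       // silent or sharply reduced source
| project DataType,
          BaselineMB = round(BaselineMB, 1),
          LatestMB   = round(LatestMB, 1),
          Ratio      = round(Ratio, 2)
| order by Ratio asc
```

Scheduled as an analytics rule that runs once a day after the previous day's data has settled, a non-empty result is the signal that a feed stopped, and the same shape inverted (Ratio above some ceiling) catches cost spikes.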