Nader Zaveri (@NaderZaveri)

2.9K posts

CyberSecurity Researcher • Speaker • Author • Cloud Security Architect • Senior Manager - Incident Response & Remediation • Tweets are my own

United States · Joined October 2020
1.4K Following · 1.2K Followers

Nader Zaveri reposted
Vivek | Cybersecurity (@VivekIntel):
🔎 Search Engines for Pentesters

🌐 Infrastructure / Servers
• shodan.io
• censys.io
• onyphe.io
• ivre.rocks

📡 Threat Intelligence
• app.binaryedge.io / binaryedge.io
• viz.greynoise.io
• fofa.info
• zoomeye.org
• leakix.net
• socradar.io
• pulsedive.com

🕵️ OSINT & Attack Surface
• intelx.io
• app.netlas.io
• fullhunt.io

💻 Code & Web Analysis
• grep.app
• searchcode.com
• publicwww.com
• urlscan.io

📧 Email & Identity
• hunter.io

📶 Specialized
• wigle.net → WiFi networks
• crt.sh → SSL certificates
• vulners.com → vulnerabilities
• google.com → dorks

🎯 Don't just collect tools. Use them for recon, enumeration, and validation.
#OSINT #Pentesting #CyberSecurity #BugBounty
2 replies · 203 reposts · 916 likes · 40.9K views

Nader Zaveri reposted
Fabian Bader (@fabian_bader):
Suspicious MFA authentication approval was added to Entra ID risk protections. Limited to P2 customers 😢
[image attached]
13 replies · 38 reposts · 241 likes · 18.1K views

Nader Zaveri reposted
Steven Lim (@0x534c):
Monitoring Claude Cowork on Microsoft 365 🔍

Claude Cowork, Anthropic's agentic AI, goes beyond chat—it acts as a hands‑on desktop assistant (macOS/Windows) capable of executing complex, multi‑step tasks. With direct access to files, browsers, and apps, it can generate documents, organize data, and manage workflows.

But defenders, here's the key risk:
👉 Any device running Claude Cowork may be accessing Microsoft 365 data (SharePoint, OneDrive, Teams, Outlook) via the M365 Connector for Claude.

By monitoring both endpoint signals and connector activity, defenders gain visibility into where governance decisions meet user behavior—ensuring connector risks are identified and contained before they escalate.

KQL Code: github.com/SlimKQL/Detect…
#Cybersecurity #Claude #AgenticAI #Compliance #DefenderXDR
[image attached]
2 replies · 44 reposts · 161 likes · 8.5K views

Nader Zaveri reposted
Vaishnavi (@_vmlops):
MICROSOFT OPEN-SOURCED THEIR ENTIRE SENTINEL SECURITY TOOLKIT

most teams building on azure figure out threat detection the hard way: trial and error, custom KQL, dashboards built from nothing, playbooks written by hand

nobody told them it was already done

the sentinel github repo has:
▫️ 1000+ pre-built threat detection rules
▫️ hunting queries for active threat investigation
▫️ automated response playbooks
▫️ security workbooks + dashboards
▫️ data connectors for 100s of sources

the hard part was already done

github.com/Azure/Azure-Se…
17 replies · 191 reposts · 936 likes · 90.9K views

Nader Zaveri reposted
The DFIR Report (@TheDFIRReport):
We identified an exposed server that provided unusual visibility into a large-scale, multi-victim exploitation and collection operation.

Artifacts on the host showed that Claude Code and OpenClaw were embedded in the operator's day-to-day workflow, supporting troubleshooting, orchestration, and refinement of the collection pipeline.

Logs indicated more than 900 confirmed compromises, with tens of thousands of harvested .env files spanning AI, cloud, payments, databases, messaging and more.

Read the full report: thedfirreport.com/2026/04/22/bis…
[image attached]
3 replies · 68 reposts · 224 likes · 47.3K views

Nader Zaveri reposted
Vivek | Cybersecurity (@VivekIntel):
Tool to monitor and analyze your internet traffic in real time
• Live traffic stats, charts & connection insights
• Detect services, protocols, trojans (6000+)
• View IP geolocation, ASN & domains
• Export traffic as PCAP for analysis
• Alerts + blacklist suspicious connections

github.com/GyulyVGC/sniff…
#NetworkSecurity #CyberSecurity #BlueTeam
[4 images attached]
10 replies · 148 reposts · 848 likes · 61.2K views

Nader Zaveri reposted
MagicSword (@magicswordio):
MagicSword now integrates LOLExfil and ExtSentry, two community intelligence sources that close two of the widest gaps in endpoint security.

⚙️ LOLExfil: 200+ tools attackers use to get your data out. Blocked.
🧩 ExtSentry: malicious and compromised browser extensions. Blocked.

No rules to write. No lists to maintain. Automated.

This integration is built on the work of @mthcht2, threat hunter, detection engineer, and the mind behind LOLExfil, ExtSentry, ThreatHunting-Keywords, LOLC2, BADGUIDs, and more. Projects like these represent the best of community-driven security research: freely available, actively maintained, and built for operational use.

Why it matters: attackers rarely show up with suspicious software. They use the same tools already installed on the system: file transfer utilities, cloud backup clients, remote access tools, browser extensions with broad permissions. The same tools IT teams use every day.

In December 2024, a single phishing campaign compromised 35 Chrome extensions and exposed 2.6 million users. None of it looked malicious. Now it gets blocked.

👉 magicsword.io/blog/lolexfil-…
1 reply · 21 reposts · 74 likes · 22.7K views

Nader Zaveri reposted
Nextron Research ⚡️ (@nextronresearch):
Mandiant released gopacket, a Go rewrite of Impacket.

After compiling the tools, THOR detected 9 of 62 hacktools immediately through generic rules, including:
170ef61d8089a3c57ed1a078f81af7e4a433321c6a96b2a96e35a950dc0834e0
1badb2936e22803cceca5bf792fb1b8376af0b1cd920569458107ed473220d1f
481e7b5bc44a924d048d054fc8d165b8427d3a2ba5e7a24e255c47f53d5fefa3

We've since added coverage for the remaining tools.

That is a big part of what sets Nextron apart. When new tooling appears, a good part is often already covered by our generic detection logic, before we even add dedicated rules.

github.com/mandiant/gopac…
[3 images attached]
4 replies · 43 reposts · 171 likes · 48.6K views

Nader Zaveri reposted
Hacking Articles (@hackinarticles):
🔴 Active Directory Attack Architecture – Visualized Like Never Before

If you're into Red Teaming / AD Exploitation, this is 🔥

This interactive map breaks down how attackers move from initial access ➝ domain dominance using real-world techniques.

💡 Why it matters:
Modern cyber attacks don't happen in one step — they follow structured paths like reconnaissance, exploitation, lateral movement, and privilege escalation.

🎯 What you'll learn:
• Attack paths inside AD
• Privilege escalation chains
• Lateral movement techniques
• Real attacker mindset

🧠 Think like an attacker → defend like a pro

🔗 Explore here: kypvas.github.io/ad_attack_arch…
#cybersecurity #redteam #activedirectory #pentesting #infosec #ethicalhacking #mitreattack #oscp
[image attached]
0 replies · 59 reposts · 292 likes · 13.2K views

Nader Zaveri reposted
David das Neves (@david_das_neves):
Zero Trust Explorer (by Merill Fernando): interactive map of M365/Azure security controls across identity, devices, apps, and data. Great way to see how Entra ID, Defender, Intune, and Purview fit together in real architectures.

buff.ly/5cBFqy6
#ZeroTrust
[image attached]
2 replies · 27 reposts · 191 likes · 14.3K views

Nader Zaveri reposted
Florian Roth ⚡️ (@cyb3rops):
Many of you know the Linux #auditd config I've maintained for years. It was always meant to be a simplified, detection-agnostic baseline for #Linux 🐧

We've now changed the way it works ⚡️

The core idea is: audit.rules should act as the sensor, not the detection engine

That means:
- generic process_creation
- fewer brittle per-binary rules
- better portability
- CI validation

We preserved the old baseline as v0.1.0 and released v0.2.0 as the new streamlined model

github.com/Neo23x0/auditd…
co-op with @petri_ph
4 replies · 61 reposts · 278 likes · 31.1K views

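The "sensor, not detection engine" split in the post above means the rule file only tags execve calls with a key, and everything else happens downstream on a normalized event. The Python below is an added example of that downstream step; it is not code from the Neo23x0/auditd repository or from the post. It joins the SYSCALL, CWD and EXECVE records that share one audit event id into a process_creation event, decodes the hex-encoded argument form auditd uses for arguments containing spaces, and only then applies a detection. The log lines, the `process_creation` key name and the download-and-execute rule are constructed for the example.

```python
import re
import shlex
from collections import OrderedDict

# Constructed sample audit.log records (not from the repository or the post).
# Event 4567 is a bash -c execution whose a2 argument is hex-encoded, which
# auditd does when an argument contains spaces or non-printable bytes.
# Event 4568 is cron starting with no login session (auid=4294967295).
# The key name "process_creation" is assumed; it is whatever -k value the
# rule file attaches to its execve rules.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="process_creation"
type=CWD msg=audit(1700000000.123:4567): cwd="/home/alice"
type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="bash" a1="-c" a2=6375726C202D7320687474703A2F2F6578616D706C652E696E76616C6964207C2062617368
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="process_creation"
type=EXECVE msg=audit(1700000000.456:4568): argc=1 a0="/usr/sbin/cron"
type=PROCTITLE msg=audit(1700000000.456:4568): proctitle=2F7573722F7362696E2F63726F6E
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens: the value is either "quoted" or a bare run of non-space chars.
# Chunked long arguments (a1[0]=..., a1[1]=...) are not handled by this parser.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def parse_fields(body):
    """Split a record body into raw key=value tokens, quotes preserved."""
    return dict(FIELD_RE.findall(body))


def decode_value(raw):
    """A quoted value is literal; a bare run of uppercase hex is an auditd-encoded string."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit_log(text, key="process_creation"):
    """Join SYSCALL/CWD/EXECVE records by event id into process_creation events."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line or a record format this parser does not know
        recs = events.setdefault((m["ts"], m["serial"]), {})
        recs.setdefault(m["type"], []).append(parse_fields(m["body"]))

    out = []
    for (ts, serial), recs in events.items():
        sc = recs.get("SYSCALL", [{}])[0]
        if decode_value(sc.get("key", "")) != key or "EXECVE" not in recs:
            continue  # not tagged by the process_creation rule, or no argv record
        ex = recs["EXECVE"][0]
        argv = [decode_value(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        cwd = recs.get("CWD", [{}])[0].get("cwd", '""')
        out.append({
            "timestamp": float(ts),
            "serial": int(serial),
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "uid": int(sc["uid"]),
            "auid": int(sc["auid"]),  # 4294967295 = no login session (daemons)
            "exe": decode_value(sc.get("exe", '""')),
            "comm": decode_value(sc.get("comm", '""')),
            "cwd": decode_value(cwd),
            "argv": argv,
            "cmdline": shlex.join(argv),
        })
    return out


# Detection lives outside the sensor: a rule over the normalized event rather
# than a per-binary audit rule. This one flags "fetch something, pipe it to a shell".
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")


def detect_download_and_execute(events):
    return [e for e in events if PIPE_TO_SHELL.search(e["cmdline"])]


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for e in parsed:
        print(e["serial"], e["pid"], e["auid"], e["cwd"], e["cmdline"])
    for hit in detect_download_and_execute(parsed):
        print("ALERT download-and-execute:", hit["cmdline"])
```

Because the parser keys on the audit event id rather than on which binary was executed, swapping the detection (the regex at the bottom) never requires touching audit.rules, which is the portability argument the post makes.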
Nader Zaveri reposted
Brendan Falk (@BrendanFalk):
To check if your Google Workspace has been compromised by the same tool that compromised Vercel:

1. Go to admin.google.com/ac/owl/list?ta… - This is Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps
2. Filter by ID = …v79i7bbvqj.apps.googleusercontent.com - This is the ID of the compromised OAuth app

If you see an app after filtering, you have potentially been compromised
[image attached]
62 replies · 748 reposts · 4.5K likes · 1M views

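The console filter in the post tells you whether the app appears at all; for incident response you also want which users granted it, when, and with what scopes. The Python below is an added example (not Brendan's tooling, and not anything Google ships) that does that over an export of Admin SDK Reports API "token" activities. The event shape (actor.email, an "authorize" event with client_id / app_name / scope parameters) is assumed from the Reports API documentation; the activities are constructed, and the client ID is a placeholder, not the truncated ID from the post.

```python
# Placeholder only: substitute the client ID from the advisory you are acting on.
SUSPECT_CLIENT_ID = "replace-with-the-reported-id.apps.googleusercontent.com"

# Scope fragments that give an app broad read access to mail, files or the directory.
SENSITIVE_SCOPE_HINTS = ("auth/gmail", "mail.google.com", "auth/drive", "auth/admin.directory")

# Constructed sample in the assumed shape of Reports API activities for
# applicationName=token. Not real audit data. alice grants twice (second time
# with a Gmail scope), bob once with a harmless scope, carol grants a different app.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2026-04-20T08:15:22.000Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": SUSPECT_CLIENT_ID},
         {"name": "app_name", "value": "Helpful Integration"},
         {"name": "client_type", "value": "WEB"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/userinfo.email",
                                          "https://www.googleapis.com/auth/drive"]}]}]},
    {"id": {"time": "2026-04-21T17:02:09.000Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": SUSPECT_CLIENT_ID},
         {"name": "app_name", "value": "Helpful Integration"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/userinfo.email"]}]}]},
    {"id": {"time": "2026-04-21T09:40:00.000Z", "applicationName": "token"},
     "actor": {"email": "carol@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "111111111111-benign.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar Helper"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
    {"id": {"time": "2026-04-22T11:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": SUSPECT_CLIENT_ID},
         {"name": "app_name", "value": "Helpful Integration"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]}]}]},
]


def _params(event):
    """Flatten the parameters array into a dict; multiValue wins over value."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def find_grants(activities, client_id_suffix):
    """One finding per user who authorized a client whose ID ends with the suffix.

    Suffix matching lets you paste the visible tail of an ID from a truncated
    screenshot; pass the full ID when you have it.
    """
    by_user = {}
    for act in activities:
        user = act.get("actor", {}).get("email", "<unknown>")
        when = act.get("id", {}).get("time", "")
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            cid = p.get("client_id") or ""
            if not cid.endswith(client_id_suffix):
                continue
            scopes = p.get("scope") or []
            if isinstance(scopes, str):
                scopes = [scopes]
            f = by_user.setdefault(user, {
                "user": user, "client_id": cid, "app_name": p.get("app_name"),
                "grants": 0, "first_seen": when, "scopes": set(),
            })
            f["grants"] += 1
            f["first_seen"] = min(f["first_seen"], when)
            f["scopes"].update(scopes)
    findings = []
    for f in sorted(by_user.values(), key=lambda x: x["user"]):
        f["scopes"] = sorted(f["scopes"])
        f["sensitive"] = any(h in s for s in f["scopes"] for h in SENSITIVE_SCOPE_HINTS)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_grants(SAMPLE_ACTIVITIES, SUSPECT_CLIENT_ID):
        level = "SENSITIVE" if f["sensitive"] else "limited"
        print(f"{f['user']}: {f['grants']} grant(s), first {f['first_seen']}, {level}: {f['scopes']}")
```

For each user the function returns, the containment step is to revoke the grant (the Directory API `tokens.delete` call takes the user and the client ID) and then review that user's Drive and Gmail activity from `first_seen` onward; the scope list tells you which of those reviews matters.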
Nader Zaveri reposted
Steven Lim (@0x534c):
"So WSUS with HTTPS is secure, you said? 😂"

Turns out… not really.

According to the excellent research by Alexander Neff and Phil Knüfer in "Using ADCS to Attack HTTPS‑Enabled WSUS Clients," a misconfigured ADCS environment can completely undermine HTTPS‑protected WSUS.

They demonstrate how overly permissive certificate templates—especially those allowing user‑defined subject names and limited to the Server Authentication EKU—let an attacker obtain a trusted certificate and impersonate a WSUS server. Combine that with classic WSUS interception techniques, and suddenly you can push malicious updates that run with full admin privileges on Windows clients, all while the traffic looks perfectly valid and encrypted.

From a defender's point of view, the big question becomes: How do you detect if your WSUS clients have been talking to a hijacked WSUS server? 😅

Good news: it is detectable—and here's the KQL to help you spot it.
#Cybersecurity #WSUSHiJackAttack
[image attached]
3 replies · 45 reposts · 219 likes · 16.4K views

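The precondition in the research the post describes is a template where the enrollee supplies the subject name, the Server Authentication EKU is present (or no EKU is set at all, which means any purpose), nobody has to approve the request, and a broad group can enroll. The Python below is an added example, not the researchers' tooling and not the KQL from the post's image, that scores templates for exactly that combination so you can find them before an attacker does. Template records are constructed; the `enroll` list stands in for the Certificate-Enrollment ACEs you would read from the template's security descriptor, and the flag and OID constants are the standard ADCS values.

```python
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag: manager approval

# Principals whose enrollment right makes a template open to any domain account/computer.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_DOMAIN_RIDS = {513: "Domain Users", 515: "Domain Computers"}

# Constructed templates (assumed attribute values, not from any real forest).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TEMPLATES = [
    {"name": "WebServer-Legacy", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH_EKU],
     "enroll": [f"{DOMAIN}-513", f"{DOMAIN}-512"]},
    {"name": "WebServer-Approved", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [SERVER_AUTH_EKU], "enroll": [f"{DOMAIN}-513"]},
    # Subject built from the AD object (DNS name), not supplied by the enrollee.
    {"name": "Machine", "msPKI-Certificate-Name-Flag": 0x18000000, "msPKI-Enrollment-Flag": 0x20,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH_EKU, CLIENT_AUTH_EKU],
     "enroll": [f"{DOMAIN}-515"]},
    # No EKU at all = any purpose, so it also satisfies server authentication.
    {"name": "AnyPurposeOpen", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [], "enroll": ["S-1-5-11"]},
    {"name": "AdminOnlyWeb", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH_EKU], "enroll": [f"{DOMAIN}-512"]},
]


def broad_enrollers(sids):
    """Names of well-known broad principals among the SIDs holding the enroll right."""
    names = []
    for sid in sids:
        if sid in BROAD_SIDS:
            names.append(BROAD_SIDS[sid])
        elif sid.startswith("S-1-5-21-"):
            rid = sid.rsplit("-", 1)[-1]
            if rid.isdigit() and int(rid) in BROAD_DOMAIN_RIDS:
                names.append(BROAD_DOMAIN_RIDS[int(rid)])
    return names


def assess_template(t):
    """Score one template for the 'trusted server-auth cert for any name' precondition."""
    name_flag = int(t.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = int(t.get("msPKI-Enrollment-Flag", 0))
    ekus = list(t.get("pKIExtendedKeyUsage", []))
    broad = broad_enrollers(t.get("enroll", []))
    preconditions = {
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "server_auth_eku": SERVER_AUTH_EKU in ekus or not ekus,
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": int(t.get("msPKI-RA-Signature", 0)) == 0,
        "broad_enrollment": bool(broad),
    }
    return {
        "template": t["name"],
        "wsus_impersonation_risk": all(preconditions.values()),
        "preconditions_met": [k for k, v in preconditions.items() if v],
        "broad_enrollers": broad,
    }


def audit_templates(templates):
    return [assess_template(t) for t in templates]


if __name__ == "__main__":
    for r in audit_templates(SAMPLE_TEMPLATES):
        flag = "RISK" if r["wsus_impersonation_risk"] else "ok  "
        print(f"{flag} {r['template']:<20} {', '.join(r['preconditions_met'])}")
```

Any template flagged here lets a low-privileged account request a certificate whose subject or SAN is your WSUS server's DNS name, which is the certificate the client will accept; fixing it is a matter of clearing the supplies-subject flag, requiring approval, or narrowing who can enroll.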
Nader Zaveri reposted
Steven Lim (@0x534c):
🧑‍💻 Cross‑tenant helpdesk impersonation to data exfiltration

Microsoft's latest blog outlines a full attack chain for cross‑tenant helpdesk impersonation, but it does not provide advanced hunting KQL for the Initial Access stage — the most fundamental alert SecOps should prioritize.

My custom KQL detection for "Initial Access" fills this critical gap by ensuring defenders are notified at the very first possible contact point.

Microsoft Defender Research Blog Link: microsoft.com/en-us/security…
KQL Detection: github.com/SlimKQL/Detect…
#Cybersecurity #Helpdesk #Impersonation #Teams #DefenderXDR
[image attached]
1 reply · 29 reposts · 100 likes · 6.3K views

Nader Zaveri reposted
Threat Hunting Labs (@ThruntingLabs):
Launching today: Threat Hunting Labs private threat intelligence feed

THL enterprise customers now get access to a dedicated intel feed built around high-fidelity IOCs curated by our team, structured in STIX 2.1 and delivered over TAXII 2.1.

It integrates directly with your SIEM or security tooling. Signed webhooks if you want push delivery. No noise layers on top.

Included free for enterprise customers in year one.

If you're already a THL customer, reach out and we'll get you set up. If you're not, this is a good time to ask what that looks like.

👉 intel.threathuntinglabs.com
[image attached]
1 reply · 13 reposts · 41 likes · 35K views

Nader Zaveri reposted
AWS Security Digest (@AwsSecDigest):
TeamPCP: Cloud-Native Ransomware by Assaf Morag

Explore the alarming tactics of TeamPCP, the group behind the compromise of over 60,000 servers, with 97% being cloud workloads. Discover how they exploit Docker APIs, Kubernetes clusters, and more to deploy a privileged DaemonSet for cluster-wide persistence. Each infected host acts as a scanner, enabling worm-like propagation through your cloud infrastructure.

This was first mentioned in AWS Security Digest Issue #248: awssecuritydigest.com/past-issues/aw…

Read here: flare.io/learn/resource…
[image attached]
0 replies · 38 reposts · 148 likes · 9.7K views

Nader Zaveri reposted
Hacking Articles (@hackinarticles):
🚨 Active Directory Pentesting Lab Setup 🚨

🔥 Telegram: t.me/hackinarticles
✴ Twitter: x.com/hackinarticles

Build your own Active Directory lab to simulate real-world enterprise attacks. This setup helps security professionals practice AD exploitation techniques in a safe environment.

⚡ Lab Highlights
🖥️ Install Windows Server as Domain Controller
🌐 Configure AD DS, DNS & Domain (ignite.local)
👤 Create Users & Organizational Units
💻 Join Windows client to domain

🚀 Practice Areas
🔍 Active Directory Enumeration
🔐 Privilege Escalation
🔄 Lateral Movement
🎯 Post-Exploitation Techniques

💡 A properly configured AD lab is essential for mastering internal network attacks and red team operations.

📖 Article: hackingarticles.in/active-directo…
#ActiveDirectory #Pentesting #CyberSecurity #RedTeam #EthicalHacking #Infosec
[4 images attached]
5 replies · 86 reposts · 510 likes · 29K views

Nader Zaveri reposted
Darren Reevell (@Darren_Reevell):
RC4 Deprecation Readiness Dashboard is now live on GitHub.

If you're working through RC4 deprecation planning in Active Directory, this tool is designed to help you quickly assess your estate and identify where attention is needed.

How to use it:
1. Run the script against your Active Directory forest
2. Open the HTML dashboard
3. Upload the master CSV generated by the script

The dashboard then gives you a clear view of the data you need to support remediation planning and help move your environment toward RC4 readiness.

GitHub link below 👇
github.com/greebo-labs/rc…
#Microsoft #ActiveDirectory #WindowsServer #RC4
[image attached]
3 replies · 15 reposts · 83 likes · 8.5K views

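The attribute behind any RC4 readiness assessment is msDS-SupportedEncryptionTypes, a bitmask of the Kerberos encryption types an account advertises. The Python below is an added example, not the dashboard's script or its CSV format, that decodes that bitmask and buckets accounts the way a remediation plan needs them: already AES-only, AES-capable but still advertising RC4 or DES, RC4-only, DES-only, and accounts with the attribute unset (which fall back to the domain default and should be set explicitly). The bit values are the documented ones; the CSV rows are constructed.

```python
import csv
import io

# msDS-SupportedEncryptionTypes bit values (Kerberos etype advertisement).
ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
    0x20: "AES256_CTS_HMAC_SHA1_96_SK",
}
DES_MASK = 0x03
RC4_BIT = 0x04
AES_MASK = 0x08 | 0x10 | 0x20

# Constructed export (assumed columns, not the dashboard's real CSV).
# Values may be decimal or 0x-prefixed hex; an empty cell means the attribute is absent.
SAMPLE_CSV = """\
sAMAccountName,objectClass,msDS-SupportedEncryptionTypes
DC01$,computer,28
krbtgt,user,24
svc_sql,user,4
legacyapp$,computer,3
jdoe,user,
svc_web,user,0
fileserver$,computer,0x1f
"""

BUCKETS = ("aes-only", "aes-plus-legacy", "rc4-only", "rc4-and-des", "des-only", "unset")


def parse_value(raw):
    """Empty cell -> None (attribute absent); otherwise decimal or 0x hex integer."""
    raw = (raw or "").strip()
    if not raw:
        return None
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def decode_etypes(value):
    """Human-readable list of the etypes set in the bitmask."""
    if not value:
        return []
    return [name for bit, name in ETYPE_BITS.items() if value & bit]


def classify(value):
    """Bucket an account by what it advertises. None or 0 both mean 'nothing explicit'."""
    if not value:
        return "unset"
    legacy = value & (RC4_BIT | DES_MASK)
    if value & AES_MASK:
        return "aes-only" if not legacy else "aes-plus-legacy"
    if value & RC4_BIT:
        return "rc4-and-des" if value & DES_MASK else "rc4-only"
    return "des-only"


def readiness_report(csv_text):
    """Group accounts from the export into readiness buckets."""
    buckets = {b: [] for b in BUCKETS}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = parse_value(row["msDS-SupportedEncryptionTypes"])
        buckets[classify(value)].append(row["sAMAccountName"])
    # Policy chosen for this example: anything not already advertising AES, plus
    # unset accounts (which inherit the domain default), needs an explicit decision.
    needs_attention = (buckets["rc4-only"] + buckets["rc4-and-des"]
                       + buckets["des-only"] + buckets["unset"])
    return {"buckets": buckets, "needs_attention": needs_attention}


if __name__ == "__main__":
    report = readiness_report(SAMPLE_CSV)
    for bucket, names in report["buckets"].items():
        print(f"{bucket:<16} {len(names):>3}  {', '.join(names)}")
    print("needs attention:", ", ".join(report["needs_attention"]))
```

The "aes-plus-legacy" bucket is the one that is cheap to fix (clear the RC4 bit once the account is known to have AES keys); "rc4-only" accounts need a password reset after enabling AES so that AES keys actually exist, and the attribute alone cannot tell you whether that reset has happened.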