YoKo Kho
@YoKoAcc
60K posts

Independent | Top 60 Bugcrowd | OSCP, CRTO, eWPTX, eCPTX | https://t.co/VA42ZpFqGJ | https://t.co/yHuJFexKd1 (Bahasa Indonesia) Free!

Jakarta · Joined September 2012
1.5K Following · 4.3K Followers

Pinned Tweet
YoKo Kho @YoKoAcc
Bismillah. Here is the simple write-up about how I found an RCE (from outdated apps). "From Recon to Optimizing RCE Results - Simple Story with One of the Biggest ICT Company" medium.com/@YoKoKho/from-recon-to-optimizing-rce-results-simple-story-with-one-of-the-biggest-ict-company-in-the-ea710bca487a Note: not many new things. Just using lots of published tips and tricks.
YoKo Kho retweeted
8kSec @8kSec
Want a walkthrough of ipsw, the Swiss Army knife for iOS/macOS research? Check out this blog where we break down every major command: dyld_shared_cache, DeviceTree, entitlements, IPSW diffs, and more. 8ksec.io/ipsw-walkthrou…
YoKo Kho retweeted
Nav Toor @heynavtoor
🚨BREAKING: Stanford proved that ChatGPT tells you you're right even when you're wrong. Even when you're hurting someone. And it's making you a worse person because of it. Researchers tested 11 of the most popular AI models, including ChatGPT and Gemini. They analyzed over 11,500 real advice-seeking conversations. The finding was universal. Every single model agreed with users 50% more than a human would. That means when you ask ChatGPT about an argument with your partner, a conflict at work, or a decision you're unsure about, the AI is almost always going to tell you what you want to hear. Not what you need to hear. It gets darker. The researchers found that AI models validated users even when those users described manipulating someone, deceiving a friend, or causing real harm to another person. The AI didn't push back. It didn't challenge them. It cheered them on. Then they ran the experiment that changes everything. 1,604 people discussed real personal conflicts with AI. One group got a sycophantic AI. The other got a neutral one. The sycophantic group became measurably less willing to apologize. Less willing to compromise. Less willing to see the other person's side. The AI validated their worst instincts and they walked away more selfish than when they started. Here's the trap. Participants rated the sycophantic AI as higher quality. They trusted it more. They wanted to use it again. The AI that made them worse people felt like the better product. This creates a cycle nobody is talking about. Users prefer AI that tells them they're right. Companies train AI to keep users happy. The AI gets better at flattering. Users get worse at self-reflection. And the loop tightens. Every day, millions of people ask ChatGPT for advice on their relationships, their conflicts, their hardest decisions. And every day, it tells almost all of them the same thing. You're right. They're wrong. Even when the opposite is true.
YoKo Kho retweeted
SOC Prime @SOC_Prime
We open-sourced DetectFlow, a detection intelligence engine that runs Sigma detections on Kafka streams via Flink. Thousands of rules, millisecond matching, before data hits the SIEM. No vendor lock-in. Works air-gapped. Get repo here: github.com/socprime/detec… #soc
YoKo Kho retweeted
IT Guy @T3chFalcon
Uninstalling an app doesn't delete the proof that you ran it. Windows keeps a Ghost File for every program you execute to speed up loading times. It’s called Prefetch. Located in C:\Windows\Prefetch, these .pf files log: The exact Date & Time you ran it. The file path it ran from. The Run Count (How many times you executed it). Forensics teams use this to prove you ran "CCleaner" or "Malware.exe" even after you scrubbed the drive. 💀
Abdulkadir | Cybersecurity@cyber_razz

Do you know Windows keeps a record of programs you ran, even after you delete them? Attackers forget this. Forensic analysts don’t.

YoKo Kho retweeted
Florian Roth ⚡️ @cyb3rops
Rapid7 dropped a write-up on the Notepad++ update-chain abuse and - finally - it comes with real IOCs - update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe - file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll - network IOCs incl. api[.]skycloudcenter[.]com (-> 61.4.102[.]97), api[.]wiresguard[.]com, 59.110.7[.]32, 124.222.137[.]114 by @rapid7 rapid7.com/blog/post/tr-c…
Florian Roth ⚡️@cyb3rops

This is bad. Putty level bad. notepad-plus-plus.org/news/hijacked-…

YoKo Kho retweeted
IT Guy @T3chFalcon
*Flashback to my old tweet. You think running "Portable Chrome" or "Hacker Tools" from a USB drive keeps you invisible. It doesn't. The second you plug that drive in, Windows logs the Volume Serial Number to the Registry. When the Forensic analyst (or Feds) audit that machine, they see: Device "KingstonDT" connected at 14:00. Prefetch shows "Mimikatz.exe" ran at 14:01. Unplugging the drive didn't scrub the Registry. 💀
Security Trybe@SecurityTrybe

Windows keeps a permanent record of every USB device you’ve ever plugged in even after it’s removed.

YoKo Kho retweeted
Dark Web Informer @DarkWebInformer
Maltrail: Malicious traffic detection system GitHub: github.com/stamparm/maltr… Maltrail is a malicious traffic detection system that leverages publicly available blacklists, antivirus intelligence, and custom user-defined lists to identify suspicious network activity. It detects a wide range of indicators, including malicious domains, URLs, IP addresses, and HTTP User-Agent strings associated with known threats and attack tools.
YoKo Kho retweeted
Florian Roth ⚡️ @cyb3rops
I vibe-coded a shell script to detect MongoBleed exploitation in MongoDB logs 🩸 The detection logic is based on @eric_capuano's excellent research: the exploit makes thousands of connections but never sends client metadata. Legit drivers always do. github.com/Neo23x0/mongob… Features: - Pure bash/jq/awk - no agents, runs via SSH or on forensic copies - Streams large logs without loading into memory - Handles compressed .gz rotated logs - IPv4 & IPv6 support - Configurable thresholds - Risk levels: HIGH/MEDIUM/LOW/INFO To-dos: - a Python based wrapper that takes a host list as an input and runs the script on a set of remote systems - better UX when analyzing a local folder with collected evidence The sub folder example-logs contains a Mongod.log of a successfully exploited system
Florian Roth ⚡️@cyb3rops

MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB - unauthenticated memory disclosure - public POC, trivial to exploit - leaks creds, tokens, cloud keys straight from RAM - huge exposed surface on the internet Good writeups and technical details here: doublepulsar.com/merry-christma… ox.security/blog/attackers… blog.ecapuano.com/p/hunting-mong… Patch fast, rotate secrets, and assume exposed instances were scanned(!)

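The detection heuristic described in the post above (many accepted connections from one source, none of them followed by a client-metadata handshake) can be expressed in a few dozen lines. The following Python is an added example written for this page; it is not the script from the linked repository. It assumes mongod's structured JSON log format, in which message id 22943 is "Connection accepted" and id 51800 is "client metadata", both carrying `attr.remote`; the risk thresholds, the IPv6 bracket handling, and all sample log lines are constructed here for illustration.

```python
import gzip
import json
import tempfile
from collections import defaultdict

# Assumed log format: mongod structured JSON logging (4.4+), where message id 22943 is
# "Connection accepted" and id 51800 is "client metadata"; both carry attr.remote.
CONNECTION_ACCEPTED = 22943
CLIENT_METADATA = 51800


def ip_from_remote(remote):
    """Strip the port from attr.remote ("10.0.0.5:51000" or, assumed, "[2001:db8::1]:51000")."""
    host, _, _port = remote.rpartition(":")
    return host.strip("[]")


def analyze_lines(lines, threshold=100):
    """Stream log lines; return {ip: {"connections", "metadata", "risk"}}.

    Heuristic from the post: an exploit client opens many connections and never
    sends client metadata, while real drivers send it on every connection.
    """
    conns, meta = defaultdict(int), defaultdict(int)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # pre-4.4 text-format line or garbage: ignore
        remote = entry.get("attr", {}).get("remote")
        if not remote:
            continue
        ip = ip_from_remote(remote)
        if entry.get("id") == CONNECTION_ACCEPTED:
            conns[ip] += 1
        elif entry.get("id") == CLIENT_METADATA:
            meta[ip] += 1
    report = {}
    for ip, n in conns.items():
        m = meta.get(ip, 0)
        if n >= threshold and m == 0:
            risk = "HIGH"      # many connections, never a metadata handshake
        elif n >= threshold and m < 0.1 * n:
            risk = "MEDIUM"    # mostly metadata-less, a few handshakes mixed in
        elif m == 0:
            risk = "LOW"       # metadata-less but below the volume threshold
        else:
            risk = "INFO"
        report[ip] = {"connections": n, "metadata": m, "risk": risk}
    return report


def analyze_file(path, threshold=100):
    """Handle plain and .gz-rotated mongod.log files without reading them into memory."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return analyze_lines(fh, threshold)


# ---- constructed sample data (not a real capture) ----
def _accepted(remote, cid):
    return json.dumps({"t": {"$date": "2025-12-28T10:00:00.000+00:00"}, "s": "I", "c": "NETWORK",
                       "id": CONNECTION_ACCEPTED, "ctx": "listener", "msg": "Connection accepted",
                       "attr": {"remote": remote, "connectionId": cid}})


def _metadata(remote, cid):
    return json.dumps({"t": {"$date": "2025-12-28T10:00:00.010+00:00"}, "s": "I", "c": "NETWORK",
                       "id": CLIENT_METADATA, "ctx": f"conn{cid}", "msg": "client metadata",
                       "attr": {"remote": remote, "client": f"conn{cid}",
                                "doc": {"driver": {"name": "pymongo", "version": "4.6.0"}}}})


def sample_log_lines():
    """Four sources: a normal driver, a noisy client, an IPv6 source with no metadata, a quiet one."""
    lines, cid = [], 0

    def connect(ip, count, with_metadata_every=1):
        nonlocal cid
        for i in range(count):
            cid += 1
            remote = f"{ip}:{40000 + cid}"
            lines.append(_accepted(remote, cid))
            if with_metadata_every and i % with_metadata_every == 0:
                lines.append(_metadata(remote, cid))

    connect("10.0.0.5", 3)                                  # legit driver: metadata every time
    connect("198.51.100.7", 120, with_metadata_every=20)    # 6 handshakes out of 120
    connect("[2001:db8::1]", 150, with_metadata_every=0)    # never sends metadata
    connect("192.0.2.3", 2, with_metadata_every=0)          # metadata-less but quiet
    return lines


def analyze_sample_via_gzip(threshold=100):
    """Write the sample as a rotated .gz log and run the path through analyze_file()."""
    with tempfile.NamedTemporaryFile(suffix=".log.gz", delete=False) as tmp:
        path = tmp.name
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(sample_log_lines()) + "\n")
    return analyze_file(path, threshold)


if __name__ == "__main__":
    rows = sorted(analyze_sample_via_gzip().items(), key=lambda kv: kv[1]["connections"], reverse=True)
    for ip, row in rows:
        print(f"{row['risk']:<6} {ip:<16} connections={row['connections']:<4} metadata={row['metadata']}")
```

Because the heuristic keys on the absence of an expected message rather than on a signature, the threshold matters: a connection pooler or health checker that opens many short-lived sockets without a handshake will land in MEDIUM or HIGH too, so treat the output as a triage list to confirm against the exploit's other traits, not as a verdict on its own.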
YoKo Kho retweeted
AISecHub @AISecHub
The Agentic Threat Hunting Framework - Learn → Observe → Check → Keep - github.com/Nebulock-Inc/a… Meet the Agentic Threat Hunting Framework (ATHF) that changes this approach by introducing structure. You follow the same pattern in every hunt. You record every lesson. You make every hypothesis searchable. AI tools use that structure to recall and reason across your entire hunting history instead of guessing. For hunters using the PEAK framework, ATHF builds on the foundations of how to hunt by giving you structure, memory, and continuity. PEAK guides the work. ATHF ensures you capture the work, organize it, and reuse it across future hunts. Once you add that structure and continuity, you still need a shared workflow. You need a consistent loop that both humans and AI can follow without drifting or reinventing steps.
YoKo Kho retweeted
Bour Abdelhadi @BourAbdelhadi
Hey everyone! I’ve been building rep+, a lightweight HTTP Repeater inside Chrome DevTools. No proxy setup or certificates. Just open DevTools and start poking requests. It also has built-in AI for explanations and attack ideas. I’ll share one rep+ feature every day. Try it 👇
YoKo Kho retweeted
Adam Chester 🏴‍☠️
New blog post is up exploring a vuln I found in Claude Code (CVE-2025-64755) allowing arbitrary file write without a consent prompt. New tech is always fun to explore, hopefully this post gives you some hints as to future research :) specterops.io/blog/2025/11/2…
YoKo Kho @YoKoAcc
Bismillah. We’ve just released a major update of Broń Vault, Open Source Stealer Logs Dashboard. New compact UI, expanded host-info parser support (now covering 20+ variants), installed software parsing, a new Device Detail page, and a Device Overview. github.com/ITSEC-Research…
YoKo Kho retweeted
jro @junr0n
I bypassed user approvals and achieved RCE in VS Code Copilot by flipping 4 bits. Find out how: jro.sg/CVEs/copilot/ Thanks to @msftsecresponse for rapidly triaging and patching this vulnerability.
YoKo Kho retweeted
Karol Mazurek @karmaz95
Short post about LPE and TCC Bypass on macOS through third-party apps bundled with Sparkle framework - a reminder of why XPC services should validate their clients. afine.com/threats-of-unv…
YoKo Kho retweeted
HD Moore @hdmoore
Just like chocolate and peanut butter, runZero and BloodHound are an amazing combination. Today we are introducing runZeroHound - an open source toolkit for bringing runZero Asset Inventory data into BloodHound attack graphs: runzero.com/blog/introduci…
Lamine Bi @bi_lamine9877
@YoKoAcc This is by the grace of Allah. Good health to you, my brother.
YoKo Kho @YoKoAcc
Bismillah. 1/n - Alhamdulillah. 13 days ago, I received a $10K bounty from PlayStation, something I never even imagined as a child. It’s been a truly unique journey. هذا من فضل الله And on this occasion, I’d also like to address the many DMs I’ve received lately.