kocka

9.9K posts

@k0ck4

c̶y̶p̶h̶e̶r̶p̶u̶n̶k̶, Crypto-anarchist, NetBSD fanboi, grsecurity and Alpinelinux evangelist. Tweets are my own. GCFA || OSCP || GXPN

Joined June 2012
188 Following, 302 Followers
kocka retweeted
Elastic Security Labs @elasticseclabs
What D4C catches across the kill chain:
- curl spawns a shell interpreter → caught at Stage 1
- Service account token check (/var/run/secrets/...) → flags Kubernetes pivot intent
- kube.py downloaded to /tmp, executed immediately → cluster-wide lateral movement begins
- Competitor mining processes killed via pkill → even that gets flagged
Real-world scenario. Real detection logic. Full MITRE ATT&CK coverage from exec to impact.
Read the full blog: go.es.io/3NWVjt2
kocka retweeted
SolidSnake @soolidsnakee
New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs. We uncovered a campaign abusing Obsidian plugins and the vault feature to deliver multi-platform payloads targeting both #Windows and #macOS. The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions, and its loader #PHANTOMPULL. A deep dive into the RAT internals is coming next. Stay tuned. elastic.co/security-labs/…
kocka retweeted
Co11ateral @co11ateral
Remote DLL Injection with Timer-based Shellcode Execution
Classic DLL injection using CreateThreadpoolTimer to execute shellcode in memory. It can help evade antivirus detection. github.com/andreisss/Remo… #apt #redteam
kocka retweeted
Suraj Malhotra @MrT4ntr4
Releasing NtWARden - Windows Analysis and Research Toolkit 🦉 github.com/mrT4ntr4/NtWar…
- Processes, Services, Network, ETW, IPC, Registry
- Kernel Callbacks, SSDT, BYOVD scanning, GDT/IDT
- Per-process analysis - direct syscalls, user hooks, etc.
- Remote Inspection
- and more!
kocka retweeted
Haidar @haider_kabibo
For people who asked before for the code implementation of the SilentHarvest technique, where you can collect Windows secrets without EDR detection and SYSTEM: Furkan has implemented it in Nim, thanks to him. Haven't tried it yet or looked at the code, but you can try it and tell.
Furkan Göksel @R0h1rr1m

I recently developed a Nim implementation of the Silent Harvest technique explained in a blog post by @haider_kabibo. With this tool, you can dump SAM + LSA Secrets without needing SYSTEM-level privilege or dumping registry hives to disk. #infosec github.com/frkngksl/Silen…

kocka retweeted
eleven red pandas @bytecodevm
Research shows how Palo Alto Cortex XDR predefined BIOC behavioral rules can be decrypted and analyzed. By understanding rule logic and built-in exceptions, attackers can adapt techniques to evade detection and bypass behavioral protections. core-jmp.org/2026/03/decryp…
kocka retweeted
Lukasz Olejnik @lukOlejnik
Chinese cyber threat actor, almost certainly Mustang Panda, launched an espionage campaign against Persian Gulf countries exactly 24 hours after the US-Israeli strikes on Iran began. The cyber operators were ready. The decryption key is literally the war's start date. The attack uses a lure disguised as a PDF showing missile strikes on a US base in Bahrain - the kind of thing genuinely circulating at the time. Upon opening the file, a chain of components installs a PlugX backdoor. Multiple decoy layers, encrypted payloads, obfuscation designed to make reverse-engineering difficult. It reliably phones home via encrypted HTTPS, using Google's DNS to hide even that traffic. The decryption key baked into the malware is 20260301@@@.
kocka retweeted
Smukx.E @5mukx
Reverse engineering undocumented Windows Kernel features to work with the EDR
TL;DR: Reverse engineering Windows internals: because sometimes the best way to fix a problem is to take the operating system apart. fluxsec.red/reverse-engine…
kocka retweeted
Sylvain Peyrefitte @citronneur
klist2kirbi is a tool that converts klist.exe output into a valid kirbi ticket! Available in kerlab: github.com/airbus-cert/ke…
🔵 The Microsoft-Windows-Security-Kerberos #ETW provider exposes event ID 202, which will monitor attempts to export session keys 🔵
kocka retweeted
BriPwn @BriPwn
Your EDR just coerced itself. 🫠 Drop a crafted LNK → MsSense.exe makes a CreateFile call → machine account hands over its Net-NTLMv2 hash over WebDAV → relay to LDAP → Shadow Credentials or RBCD. No user interaction. No exotic exploit. Just vibes and a shortcut file. If you're running Microsoft Defender for Endpoint, this one is literally about you. 👀 Full attack + detection breakdown 👇 youtu.be/30Qiq_Gt_bA #purpleteam #MDE #NTLMcoercion #detectionengineering
kocka retweeted
Mr. OS @ksg93rd
#Kernel_Security "Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel Drivers", Feb. 2026. ]-> Artifact zenodo.org/records/170475… // BYOVD attacks abuse legitimate, digitally signed Windows drivers that contain hidden flaws, allowing adversaries to slip into kernel space, disable security controls, and sustain stealthy campaigns ranging from ransomware to state-sponsored espionage. We first introduce the first dynamic taxonomy of BYOVD behavior. We propose a virtualization-based sandbox that follows every step of a driver's execution path, from the originating user-mode request down to the lowest-level kernel instructions, without requiring driver re-signing or host modifications.
kocka retweeted
clibm079 @clibm079
Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel Drivers
The document introduces a virtualization-based analysis sandbox specifically designed to detect suspicious driver interactions originating from user-mode processes. ndss-symposium.org/wp-content/upl…
SpecterHimSelf @MaybeSpecter
Splunk RCE!