KoifSec

110 posts

@KoifSec

Security research/detection, also writing for https://t.co/8C74RVZYox. Base64 Enjoyer. Clippy is a threat actor. BSKY https://t.co/JoPhPt9VcN

Joined December 2021
177 Following, 122 Followers
Kostas
Kostas@Kostastsale·
Today I’m launching Threat Hunting Labs. Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen. So I built something different. Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths. If you want to get better at investigating breaches, you should practice investigating breaches. More details here: threathuntinglabs.com/blog/introduci…
KoifSec
KoifSec@KoifSec·
@Kostastsale I had the pleasure of beta testing this, highly recommended if this is something you're interested in. Everything Kostas does is worth looking into!
KoifSec
KoifSec@KoifSec·
New post out! "The Red Queen’s Race: Arms Race Dynamics in Threat Detection" medium.com/@koifsec/the-r…
Jaime Medina
Jaime Medina@itsJaimeMedina·
Lots of talk about AI coding workflows. Not a lot of "here's exactly how I do it." I'm sharing my exact workflow for using 3 different AI agents (Claude Code, Codex, Gemini) to build, challenge, and fix each other's work. Nothing fancy, just plain vanilla CLI communication to ship features for @FileGrabLink, so let's break it down in this thread:
KoifSec
KoifSec@KoifSec·
If you're dealing with code packages or supply-chain risks, just open-sourced one of my tools - deps.sh - completely usable from the CLI as well. Enjoy!
KoifSec
KoifSec@KoifSec·
@ThruntingLabs I was one of the lucky firsts - I HIGHLY recommend trying this out if you get the chance - this one is different.
KoifSec reposted
Threat Hunting Labs
Threat Hunting Labs@ThruntingLabs·
We invited the first 150 users who signed up for early access. All invitees receive free credits to go through the investigations we currently have in beta. Great feedback so far!🙏 We will invite the second wave early next week! Thank you to everyone who is providing feedback!
DFIR Diva
DFIR Diva@DfirDiva·
📣 I partnered with @13CubedDFIR for a Valentine's Day Giveaway! 🎁
🏆 1 Grand Prize winner will receive one course of their choice from the list below + a 13Cubed Investigator T-Shirt.
Courses:
- Investigating Windows Endpoints
- Investigating Windows Memory
- Investigating macOS Endpoints
- Investigating Linux Devices
Each course comes with a Certificate of Completion as well as Certification attempts.
👕 5 winners will receive 13Cubed Investigator T-Shirts.
To Enter:
✅ Like
✅ Comment with the name of the course you want to win
✅ Repost
On Valentine's Day (February 14th, 2026) entries from across three social media platforms will be combined and winners will be selected.
For more info check out:
13Cubed Courses: training.13cubed.com
Certification Information: training.13cubed.com/certifications
T-Shirts: shop.13cubed.com
#DFIR #DigitalForensics #IncidentResponse
KoifSec
KoifSec@KoifSec·
Introducing the "Adversarial Detection Engineering (ADE) Framework"! Developed by myself and Nikolas Bielski, ADE aims to be for detection rules what MITRE is for attack techniques and CWE is for code. github.com/NikolasBielski… adeframework.org
KoifSec reposted
Kostas
Kostas@Kostastsale·
I came across a GhostPulse/HijackLoader intrusion via ClickFix with some interesting evasion techniques.

Starts with a PowerShell cradle (178.17.59\.26:5506) deploying an MSI dropper. The GhostPulse loader (81f9a196...) has 0 detections on VT despite being a known binary — still figuring out how it was weaponized: virustotal.com/gui/file/81f9a…

PlaneV128.exe registers a keylogger (RegisterRawInputDevices), injects into Chrome/Edge via SetThreadContext, and launches browsers in headless mode for credential harvesting. Hardware breakpoints set for anti-debugging.

PlaneV128.exe dropped sup.msi (164MB) which extracted the superintendent application during its update routine. 172MB exfil to 84.21.173.142:80 over ~18 min. Persistence via Run key (HyperPackQuickCoreator → C:\Users\\AppData\Local\MegaMaxion\superintendent.exe). The superintendent.exe binary appears to be legitimate software, currently investigating for possible DLL side-loading…

explorer.exe
└─ powershell.exe -nop -w hidden
   └─ msiexec.exe s1161271080.msi
      └─ S_Circuitr.exe
         └─ PlaneV128.exe (GhostPulse)
            ├─ chrome.exe --headless
            ├─ msedge.exe --headless
            └─ msiexec.exe sup.msi
               └─ superintendent.exe

Signed executables using ZONER/Crisp IM certificates observed throughout the chain.

Links:
• joesandbox.com/analysis/18627…
• tria.ge/260205-ce1n5sd…
• bazaar.abuse.ch/sample/d63f35e…

Hunt for PowerShell cradles paired with --headless browser launches. What's particularly interesting: multiple components have zero detection.

If you've seen similar intrusions or have insights on superintendent.exe/this chain, please comment below or reach out. cc @malwrhunterteam
KoifSec reposted
Aura
Aura@SecurityAura·
#GoreloRMM being pushed via a suspected email phishing campaign where the URL leads the user to a site with a "Download Proposal" button. This downloads a raw Gorelo installer. Same lure/tactic used as another campaign at the beginning of the month that pushed #ImmyBot. VT next
KoifSec reposted
Kostas
Kostas@Kostastsale·
This is a very interesting intrusion using deno.exe in a way I haven’t personally seen before. What stands out here is not just Deno itself, but the full execution chain and how multiple runtimes are stitched together.

It starts via an MSI that launches a VBS script. VBS acts as the initial orchestrator: it drops and runs PowerShell, installs Deno, writes a JavaScript runner to %LOCALAPPDATA%, and explicitly creates a Startup LNK for persistence. That LNK points to a hidden PowerShell command which executes deno run --allow-all romeo_worker74.cjs (good detection opportunity!!), ensuring execution on every user logon.

From there, Deno takes over as a loader/backdoor. It fingerprints the host, reaches out to sharecodepro\.com, and waits for server-delivered modules. It then kicks off a scheduled task that runs pythonw.exe from C:\ProgramData\\, executing a Python backdoor. Defender exclusions are added for the Python path to reduce visibility.

The Python component connects to 23\.94\.145\.120:9999 as its main C2 and also queries ip-api\.com for basic situational awareness. PowerShell is additionally used to retrieve more payloads (Petuhon\.zip, Smokest120\.zip), indicating parallel tooling or follow-on stages.

In short, this is a multi-stage, multi-language intrusion:
- VBS for orchestration and persistence
- PowerShell for payload delivery
- Deno as a modular execution framework
- Python as a secondary, more traditional C2 channel

Lightweight components, user-level persistence, and flexible server-driven capabilities. The execution pattern is the most interesting part here. I'll update this post if anything else.
MalwareHunterTeam@malwrhunterteam

Possible interesting "topwebcomicsv1.msi": 5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01 It is using Deno, "the next-generation JavaScript runtime". Seeing malware using Deno is not a common thing, at least yet... 🤷‍♂️

KoifSec reposted
Panos Gkatziroulis 🦄
Panos Gkatziroulis 🦄@ipurple·
📢 EDR Silencing
📖 1x Playbook - A structured breakdown of the full approach
💡 6x Procedures - Practical, reproducible techniques mapped to real-world operator workflows
🚨 1x Sigma Rule - To help defenders spot this activity
💭 Would love your thoughts ipurple.team/2026/01/12/edr…
#purpleteam #ipurple #redteam
KoifSec reposted
Kostas
Kostas@Kostastsale·
EDR Comparison Platform Update: New Interactive Comparison Experience, MITRE ATT&CK Insights, and WatchGuard EDR

We want to start by thanking everyone who supported us as early adopters. Since launching in November, the platform has already helped hundreds of consultants and enterprises navigate the complexity of EDR selection.

This new release pushes things forward with a cleaner comparison UX, deeper evaluation context using MITRE ATT&CK evaluation data, and a new vendor added: WatchGuard EDR.

We’ve also introduced Basic and Advanced tiers to better reflect how different users engage with the platform. With the Advanced tier, we’re introducing a deep dive into the technical justification and expert analysis behind every single feature in our comparison for the EDR vendors we currently support.

We’ve also expanded Enterprise options for organizations that need additional flexibility, scale, and support on top of the Advanced tier.

Check out the new tiers now: edr-comparison.com/pricing
KoifSec
KoifSec@KoifSec·
@malmoeb This is really insightful, thanks Stephan! Any good leads on how to detect this via native Windows logging? The problem is that since Python can be installed anywhere, you can't audit in advance for EID 4663. The best to do, IMO, is to audit the usual "suspect" paths.
Stephan Berger
Stephan Berger@malmoeb·
During a recent engagement, we reviewed the collected AutoRuns data from all endpoints on the network. In that dataset, we identified the following scheduled task:

Name: 523135538
Command Line: C:\programdata\cp49s\pythonw.exe

There are a few things odd here. First, the name of the Scheduled Task (some random numbers). Second, the installation path (Programdata\cp49s\). Third, Python is launched without any command-line arguments or a reference to a Python script, meaning the interpreter is started by itself.

Our initial hypothesis was DLL sideloading. After examining the Python directory, we identified a file named sitecustomize[.]py:

"Python's sitecustomize[.]py and usercustomize[.]py are scripts that execute automatically when Python starts, allowing for environment-specific customizations. Adversaries can exploit these files to maintain persistence by injecting malicious code." [1]

Path: C:\ProgramData\cp49s\Lib\sitecustomize[.]py
Content: See the image below.

So, this means that every time the Scheduled Task runs, the Python interpreter is executed, effectively loading the malicious Python file named b5yogiiy3c.dll. A pretty sneaky way, and something you should watch out for during your next hunting session or IR gig. 🤓

[1] detection.fyi/elastic/detect…
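The three hunt ideas raised in the posts above (Stephan's pythonw.exe launched with no script plus a sitecustomize.py hook, Kostas's Startup LNK running deno run --allow-all, and Kostas's PowerShell cradle paired with --headless browser launches) can be turned into a small autorun/process triage pass. The script below is an added example written for this page, not tooling from any of the posters or from their articles; the record fields (name, cmdline, ancestors), the sample records, and the rule names are constructed for the demo and are not a vendor schema. It also checks Lib/site-packages, which goes slightly beyond the single Lib path in Stephan's post, because Python imports sitecustomize from anywhere on sys.path.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample autorun/process records (not real telemetry). The field
# names are an assumption for this example. "ancestors" lists image names up
# the parent chain, nearest parent first.
SAMPLE_RECORDS = [
    {"name": "523135538",
     "cmdline": r"C:\programdata\cp49s\pythonw.exe",
     "ancestors": ["svchost.exe"]},
    {"name": "Startup LNK",
     "cmdline": r"powershell.exe -w hidden -c deno run --allow-all romeo_worker74.cjs",
     "ancestors": ["explorer.exe"]},
    {"name": "chrome",
     "cmdline": "chrome.exe --headless",
     "ancestors": ["PlaneV128.exe", "S_Circuitr.exe", "msiexec.exe", "powershell.exe"]},
    {"name": "Updater",   # benign: interpreter given a script, should not fire
     "cmdline": r'"C:\Program Files\Python312\pythonw.exe" C:\tools\updater.py',
     "ancestors": ["svchost.exe"]},
]

PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
DENO_ALLOW_ALL = re.compile(r"\bdeno\s+run\b.*--allow-all", re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line into (image path, argument string),
    honouring a double-quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s.strip('"'), ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def find_startup_hooks(install_dir):
    """List sitecustomize.py / usercustomize.py files in the places Python
    imports them from at interpreter start (stdlib dir and site-packages)."""
    hits = []
    for sub in ("Lib", "Lib/site-packages"):
        for name in ("sitecustomize.py", "usercustomize.py"):
            p = Path(install_dir) / sub / name
            if p.is_file():
                hits.append(str(p))
    return hits


def triage(records, install_dir_for=None):
    """Return (record name, rule, detail) tuples for records matching one of
    the three hunt patterns. install_dir_for maps an image path to the local
    directory to inspect; by default that is the image's parent directory."""
    if install_dir_for is None:
        install_dir_for = lambda image: Path(str(PureWindowsPath(image).parent))
    findings = []
    for rec in records:
        image, args = split_cmdline(rec["cmdline"])
        base = PureWindowsPath(image).name.lower()
        # Rule 1: interpreter started with no script, so only startup hooks run
        if base in PYTHON_IMAGES and not args:
            hooks = find_startup_hooks(install_dir_for(image))
            findings.append((rec["name"], "python_no_script",
                             ";".join(hooks) or "no sitecustomize/usercustomize found"))
        # Rule 2: Deno launched with every permission granted
        if DENO_ALLOW_ALL.search(rec["cmdline"]):
            findings.append((rec["name"], "deno_allow_all", rec["cmdline"]))
        # Rule 3: headless browser whose ancestry includes a script host/installer
        if base in BROWSER_IMAGES and "--headless" in args.split():
            hosts = [a for a in rec["ancestors"] if a.lower() in SCRIPT_HOSTS]
            if hosts:
                findings.append((rec["name"], "headless_browser_from_script_host",
                                 ",".join(hosts)))
    return findings


def make_demo_install(root):
    """Create a throwaway Python-like layout with a sitecustomize.py hook
    (constructed for the demo) and return the install directory."""
    install = Path(root) / "cp49s"
    (install / "Lib").mkdir(parents=True, exist_ok=True)
    (install / "Lib" / "sitecustomize.py").write_text("# constructed demo hook\n")
    return install


def demo():
    """Run triage over the sample records against the demo layout."""
    with tempfile.TemporaryDirectory() as tmp:
        install = make_demo_install(tmp)
        return triage(SAMPLE_RECORDS, install_dir_for=lambda image: install)


if __name__ == "__main__":
    for name, rule, detail in demo():
        print(f"{rule:34} {name}: {detail}")
```

Rule 1 is the one worth pairing with file collection: an interpreter autorun with no script is only meaningful once you look for startup hooks next to it, which is why the check takes a directory to inspect rather than trusting the command line alone. On a real host, drop the install_dir_for argument so the parent directory of the recorded image is examined.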