Pham Tai Tue

363 posts


@tuedenn

Hit and Miss, Seek and Hide. You and I, remember that: “Not all treasure’s silver and gold, mate.” I’m a man of my word, and my words are my own!

Hà Nội, Việt Nam · Joined March 2018
450 Following · 91 Followers
Pinned Tweet
Pham Tai Tue@tuedenn·
My presentation at Security Bootcamp 2024. This is the 11th edition of this conference, with the theme Humanity, over 2 days, Sep 28-29, in Phu Quoc. My presentation focuses on what, why, and how to hunt, so I named it "Let the Hunt Begin!" Check it out: github.com/tuedenn/Presen…
Pham Tai Tue retweeted
DefSecSentinel@DefSecSentinel·
🧵 The axios @npmjs compromise dropped a @macOS backdoor that closely mirrors North Korea's (@DPRK) recent WAVESHAPER backdoor. Let's take a quick look at the full intrusion:
Pham Tai Tue retweeted
Elastic Security Labs@elasticseclabs·
ElasticSecurityLabs detects the Axios npm supply chain attack across Linux, Windows & macOS. Our behavioral detections caught it without relying on static indicators. Full malware analysis dropping soon: go.es.io/488UwvJ
Pham Tai Tue retweeted
Florian Roth ⚡️@cyb3rops·
You can reduce a lot of package supply chain risk with one boring rule:
- Do not install fresh releases immediately. Use a minimum release age.
- Delay new package versions by a few days or a week.
- Let the ecosystem inspect the package before your pipeline pulls it.
In many recent cases, that delay alone would have been enough. Let everyone else, scanners, sandboxes, analysts, regexes, AI, and poor souls on incident response, look at the package first 😏
PS: pnpm has a pretty useful setting for this: minimumReleaseAge
Florian Roth ⚡️@cyb3rops

If you’re looking for ways to reduce the risk from compromised #NPM packages, here’s a solid post from Hacker News. It contains a few practical steps to harden your setup:
- Use pnpm. It’s faster, takes less space, and blocks post-install scripts by default. Most of them are useless or shady anyway.
- Set minimumReleaseAge to delay fresh packages. In recent attacks, that delay alone would’ve been enough to avoid pulling malicious versions.
- On Linux, wrap your package manager in bubblewrap. Keeps the junk from touching sensitive files like ~/.ssh
No tools to buy. No pipelines to rebuild. Just small changes that help.
Hacker News post: news.ycombinator.com/item?id=452743…
Config: pnpm.io/settings#minimumreleaseage

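The release-age rule in the two posts above, made concrete as an added example (my illustration, not pnpm's implementation): an npm packument (the JSON served at registry.npmjs.org/<name>) carries a `time` map from version to publish timestamp, so "do not install anything younger than N minutes" reduces to picking the newest stable version whose timestamp is older than the cutoff. The packument below is constructed for the example; the versions and dates are invented.

```python
"""Minimum-release-age gate over an npm packument (stand-alone illustration of
the policy; not pnpm's code)."""
import json
import re
from datetime import datetime, timedelta

# Constructed packument fragment in the shape of registry.npmjs.org/<name>.
# Only the fields the check needs; the versions and dates are made up.
SAMPLE_PACKUMENT = json.loads("""
{
  "name": "example-pkg",
  "dist-tags": {"latest": "1.4.0"},
  "time": {
    "created":    "2024-01-10T12:00:00.000Z",
    "modified":   "2024-03-20T22:15:00.000Z",
    "1.2.0":      "2024-01-10T12:00:00.000Z",
    "1.3.0":      "2024-03-02T08:30:00.000Z",
    "1.4.0-rc.1": "2024-03-15T09:00:00.000Z",
    "1.4.0":      "2024-03-20T22:15:00.000Z"
  }
}
""")

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")   # stable releases only


def _parse(ts: str) -> datetime:
    """Registry timestamps are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_age_minutes(packument: dict, version: str, now: str) -> float:
    """Minutes between the version's publish time and `now` (ISO-8601 string)."""
    return (_parse(now) - _parse(packument["time"][version])).total_seconds() / 60


def pick_version(packument: dict, min_age_minutes: int, now: str):
    """Newest stable version published at least `min_age_minutes` before `now`,
    or None when every version is too fresh. The 'time' map also holds the
    'created'/'modified' keys and prerelease tags; the regex skips those."""
    cutoff = _parse(now) - timedelta(minutes=min_age_minutes)
    eligible = [
        v for v, ts in packument["time"].items()
        if _SEMVER.match(v) and _parse(ts) <= cutoff
    ]
    if not eligible:
        return None
    return max(eligible, key=lambda v: tuple(int(p) for p in v.split(".")))


if __name__ == "__main__":
    now = "2024-03-22T00:00:00Z"
    print("dist-tags.latest :", SAMPLE_PACKUMENT["dist-tags"]["latest"])
    print("with 7-day delay :", pick_version(SAMPLE_PACKUMENT, 7 * 24 * 60, now))
    print("with no delay    :", pick_version(SAMPLE_PACKUMENT, 0, now))
```

With a seven-day delay the script resolves to 1.3.0 even though `dist-tags.latest` is 1.4.0, which is the whole point: the freshly pushed version is exactly the one a compromised maintainer account publishes. In pnpm itself the setting is `minimumReleaseAge`, expressed in minutes (for example `minimumReleaseAge: 1440` for a one-day delay). The delay only protects against versions that get pulled within hours of publication; a malicious package that has sat quietly for a week passes it, so it complements lockfiles and install-script blocking rather than replacing them.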
Aaron Jornet@RexorVc0·
🚨 Big news: New TH Book 🏹 After years in Threat Hunting, I wrote the book I always wanted when I started. The Art of Threat Hunting, practical, technical, no fluff. ⚡Hypothesis generation, queries & adaptation stuff, CTI-driven programs, documentation, team alignment. The full lifecycle. 🦖Full breakdown on the blog: rexorvc0.com 🔗Available on Amazon: amazon.com/Art-Threat-Hun… #ThreatHunting #BlueTeam #Cybersecurity #Research #CTI #Malware #threat
Pham Tai Tue retweeted
Eric Zimmerman@EricRZimmerman·
This but with DFIR. AI is going to make people dumber, not better, examiners, because most people won't do the work to verify the findings. Having to verify everything ai spits out is gonna take longer than you investing the time to actually understand the topic and doing it right the first time. There are no shortcuts.
Wise@trikcode

AI writes your code in 30 seconds. You spend 3 hours debugging what it wrote. You could have written it yourself in 45 minutes. But that would require thinking and we don't do that anymore apparently.

RussianPanda 🐼 🇺🇦@RussianPanda9xx·
Thought I was going to Vietnam, not freaking Russian Disneyland 💀 There is an insane amount of Russians here 😂
Pham Tai Tue retweeted
Hunt.io@Huntio·
💡 The PEAK Threat Hunting Framework: Full Guide and Examples hunt.io/glossary/peak-… Threat hunting works best when it’s structured. The PEAK framework (Prepare, Execute, Act with Knowledge) gives teams a clear way to run consistent, repeatable hunts instead of one-off investigations. But execution is where it often breaks, and that’s where Hunt fits in. We help analysts pivot from IOCs into full infrastructure, correlate data fast, and keep investigations moving without losing context or switching tools. #ThreatHunting #ThreatIntelligence #CyberSecurity
Pham Tai Tue retweeted
Microsoft Threat Intelligence@MsftSecIntel·
The Microsoft Defender Research team has published guidance on detecting, investigating, and defending against the sophisticated CI/CD-focused supply chain compromise involving the widely used open-source vulnerability scanner Trivy: msft.it/6016QQ6wq
Pham Tai Tue retweeted
Elastic Security Labs@elasticseclabs·
The Agentic SOC isn't a concept anymore. It's a shift in how the SOC actually functions. Observe: Centralized data, logs and events aggregated in one place. The core strength of any SIEM. Detect: Endpoint protection, cloud and identity detections, 1,700+ pre-built rules in Elastic SIEM alone. High quality alerts at scale. Act: Triage, investigate, respond. The critical final stage, and the one AI changes most. Alert triage, incident investigation, escalation, response, threat hunting. All of it can be agentic. All of it natively in Elastic. Full breakdown: go.es.io/3PFVwB7
Pham Tai Tue@tuedenn·
@sapirxfed Nice pic. Btw Viet Nam still has many more beautiful places waiting for you on your next trips
sapir federovsky@sapirxfed·
A day after arriving in Vietnam, everything changed back home. A 2-week trip turned into a month in Vietnam and Thailand.🇹🇭🇻🇳 It was an amazing month, but there’s no place like home.❤️ Back to work.🫡
Pham Tai Tue retweeted
MagicSword@magicswordio·
🔍 We’ve updated LOLRMM to better separate Remote Access Tools (RATs) from Remote Monitoring & Management (RMM) tools. Not all remote access is equal. RMMs are typically legitimate admin tools, while RATs are more often purpose-built for control and persistence. ✅207 tools classified as RMM (full management platforms: Atera, ConnectWise, NinjaRMM, Kaseya, etc.) ✅86 tools classified as RAT (VNC, RDP, SSH, tunneling, file transfer: PuTTY, TightVNC, ngrok, Tailscale, WinSCP, etc.) This change brings more clarity to the dataset, making it easier for defenders to classify behavior and build the right detections. Check it out🧩 PR → github.com/magicsword-io/…
Pham Tai Tue retweeted
Anton@Antonlovesdnb·
Going to be spinning up a little series of posts with some Blue Team specific Claude tips - follow along with #ClaudeForBlueTeam First tip - ATT&CK can be downloaded as a JSON file, which Claude loves to work with. Remember, ATT&CK has a Data Source component - use Claude to ask some questions like "What logs do I need to detect X" or "What data source do I need to enable to cover the most techniques"
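The two questions in the tip above ("what logs do I need to detect X", "which data source covers the most techniques") can be answered directly from the ATT&CK STIX bundle, with or without an LLM. The following is an added example of mine, not Anton's code and not MITRE's: in the STIX 2.1 layout MITRE publishes for enterprise-attack.json, data components are `x-mitre-data-component` objects that point at an `x-mitre-data-source`, and a `relationship` of type `detects` links a component to an `attack-pattern`. The bundle below is a hand-made fragment with that structure (three live techniques, one revoked one, three components), not the real file; the same functions apply to the full bundle once it is loaded with `json.load`.

```python
"""Rank ATT&CK data components by detection coverage, from a STIX 2.1 bundle in
the layout MITRE uses for enterprise-attack.json (added example; not MITRE code)."""
import json
from collections import defaultdict

# Hand-made fragment in enterprise-attack.json's shape. Not MITRE's data: the
# technique names/IDs are real ATT&CK ones, the object IDs and "T0000" are not.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--example", "objects": [
 {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds1", "name": "Process"},
 {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds2", "name": "Command"},
 {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc1",
  "name": "Process Creation", "x_mitre_data_source_ref": "x-mitre-data-source--ds1"},
 {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc2",
  "name": "OS API Execution", "x_mitre_data_source_ref": "x-mitre-data-source--ds1"},
 {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc3",
  "name": "Command Execution", "x_mitre_data_source_ref": "x-mitre-data-source--ds2"},
 {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "PowerShell",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
 {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Scheduled Task",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1053.005"}]},
 {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Process Injection",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
 {"type": "attack-pattern", "id": "attack-pattern--t4", "name": "Retired", "revoked": true,
  "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc1", "target_ref": "attack-pattern--t1"},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc1", "target_ref": "attack-pattern--t2"},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc1", "target_ref": "attack-pattern--t3"},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc3", "target_ref": "attack-pattern--t1"},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc3", "target_ref": "attack-pattern--t2"},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc2", "target_ref": "attack-pattern--t3"},
 {"type": "relationship", "relationship_type": "detects",
  "source_ref": "x-mitre-data-component--dc2", "target_ref": "attack-pattern--t4"}
]}
""")


def attack_id(obj):
    """Technique ID (e.g. T1059.001) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_index(bundle):
    """Map 'Source: Component' -> set of technique IDs it detects.
    Revoked and deprecated techniques are dropped so they do not inflate coverage."""
    objs = bundle["objects"]
    sources = {o["id"]: o["name"] for o in objs if o["type"] == "x-mitre-data-source"}
    components = {
        o["id"]: f'{sources.get(o.get("x_mitre_data_source_ref"), "?")}: {o["name"]}'
        for o in objs if o["type"] == "x-mitre-data-component"
    }
    techniques = {
        o["id"]: attack_id(o) for o in objs
        if o["type"] == "attack-pattern"
        and not o.get("revoked") and not o.get("x_mitre_deprecated")
    }
    detects = defaultdict(set)
    for o in objs:
        if o["type"] == "relationship" and o.get("relationship_type") == "detects":
            if o["source_ref"] in components and o["target_ref"] in techniques:
                detects[components[o["source_ref"]]].add(techniques[o["target_ref"]])
    return dict(detects)


def rank_components(bundle):
    """'Which data source covers the most techniques?' -> [(component, count), ...]"""
    detects = build_index(bundle)
    return sorted(((n, len(t)) for n, t in detects.items()), key=lambda x: (-x[1], x[0]))


def components_for(bundle, technique_id):
    """'What logs do I need to detect X?' -> sorted component names"""
    return sorted(n for n, t in build_index(bundle).items() if technique_id in t)


def greedy_cover(bundle, k):
    """Pick up to k components that together cover the most techniques
    (greedy set cover; ties broken alphabetically). Returns (chosen, covered)."""
    detects = build_index(bundle)
    covered, chosen = set(), []
    for _ in range(k):
        name = min(detects, key=lambda n: (-len(detects[n] - covered), n), default=None)
        if name is None or not detects[name] - covered:
            break                      # nothing left to gain
        chosen.append(name)
        covered |= detects[name]
    return chosen, sorted(covered)


if __name__ == "__main__":
    for name, count in rank_components(SAMPLE_BUNDLE):
        print(f"{count:3d}  {name}")
    print("T1055 needs:", components_for(SAMPLE_BUNDLE, "T1055"))
    print("best 2:", greedy_cover(SAMPLE_BUNDLE, 2))
```

The ranking alone over-counts: a component that detects 300 techniques is worth little if another one you already collect detects the same 300. `greedy_cover` handles that by scoring each candidate on the techniques it adds to what is already covered, which is the question you actually ask when deciding which telemetry to turn on next. On the full bundle, also filter `attack-pattern` objects by `x_mitre_platforms` for the environment you defend, otherwise the answer is dominated by platforms you do not run.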
Pham Tai Tue@tuedenn·
@r3nzsec @Antonlovesdnb Fantastic! I had a wow. It’s exactly what I was looking for. With so many more features than TimelineExplorer. I hope there will be versions for both Win & Linux
Pham Tai Tue retweeted
Renzon@r3nzsec·
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎 Introducing 𝗜𝗥𝗙𝗹𝗼𝘄 𝗧𝗶𝗺𝗲𝗹𝗶𝗻𝗲 — a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman’s Timeline Explorer. Every feature in this tool was shaped by real IR casework. Handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it’s in the app, it’s because I needed it mid-case and realized the standard tools fell short. No dependencies. Zero setup. Just drag, drop, and analyze. #dfir #incidentresponse #timeline #macos #threathunting #digitalforensics
Pham Tai Tue retweeted
Will@BushidoToken·
Reminder that “0apt” leak site is a likely scam operation, using big brand names to attract attention. There are no samples and no proof of these attacks yet. Analysis like this is vital to help teams not get spun up unnecessarily (a major factor that leads to analyst fatigue) 1/2
FalconFeeds.io@FalconFeedsio

0apt ransomware is a potential scam op. 💀 We analyzed 230+ victim claims, the majority were fake, with no samples or proof, and they even report companies that don’t exist. First alert by @alvieriD. Now claiming hits on 4 major UAE entities using manufactured screenshots. AI hype fuels the noise.

Pham Tai Tue retweeted
Lenny Zeltser@lennyzeltser·
The new @REMnux MCP server lets AI analyze malware using the REMnux toolkit. I was surprised at the depth of investigation it delivers. Most of my time went into capturing how I approach malware analysis and providing AI the right guidance at the right time, so it can think and adapt as it works. zeltser.com/ai-malware-ana…
Pham Tai Tue retweeted
Wes McKinney@wesmckinn·
I've used Gmail for 20 years. Almost 2M emails, 150K attachments. Rather than let Google hold my data hostage, I built msgvault: local-first email archive with a terminal UI and MCP server, powered by DuckDB. Open source, single Go binary. wesmckinney.com/blog/announcin…