kostastsale.bsky.social
@thedfirreport.bsky.social | Sharing insights in #ThreatIntel, #malware, #IR & #Threat_Hunting. Opinions are mine only! 🇬🇷🇨🇦
154 posts 1,202 followers 113 following

I found some time and wrote a blog on the fake reCAPTCHA phishing issue. Wrote a blog on how it all unfolded, the risks of making these tools widely available, and my take on the whole situation. If you're interested, give it a read! 👇 🔗

New blog post: macOS Extended Attributes: Case Study dfir.ch/posts/macos_...

LMFAO 😂

Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time www.splunk.com/en_us/blog/s.... Thrilled to share my first blog at @splunk! @mhaggis.bsky.social and I take a deep dive into the weird & exciting world of SDDL and ACEs - what they are, how they work, and how attackers can abuse them.

1/ 🚨 DFIR Teams & SOCs, It’s Time to Settle the Score! 🚨 Our first Enterprise-focused CTF is happening this summer, and it’s company vs. company in a battle of DFIR & SecOps skills! 🏆 👥 Your DFIR team vs. another. 🔍 Your SOC team vs. the best in the industry. 💼 Your ... 👇

Tesla is projected to receive a $400 million contract from the U.S. Department of State for armored EVs (www.teslarati.com/tesla-projec...) SpaceX was awarded a supplemental federal contract totaling $38 million 2 days ago. (www.levernews.com/musk-just-sc...)

DFIR specialist Mthcht has released LOLC2, a collection of C2 frameworks that leverage legitimate services to evade detection lolc2.github.io

In our new blog, Senior Security Consultant Brandon McGrath explores how to apply Retrieval-Augmented Generation (RAG) to research capabilities. Find out how he leverages AI to enhance his ops. Read it now! trustedsec.com/blog/from-ra...

๐ŸŽ™๏ธNew episode! I've made this one based on my notes on the subject๐Ÿ™‚I'll eventually turn them into a blog post that dives a bit deeper. ๐Ÿ”—Listen to it here: creators.spotify.com... โž› Parts 1๏ธโƒฃ Case Study โ€“ thedfirreport.com/20... 2๏ธโƒฃ Attacker Mistakes+Psychology 3๏ธโƒฃ Defense Strategies

I saw this in OpenEDR's Docs (now Xcitium)... Who's gonna tell em?

Ultimate Cybersecurity Career Humble Bundle! Includes: - Incident Response for Windows - The OSINT Handbook - Effective Threat Investigation for SOC Analysts and more! Link: humblebundleinc.sjv.io/kOaeod (Partner Link) #DFIR #IncidentResponse #MalwareAnalysis #Cybersecurity #OSINT

🚫 Wazuh is not eligible for the EDR Telemetry Project. Many have asked me to add Wazuh, but after checking it out, I confirm it is NOT eligible. Wazuh is NOT an EDR! It lacks native telemetry and response actions, acting more as a log collector. Details: www.edr-telemetry.com/eligibility....

Loving the "Code Insights" from VT!! 🔥 It can save you time, but make sure to always validate by confirming the execution flow under the "Behavior" tab. I assume this is where the AI is reading the info from to create the summary, so it is less likely to make a mistake, but always validate anyway 🫠

Gemini 2.0 Flash is awesome, and the API tokens are 1/10th of the price compared to OpenAI with a lot larger context! Although, it’s still failing the strawberry test 😂

Taking a break from creating podcast episodes using AI voices to host another episode of our DFIR Discussions 😄 We had a great chat analyzing the latest report, check out the episode 👇

Our latest report led to a fresh Sigma rule contribution to the SigmaHQ repo – straight from our private Sigma rule repository! 🔍 Built from our private intrusion cases ⚡ Actionable, high-fidelity detection Rule: github.com/SigmaHQ/sigm... Services: thedfirreport.com/services/

This is just unreal from an information security perspective 😱 Imagine the consequences of unauthorized access by incompetent graduates who Musk appointed to review. I can’t comprehend how you Americans can allow someone like that to interfere with your nation as if it were his personal business.

🚀 EDR-Telemetry Update! Quality-of-life improvements for better usability & transparency. Plus, Cylance EDR is now in the Windows Telemetry comparison! 🔗 Click & copy sections for easy nav ⚠️ Clearer disclaimers on ineligible products ✅ Added Cylance EDR! 🔍 www.edr-telemetry.com

I tried running the deepseek 70B model and my M2 Mac started crying 😂 😂 😭

New research from Unit42 with some interesting TTPs: - Data exfil and data recon from SQL DBs - PlugX doing PlugX things with the usual side loading techniques - Defense evasion mixed with loud exec TTPs—plenty of detection opportunities! Great report:

Sam Altman: “When I scrape all the data without asking questions is fine. When others do it to OpenAI, it’s a crime.” 🤮🤮 And why tf are we still calling it OpenAI when it’s been a long time since it was open sourced? They should change the name to something like ClosedAI or something.

I have started a bsky list to compile all reputable journalism outlets. So far, I just have @404media.co in the list. What other sources do you suggest I include?

#LOLBAS project update: Entries now have placeholders for paths, URLs, and more. This makes it easier to visually see what parts are "variable", and for LOLBAS API users (lolbas-project.github.io/api/) it'll be easier to use with automation. Check it out: ⭐ lolbas-project.github.io

I found out that, by default, only people you follow can message you. I've changed it to "everyone", DMs are open! I hope I don't get as many bots messaging me as I did on Twitter tho 🫣