Author | Lightnews

THIS WEBSITE HAS BEEN SEIZED

Discover domains tied to sinkhole NS servers at sinkholed.github.io

Filter by TLD or NS, export in JSON/CSV, weekly update!

Search for the known sinkhole Name Servers in DNS query logs and web access to the sinkholed domains to identify potentially compromised hosts!

sinkholed.github.io

1 5 11

mthcht @mthcht.bsky.social · Mar 4

😯 I have 652022 sinkholed domains extracted here github.com/mthcht/aweso...

mthcht @mthcht.bsky.social · Feb 17

In case you don't want to do this yourself, I just discovered that you can request access to a complete list of all existing domains across 1131 TLDs on czds.icann.org for free, including NS records! The lists are updated every month, approval is required for each TLD 🌍

mthcht @mthcht.bsky.social · Feb 9

I have a list of NS used for sinkhole domains and seized servers: raw.githubusercontent.com/mthcht/awesome…
I'm searching for the domains, on my server I can resolve a record type for ~400 million domains per day with github.com/blechschmidt/m�� 😃 Massive improvement compared to other solutions!

1 1

mthcht @mthcht.bsky.social · Mar 2

🎭 #ThreatHunting February updates 🎭
🐙 release: github.com/mthcht/Threa...
🌐 Site: mthcht.github.io/ThreatHuntin...
🧬 yara: github.com/mthcht/Threa...
🐾 Specific artifact lists: github.com/mthcht/aweso...

2 4

mthcht @mthcht.bsky.social · Feb 27

Of course! PRs are welcome 🙏

1

Reposted by mthcht

Mr. Bitterness @wdormann.infosec.exchange.ap.brid.gy · Feb 25

From over at the Bad Place:
There's an interesting NTFS symlink attack outlined here:
https://dfir.ru/2025/02/23/symlink-attacks-without-code-execution/

Basically, if an NTFS filesystem is corrupted in a way to provide duplicate file names, Windows will […]

[Original post on infosec.exchange]

$Powershell: after 5 "type .\5\test.txt" calls, the test.txt file is a symlink to win.ini CMD: A single "type .\6\test.txt" call results in every single file being printed, including the final win.ini symlink$

1 13 17

Reposted by mthcht

Kostas @kostastsale.bsky.social · Feb 24

It took just 3 hours:

RCE → Metasploit C2 → Anydesk for remote GUI-access → LockBit ransomware

Interestingly, we observed the threat actor using PDQ Deploy, a patch management tool.

Read the report here:

Confluence Exploit Leads to LockBit Ransomware

Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…

thedfirreport.com

1 3 9

mthcht @mthcht.bsky.social · Feb 20

A bookmark of my lists is now automatically generated after each update in my repo github.com/mthcht/aweso...
I'm also looking to automatically add my starred repos lists github.com/mthcht?tab=s... in this bookmark but there doesn’t seem to be a API endpoint for the stars lists 🤔 ?

mthcht @mthcht.bsky.social · Nov 10

📑 Detection Lists 📑

github.com/mthcht/awesome…#ThreatHuntingn#DFIRI#SOCOC

7

mthcht @mthcht.bsky.social · Feb 19

It's growing! Now at 38 services and 82 projects 🙈 What's your favorite LoLC2?

1 2

Reposted by mthcht

BertJanCyber @bertjancyber.bsky.social · Feb 17

Pushed a #KQL for: Successful device code sign-in from an unmanaged device.

Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"

🏹Query: github.com/Bert-JanP/Hu...

2 3 5

mthcht @mthcht.bsky.social · Feb 17

In case you don't want to do this yourself, I just discovered that you can request access to a complete list of all existing domains across 1131 TLDs on czds.icann.org for free, including NS records! The lists are updated every month, approval is required for each TLD 🌍

mthcht @mthcht.bsky.social · Feb 9

I have a list of NS used for sinkhole domains and seized servers: raw.githubusercontent.com/mthcht/awesome…
I'm searching for the domains, on my server I can resolve a record type for ~400 million domains per day with github.com/blechschmidt/m�� 😃 Massive improvement compared to other solutions!

1 3

Reposted by mthcht

Nasreddine Bencherchali @nasbench.bsky.social · Feb 15

Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time www.splunk.com/en_us/blog/s....

Thrilled to share my first blog at @splunk! @mhaggis.bsky.social and I take a deep dive into the weird & exciting world of SDDL and ACEs - what they are, how they work, and how attackers can abuse them.

Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time | Splunk

Explore SDDL in Windows security with our comprehensive guide to help enhance your defensive strategy against privilege escalation attacks.

www.splunk.com

5 12

mthcht @mthcht.bsky.social · Feb 13

Path masquerading zerosalarium.com/2025/01/path...

Interesting technique, if you're hunting for this, you can directly search the unicode characters in Splunk 🥷

2

mthcht @mthcht.bsky.social · Feb 12

Most SOCs handle hundreds to thousands of detection rules in their SIEM. Proper categorization is essential when creating a new detection, as it helps define criticality, urgency, implementation effort, and verbosity level. Keeping things structured will reducing alert fatigue!

1 5

mthcht @mthcht.bsky.social · Feb 11

I'll keep this updated, let me know if you have any projects to add! some C2 candidates: github.com/lolc2/lolc2....

Catalin Cimpanu @campuscodi.risky.biz · Feb 11

DFIR specialist Mthcht has released LOLC2, a collection of C2 frameworks that leverage legitimate services to evade detection

lolc2.github.io

1 3

Reposted by mthcht

Squiblydoo @squiblydoo.bsky.social · Feb 10

Cert Central .org is live!
We track and report abused code-signing certs.

By submitting to the website, you contribute to the DB of >800 certs—a DB you can access and view.

Want to get more involved? Check out the Training and Research pages to learn more. 1/2

1 7 14

mthcht @mthcht.bsky.social · Feb 9

Hexadecimal IP Detection:

Identifiy hexadecimal IP addresses format in command lines with a "simple" regex (some default behaviors to exclude)

1

mthcht @mthcht.bsky.social · Feb 9

Special Caracters anomaly Detection:

This query Extracts common special caracters from the process command line, counts occurrences, calculates ratio, and return commands with more than 20% specials caracters in it, could catch the quote insertions and url transformers techniques

1 2

mthcht @mthcht.bsky.social · Feb 9

#ThreatHunting ideas for detecting command-line obfuscation techniques from github.com/wietze/Invok... with Splunk!
(examples with EID 4688)

Mixed Case Randomization Detection:

This query counts uppercase/lowercase letters and return command lines with a near-equal ratio

1 1 5

mthcht @mthcht.bsky.social · Feb 9

github.com/blechschmidt...

GitHub - blechschmidt/massdns: A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) - blechschmidt/massdns

github.com

1

mthcht @mthcht.bsky.social · Feb 9

I have a list of NS used for sinkhole domains and seized servers: raw.githubusercontent.com/mthcht/awesome…
I'm searching for the domains, on my server I can resolve a record type for ~400 million domains per day with github.com/blechschmidt/m�� 😃 Massive improvement compared to other solutions!

1 1 1