Malum
@pertinaxmalum.bsky.social
Senior SOC engineer. Former intel. Interested in cloud, PowerShell, detection engineering and threat hunting. Owner of the Black Hat Labs.
Reposted by Malum
I made a Fjällräven backpack from an IKEA bag! And you know I don't gatekeep-- the pattern is FREE and the most glorious sewing instructions I've ever created. You can use regular canvas, too. #ikea #Fjällräven

beckystern.com/2025/05/25/s...
August 17, 2025 at 2:40 PM
Reposted by Malum
The only thing ChatGPT ever does.
August 14, 2025 at 7:35 PM
Reposted by Malum
This is a particularly gnarly backdoor: www.nextron-systems....
August 4, 2025 at 4:10 PM
Reposted by Malum
Slides from my "Using PowerShell to Explore Windows" workshop at @steelcon.info 2025
files.speakerdeck.com/presentation...
files.speakerdeck.com
July 14, 2025 at 3:21 PM
Reposted by Malum
I'm so excited to announce that Datadog Security Research is launching a FREE, fully-online, Detection Engineering focused conference called Datadog Detect!

bit.ly/datadog-detect

Our lineup is incredible with experts in the field of detection, response and threat intelligence.
Datadog Detect: Scale your Security Operations with Detection Engineering | Datadog
bit.ly
May 10, 2025 at 6:14 PM
Reposted by Malum
1/
Absolutely love this resource 💙
Just came across this gem from JPCERT
👉 jpcertcc.github.io/ToolAnalysis...

It maps forensic artifacts left behind by tools used for lateral movement or credential dumping. Super detailed.
Tool Analysis Result Sheet
jpcertcc.github.io
May 13, 2025 at 6:00 PM
Reposted by Malum
LLMs hallucinating nonexistent software packages with plausible names leads to a new malware vulnerability: "slopsquatting."
LLMs can't stop making up software dependencies and sabotaging everything: Hallucinated package names fuel 'slopsquatting'
www.theregister.com
April 12, 2025 at 10:31 PM
Reposted by Malum
To check for existing bypass configurations, try:

Connect-ExchangeOnline
# List every mailbox whose actions are excluded from mailbox auditing
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }

To alert, try:

// Defender XDR advanced hunting: fire whenever the bypass cmdlet is run
CloudAppEvents
| where ActionType == @"Set-MailboxAuditBypassAssociation"
April 8, 2025 at 5:24 AM
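The post above gives the one-off check and the alert; what a SOC usually wants next is a triage step that says who enabled each bypass and when. The script below is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module for the live path (Get-MailboxAuditBypassAssociation and Search-UnifiedAuditLog), and it assumes the audit record's ObjectId ends with the association's Name, which is a best-effort match because the canonical-name prefix varies by tenant. The sample associations and audit records at the bottom are constructed so the function runs without a tenant.

```powershell
# Added example, not from the original post. Live path needs the ExchangeOnlineManagement
# module and an Exchange admin role; the sample objects at the bottom are constructed.

function Get-AuditBypassFindings {
    <#
      Correlates mailboxes with AuditBypassEnabled = $true against unified audit log
      records for Set-MailboxAuditBypassAssociation, so each finding says who enabled
      the bypass and when (if the record is still within audit log retention).
    #>
    param(
        [Parameter(Mandatory)] [object[]] $BypassAssociations,   # Get-MailboxAuditBypassAssociation output
        [object[]] $AuditRecords = @()                           # Search-UnifiedAuditLog output (optional)
    )

    # AuditData is a JSON string; parse it once and keep only records that turned the bypass ON.
    $enableEvents = foreach ($rec in $AuditRecords) {
        if ($rec.Operations -ne 'Set-MailboxAuditBypassAssociation') { continue }
        $detail = $rec.AuditData | ConvertFrom-Json
        $flag = $detail.Parameters | Where-Object { $_.Name -eq 'AuditBypassEnabled' }
        if ($flag -and $flag.Value -eq 'True') {
            [pscustomobject]@{
                ObjectId = $detail.ObjectId
                Actor    = $rec.UserIds
                When     = $rec.CreationDate
            }
        }
    }

    foreach ($assoc in ($BypassAssociations | Where-Object { $_.AuditBypassEnabled -eq $true })) {
        # Assumption: the record's ObjectId ends with the association's Name. The exact
        # canonical-name prefix differs per tenant, so match on the suffix only.
        $last = $enableEvents |
            Where-Object { $_.ObjectId -like "*$($assoc.Name)" } |
            Sort-Object When -Descending |
            Select-Object -First 1

        $enabledBy = 'unknown (no audit record in window)'
        $enabledAt = $null
        if ($last) { $enabledBy = $last.Actor; $enabledAt = $last.When }

        [pscustomobject]@{
            Mailbox            = $assoc.Name
            AuditBypassEnabled = $true
            EnabledBy          = $enabledBy
            EnabledAt          = $enabledAt
        }
    }
}

# Live collection:
#   Connect-ExchangeOnline
#   $assoc = Get-MailboxAuditBypassAssociation -ResultSize Unlimited
#   $recs  = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#              -Operations Set-MailboxAuditBypassAssociation -ResultSize 5000
#   Get-AuditBypassFindings -BypassAssociations $assoc -AuditRecords $recs

# Constructed sample input so the function can be exercised offline.
$sampleAssociations = @(
    [pscustomobject]@{ Name = 'svc-backup'; Identity = 'contoso.onmicrosoft.com/svc-backup'; AuditBypassEnabled = $true }
    [pscustomobject]@{ Name = 'alice';      Identity = 'contoso.onmicrosoft.com/alice';      AuditBypassEnabled = $false }
)
$sampleRecords = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2025-04-07T22:10:00Z'
        UserIds      = 'helpdesk-admin@contoso.com'
        Operations   = 'Set-MailboxAuditBypassAssociation'
        AuditData    = '{"ObjectId":"contoso.onmicrosoft.com/svc-backup","Parameters":[{"Name":"Identity","Value":"svc-backup"},{"Name":"AuditBypassEnabled","Value":"True"}]}'
    }
)

Get-AuditBypassFindings -BypassAssociations $sampleAssociations -AuditRecords $sampleRecords | Format-Table -AutoSize
```

Bypass associations are a legitimate setting for noisy service accounts, so compare the output against a documented allowlist rather than treating every row as an incident. The KQL in the post catches the change as it happens in Defender's CloudAppEvents; the unified audit log query above gives the historical view for bypasses that were enabled before the alert existed, limited by the tenant's audit retention.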
Reposted by Malum
A critical infra supplier in Massachusetts got a genuine call from the FBI warning of a Volt Typhoon intrusion. A manager said "Go f-yourself" after the agent tried to get him to click a link in an email. Great story by @jessicalyons.bsky.social. #infosec www.theregister.com/2025/03/12/v...
This is the FBI. China's Volt Typhoon is on your network: Power utility GM talks to El Reg about getting that call and what happened next
www.theregister.com
March 13, 2025 at 6:56 AM
Reposted by Malum
Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access.

www.microsoft.com/en-us/securi...
Silk Typhoon targeting IT supply chain | Microsoft Security Blog
Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world. In recent months, Silk Typhoon has shifted to performing I...
www.microsoft.com
March 5, 2025 at 12:28 PM
Reposted by Malum
Recorded Future's malicious infrastructure report is out

www.recordedfuture.com/research/202...
March 2, 2025 at 1:38 AM
Reposted by Malum
About 2 weeks after I wrote a blog post and warned about device code usage. agderinthe.cloud/2025/01/31/i...
February 17, 2025 at 7:37 AM
Reposted by Malum
IT Admins, have you already enabled the CA policy to limit device code in your organization? If you were waiting for a reason to prioritize doing it, this might help.

www.microsoft.com/en-us/securi...

#security #microsoft #entra #identity
Storm-2372 conducts device code phishing campaign | Microsoft Security Blog
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign ...
www.microsoft.com
February 14, 2025 at 3:05 AM
Reposted by Malum
Forgive your Entra ID admins, for they know not what they do. In most orgs, IAM is not owned by security. Therefore, security must inform IAM.

You MUST defend against modern cloud phishing techniques for INITIAL ACCESS. Here are 4 of the top vectors when MFA is enforced:
February 10, 2025 at 12:51 PM
Reposted by Malum
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
posts.specterops.io
January 15, 2025 at 5:33 PM
Reposted by Malum
CISA has formally brought its KEV database to GitHub, allowing easier access to the data without having to scrape the official website every few hours

github.com/cisagov/kev-...

Via Socket: socket.dev/blog/cisa-br...
GitHub - cisagov/kev-data: Mirror of cisa.gov/kev data files
Mirror of cisa.gov/kev data files. Contribute to cisagov/kev-data development by creating an account on GitHub.
github.com
January 30, 2025 at 9:45 AM
Reposted by Malum
🧵 How bad were ransomware attacks against healthcare in 2024? Bad.

As of right now, there were 372 *publicly reported* ransomware attacks against healthcare providers in 2024. Currently down from 2023 (377). BUT there can be a 1-2 month delay in reporting, so the final number will increase.
January 26, 2025 at 10:32 AM
Reposted by Malum
If your company runs Exchange Online and/or Microsoft 365 have a look at CISA's latest publication: Microsoft Expanded Cloud Logs Implementation Playbook.

The report includes KQL, SPL and PowerShell code to perform incident response.

www.cisa.gov/resources-to...
Microsoft Expanded Cloud Logs Implementation Playbook | CISA
www.cisa.gov
January 20, 2025 at 7:07 PM
Reposted by Malum
Using PowerShell with Microsoft Graph – Yet Another Security Blog garybushey.com/2025/...

#MicrosoftSentinel #Cybersecurity #MicrosoftSecurity #Security #DefenderXDR
January 15, 2025 at 4:30 PM
Reposted by Malum
I just finished editing the next episode of the "InfoSec Deep Dive" podcast. It's likely one of the best ones I've ever made!

It'll be on malware analysis. It covers everything you need to know to get started and even some advanced topics!

🔗Follow here so you don't miss it:
InfoSec Deep Dive • A podcast on Spotify for Creators
InfoSec DeepDive simplifies information security, turning complex topics into digestible discussions. Powered by NoteBookLM, episodes are scripted from curated sources and notes to deliver accurate,…
buff.ly
January 17, 2025 at 1:30 AM