DEATHCon CFP open until June. Great conference with great content.
New Article: Lateral Movement via Microsoft Speech
Microsoft Speech Platform is built into Windows environments to enable speech recognition, voice input, text-to-speech & speech features in Windows, Edge & Office.
Deep-dive playbook on how Microsoft Speech can be abused for lateral movement and how defenders can perform detection.
• 1x Playbook
• Detection Opportunities
• 1x MDE Query
Detection - Event IDs
✔️ 4657 & 4663 - {655D9BF9-3876-43D0-B6E8-C83C1224154C}
✔️ 4688 - SpeechRuntime.exe
✔️ 7040 & 7036 - RemoteRegistry Service
https://ipurple.team/2026/04/07/microsoft-speech/ #purpleteam #blueteam #detectionengineering
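The event IDs listed in the post only become a useful signal when they are correlated per host: a SpeechRuntime.exe start on its own is normal, but a RemoteRegistry state change followed by a write to that Speech registry key and a runtime launch on the same machine within a short window is worth an alert. The following correlation logic is an added example, not code from the ipurple.team playbook or the MDE query it ships; the 15-minute window, the log format and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Artefacts from the post's event list: the Speech registry key GUID, the
# runtime binary, and the RemoteRegistry service whose state change precedes remote writes.
SPEECH_KEY_GUID = "{655D9BF9-3876-43D0-B6E8-C83C1224154C}"
STAGES = {
    "remote_registry": ({7040, 7036}, "RemoteRegistry"),
    "speech_key_write": ({4657, 4663}, SPEECH_KEY_GUID),
    "speech_runtime": ({4688}, "SpeechRuntime.exe"),
}
WINDOW = timedelta(minutes=15)  # assumed correlation window, not from the article

# Constructed sample events, "timestamp|host|event_id|detail" (not real telemetry).
SAMPLE_EVENTS = """\
2026-04-07T10:00:02|WS01|7040|The start type of the Remote Registry service was changed to demand start
2026-04-07T10:00:05|WS01|7036|The Remote Registry service entered the running state
2026-04-07T10:00:31|WS01|4657|A registry value was modified: HKLM\\...\\{655D9BF9-3876-43D0-B6E8-C83C1224154C}
2026-04-07T10:01:10|WS01|4688|A new process has been created: SpeechRuntime.exe
2026-04-07T11:30:00|WS02|4688|A new process has been created: SpeechRuntime.exe
"""

def classify(event_id: int, detail: str):
    """Map one event to a stage name, or None if it is irrelevant."""
    text = detail.lower().replace(" ", "")  # "Remote Registry" and "RemoteRegistry" both match
    for stage, (ids, needle) in STAGES.items():
        if event_id in ids and needle.lower().replace(" ", "") in text:
            return stage
    return None

def correlate(lines, window=WINDOW):
    """Alert per host once all three stages are seen within `window`.
    A lone SpeechRuntime.exe start (normal on a workstation) never alerts by itself."""
    per_host = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, host, eid, detail = line.split("|", 3)
        stage = classify(int(eid), detail)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = []
    for host, events in sorted(per_host.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - start <= window}
            if seen == set(STAGES):
                alerts.append({"host": host, "first_seen": start.isoformat(), "stages": sorted(seen)})
                break
    return alerts
```

Running `correlate(SAMPLE_EVENTS.splitlines())` raises one alert for WS01 and none for WS02, whose only event is the benign runtime start.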
BSides Luxembourg talk announcement!
NOT SO HARMLESS: THE HIDDEN WORLD OF LINUX PACKERS AND DETECTION CHALLENGES - MASSIMO BERTOCCHI
Linux packers and loaders are a sneaky blind spot in cybersecurity. They hide code with encryption and obfuscation, then run it straight from memory to dodge detection. This talk dives into the "hARMless" ARM64 packer, showing off tricks like layered encryption and direct syscalls, while exposing a harsh truth: many defenses on Linux barely see it coming.
Massimo Bertocchi https://pretalx.com/bsidesluxembourg-2026/speaker/SU38N8/ Massimo Bertocchi is a Zürich-based Threat Hunter and Detection Engineer with dual Master's degrees from KTH Royal Institute of Technology and Aalto University, recognized for his award-winning research uncovering covert C2 channels in Microsoft Teams that enable high-speed data exfiltration and expose critical gaps in enterprise security monitoring.
Conference dates: 6–8 May 2026 | 09:00–18:00
14, Porte de France, Esch-sur-Alzette, Luxembourg
Tickets: https://2026.bsides.lu/tickets/
Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/
#BSidesLuxembourg2026 #CyberSecurity #ThreatHunting #MalwareAnalysis #CloudSecurity #DetectionEngineering
Has anyone been able to successfully replicate copying and pasting ClickFix/TerminalFix/*Fix commands into macOS Terminal to trigger this new-fangled malware warning? I have attempted numerous commands, from base64-encoded content to osascripts mimicking macOS infostealer prompts to cURL commands downloading remote content. I even replicated the command documented in the Tom's Guide article using the same tool in the same browser and it ran flawlessly in Terminal with no popup. And yes, I'm running Tahoe 26.4 on an M3. I'd like to think this would be a useful "stop-and-think" mitigation but I can't even consistently trigger it. And, per usual, Apple is tight-lipped on HOW they are detecting malicious commands so it's likely to remain a black box mitigation. And yeah, I get it, the end user can just click right through the warning via a sneaky social engineering prompt. My goal was to try and build out detection logic to ID when a user gets hit with a prompt so I can at least investigate what the user tried to do and dig deeper into the threat. Since theoretically the user won't run the command, it won't get logged in SIEM/EDR tools. I need to rely on other mechanisms for detecting the paste event.
#macos #clickfix #terminalfix #threatintel #pastejacking #detectionengineering #threathunting
New Article Drop: Weaponizing Windows Toast Notifications for Social Engineering
Windows Toast Notifications are everywhere: policy updates, VPN reminders, password expiry alerts. Because these are legitimate applications that users trust, they can become a high-impact social-engineering surface.
I just published a deep-dive playbook on how Toast Notifications can be abused for credential harvesting, lateral movement, user manipulation etc. and how defenders can perform detection.
• 1x Playbook
• Detection Opportunities
• 1x MDE Query
• 1x SIGMA Rule
Detection - Event IDs
✔️ 7 & 13 (Sysmon)
✔️ DLL Monitoring: wpnapps.dll & msxml6.dll from unexpected processes
https://ipurple.team/2026/03/25/toast-notifications/
#purpleteam #detectionengineering #blueteam #threathunting
@vickyjo @verovaleros Hi @verovaleros, are you a #detectionengineering specialist operating at the cutting edge of what's possible here today?
Or doing something with Agentic SOC?
If yes, then we're trying to build panels on these topics at BSidesLuxembourg.
#BSidesLuxembourg2026
#DetectionengineeringVillage
#AgenticSOCvillage
Microsoft warned about OAuth redirect abuse on March 2, 2026. This isn't credential theft or classic token theft by itself. It weaponizes Entra ID error handling.
An attacker registers an OAuth app with a malicious redirect URI, sends a crafted login.microsoftonline.com link designed to fail, and Entra ID's 302 redirect lands the victim on a phishing page or malware dropper. The sign-in fails and the attacker still wins.
I built a detection and hardening kit you can deploy to an existing Sentinel workspace:
• 4 analytics rules: consent after risky sign-in, suspicious redirect URIs, OAuth error clustering, bulk consent
• 5 hunting queries: permissions baseline, non-corporate IP auth, high-privilege apps, URI inventory, token replay
• 1 workbook: OAuth Security Dashboard
• Entra hardening: verified-publisher consent restriction, MFA policy for risky OAuth sign-ins
• OAuth app audit: flags suspicious redirect URIs and overprivileged permissions across app registrations
Blog post: https://nineliveszerotrust.com/blog/oauth-redirect-abuse-sentinel/
Companion lab on GitHub: https://github.com/j-dahl7/oauth-redirect-abuse-sentinel
#MicrosoftSentinel #EntraID #DetectionEngineering #OAuth #IdentitySecurity #BlueTeam

Microsoft warned about OAuth redirect abuse enabling phishing and malware delivery. Build Sentinel analytics rules, hunting queries, a security workbook, and Entra ID hardening policies to detect and prevent this technique in your tenant.
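The post describes the crafted link as an authorize request whose registered redirect_uri points somewhere the tenant does not control, with the 302 delivering the victim even though the sign-in fails. A link-triage check for that pattern, written as an added example rather than code from the blog post or the GitHub lab: it parses a login.microsoftonline.com authorize URL and flags a client_id outside the tenant's sanctioned app registrations, a redirect_uri host outside the tenant's allow-list, a non-https scheme, or a bare IP. The client IDs, hosts and sample links are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs
import ipaddress

# Assumed tenant inventory (constructed placeholders, not real values): client IDs of
# sanctioned app registrations and the redirect URI hosts they are registered with.
SANCTIONED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}
ALLOWED_REDIRECT_HOSTS = {"app.contoso.example", "portal.contoso.example"}
AUTHORIZE_HOST = "login.microsoftonline.com"

def inspect_authorize_link(url: str) -> dict:
    """Inspect an Entra ID authorize link and list reasons it looks like redirect abuse.
    Both successful and failed authorization responses are sent to the app's registered
    redirect_uri, so an unrecognised redirect target matters even if the sign-in fails."""
    u = urlparse(url)
    if u.hostname != AUTHORIZE_HOST or not u.path.endswith("/authorize"):
        return {"is_authorize_link": False, "findings": []}
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    client_id = params.get("client_id", "")
    redirect = params.get("redirect_uri")
    findings = []
    if client_id not in SANCTIONED_CLIENT_IDS:
        findings.append(f"client_id not a sanctioned app registration: {client_id or 'missing'}")
    if redirect is None:
        findings.append("redirect_uri parameter missing")
    else:
        r = urlparse(redirect)
        host = (r.hostname or "").lower()
        if r.scheme != "https":
            findings.append(f"redirect_uri scheme is not https: {r.scheme or 'none'}")
        if host not in ALLOWED_REDIRECT_HOSTS:
            findings.append(f"redirect_uri host not in tenant allow-list: {host or 'none'}")
        try:
            ipaddress.ip_address(host)
            findings.append("redirect_uri host is a bare IP address")
        except ValueError:
            pass
    return {"is_authorize_link": True, "client_id": client_id,
            "redirect_uri": redirect, "findings": findings}

# Constructed sample links for a triage run (placeholder client IDs and hosts).
SUSPICIOUS_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                   "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
                   "&redirect_uri=https%3A%2F%2Funknown-host.example%2Fcb&scope=openid")
BENIGN_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
               "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fsignin&scope=openid")
```

The allow-lists would in practice be exported from the tenant's app registrations; the check is meant for mail or proxy triage, not as a replacement for the consent and sign-in analytics the post describes.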
CVE-2026-21902 represents a high-impact infrastructure exposure.
Affected platform: Junos OS Evolved on PTX series routers.
Attack vector: Unauthenticated network access.
Privilege level: Root execution.
Service: On-Box Anomaly Detection, enabled by default.
Strategic risk:
• Traffic interception capability
• Policy manipulation
• Controller redirection
• Lateral pivoting
• Long-term foothold persistence
Although no exploitation has been observed, historically, high-performance routing infrastructure is a prime target due to its control-plane visibility and network centrality.
Recommended actions:
✔ Immediate patch validation
✔ Control-plane traffic monitoring
✔ Service exposure review
✔ Network segmentation validation
✔ Threat hunting for anomalous routing behavior
Are infrastructure devices integrated into your continuous detection engineering pipeline?
Source: https://www.securityweek.com/juniper-networks-ptx-routers-affected-by-critical-vulnerability/
Engage below.
Follow TechNadu for high-signal vulnerability intelligence.
Repost to strengthen security awareness.
#Infosec #CVE2026 #Juniper #RouterSecurity #CriticalInfrastructure #ThreatModeling #DetectionEngineering #NetworkDefense #ZeroTrustArchitecture #CyberRisk #SecurityOperations #VulnerabilityManagement
APT37's Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.
Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.
The removable media relay model enables:
✔ Command staging offline
✔ Data exfiltration without internet access
✔ Lateral spread across isolated systems
✔ Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection, including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.
Are critical infrastructure operators prepared for USB-mediated C2 relays?
Engage below.
Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.
#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture
Identity compromise continues to dominate intrusion chains.
From the Sophos Active Adversary Report 2026:
• 67% of initial access attributed to identity abuse
• 3.4-hour median to Active Directory pivot
• 3-day median dwell time
• 88% ransomware deployment off-hours
• 79% data exfiltration off-hours
Directory services remain high-value assets: authentication, authorization, policy control, privilege mapping.
The compressed timeline from credential misuse to directory-level access underscores the need for:
✔ Continuous identity monitoring
✔ Behavioral analytics
✔ After-hours SOC coverage
✔ Conditional access enforcement
✔ Least-privilege architecture
Generative AI is functioning as a force multiplier, improving phishing quality and campaign scale, but is not yet delivering autonomous attack chains.
Is identity governance keeping pace with adversary dwell time compression?
Engage below.
Follow TechNadu for high-signal infosec analysis.
Repost to strengthen industry awareness.
#Infosec #IdentityThreats #RansomwareDefense #ActiveDirectorySecurity #ThreatModeling #GenAI #SecurityOperations #CyberRisk #ZeroTrustArchitecture #DetectionEngineering #EnterpriseSecurity #ThreatHunting