🆕 New report from OHIIHO Research

Watcher-NetAI / skn — a Linux SSH botnet observed on two of our honeypot meshes. 10 MB Go scanner with intact DWARF: source tree, module name, capability map, all visible. The loader is hardened; the scanner is not.

→ Stage-2 C2 on connexionlost{net,zip} → 194[.]5[.]97[.]46

→ Non-root systemd-user persistence (hunting blind spot)

→ Ships YARA + 4 Sigma rules + 34 IOCs + KQL queries

Full report (Part 1/2):
https://research.ohiiho.com/reports/2026-05-watcher-netai-skn/

SOC brief (Part 2/2):
https://research.ohiiho.com/reports/2026-05-watcher-netai-skn-brief/

#ThreatIntel #Linux #SSH #Botnet #DetectionEngineering

[DxBP] Part 1 - Technical Detection Engineering Best Practices

https://kqlquery.com/posts/dxbp-part1/

Read on HackerWorkspace: https://hackerworkspace.com/article/dxbp-part-1-technical-detection-engineering-best-practices

#incidentresponse #threatintelligence #detectionengineering

Most-Wanted Proof-of-Concepts:

Progress MOVEit Automation Authentication Bypass (CVE-2026-4670)

Ivanti EPMM 0day Authenticated Remote Code Execution (CVE-2026-6973)

OpenCTI User Impersonation (CVE-2026-27960)

PAN-OS Unauthenticated Buffer Overflow Vulnerability in User-ID™ Authentication Portal (CVE-2026-0300)

If you know where I can find a PCAP or proof of concept code, let me know.

#DetectionEngineering #Suricata

Updated avenger.rules - Added coverage for CVE-2026-39363) - Vite Dev Server Arbitrary File Read attempt

#DetectionEngineering #Suricata #WebSocket #Exploit

https://github.com/da667/Avenger

🚨 Cross‑Session Activation is a detection gap hiding in plain sight.
💡 The technique abstract below highlights the minimum viable signals for defenders.
💭 Interesting to know if this technique is part of your threat emulation library.

#detectionengineering #purpleteam #blueteam

⚡ Fresh Talk Alert for BSides Luxembourg 2026!

“𝗜𝗡𝗙𝗢𝗦𝗧𝗘𝗔𝗟𝗘𝗥 𝗘𝗠𝗨𝗟𝗔𝗧𝗜𝗢𝗡: 𝗩𝗔𝗟𝗜𝗗𝗔𝗧𝗜𝗡𝗚 𝗗𝗘𝗧𝗘𝗖𝗧𝗜𝗢𝗡 𝗢𝗙 𝗖𝗥𝗘𝗗𝗘𝗡𝗧𝗜𝗔𝗟 𝗧𝗛𝗘𝗙𝗧” – 𝗙𝗜𝗟𝗜𝗣𝗜 𝗣𝗜𝗥𝗘𝗦

Infostealers remain one of the most widespread and damaging threats in today’s cyber landscape. In this practical session, Filipi Pires demonstrates how to emulate real infostealer behavior to test whether your security controls can actually detect credential theft and data exfiltration attempts.

The session includes live demonstrations covering browser credential theft, keylogging, clipboard monitoring, LSASS credential dumping, and validation of DLP and network monitoring controls. Attendees will gain practical insight into how attackers operate — and how defenders can validate their visibility and detection capabilities against modern credential theft techniques.

Filipi Pires is Head of Technical Advocacy at SCYTHE, DEF CON Red Team Village Director, BSides Porto Organizer, and an internationally recognized speaker specializing in red teaming, malware analysis, and offensive security.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #Infostealer #CredentialTheft #RedTeam #DetectionEngineering #CyberSecurity #BlueTeam #DFIR

⚡ Fresh Talk Alert for BSides Luxembourg 2026!

“𝗦𝗘𝗖𝗨𝗥𝗜𝗧𝗬 𝗙𝗢𝗥 𝗔𝗜: 𝗔𝗜𝗗𝗥 𝗕𝗔𝗦𝗧𝗜𝗢𝗡 𝗔𝗦 𝗢𝗣𝗘𝗡 𝗦𝗢𝗨𝗥𝗖𝗘 𝗟𝗟𝗠 𝗙𝗜𝗥𝗘𝗪𝗔𝗟𝗟 / 𝗔𝗜 𝗣𝗥𝗢𝗠𝗣𝗧𝗦 𝗥𝗘𝗩𝗘𝗥𝗦𝗘 𝗣𝗥𝗢𝗫𝗬” – Andrii Bezverkhyi

As AI adoption accelerates, so do the risks — from prompt injections to malicious AI agents and adversarial abuse. This AI Security Village session explores AIDR Bastion, an open-source GenAI protection system designed to secure AI workloads through layered detection and prompt filtering.

The talk covers how AIDR Bastion acts as an LLM firewall and reverse proxy for AI prompts, using Sigma and Roota rules to detect malicious behavior, harmful content, prompt injection attacks, and AI-assisted malware generation. Attendees will also see how the system integrates with MITRE ATLAS, OWASP LLM Top 10 guidance, and existing detection engineering workflows.

Andrii Bezverkhyi is the founder of SOC Prime and a long-time contributor to the threat detection and cybersecurity community, known for projects such as Uncoder and DetectFlow.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #AISecurity #LLMSecurity #PromptInjection #OWASP #CyberSecurity #DetectionEngineering #OpenSource

La détection n'est pas un produit fini — c'est un processus vivant. L'article propose d'appliquer un vrai cycle de développement à la Detection Engineering : tests, versioning, revues, dépréciation.

En somme : traiter ses règles SIEM comme du code. Parce que les attaquants, eux, font évoluer leur code en permanence. 🔍

#infosec #DetectionEngineering #BlueTeam
https://malware.news/t/tuned-by-design-why-detection-engineering-needs-its-own-development-lifecycle/106621