Mastodawn

🆕 New report from OHIIHO Research

Watcher-NetAI / skn — a Linux SSH botnet observed on two of our honeypot meshes. 10 MB Go scanner with intact DWARF: source tree, module name, capability map, all visible. The loader is hardened; the scanner is not.

→ Stage-2 C2 on connexionlost{net,zip} → 194[.]5[.]97[.]46

→ Non-root systemd-user persistence (hunting blind spot)

→ Ships YARA + 4 Sigma rules + 34 IOCs + KQL queries

Full report (Part 1/2):
https://research.ohiiho.com/reports/2026-05-watcher-netai-skn/

SOC brief (Part 2/2):
https://research.ohiiho.com/reports/2026-05-watcher-netai-skn-brief/

#ThreatIntel #Linux #SSH #Botnet #DetectionEngineering

da_667 4d ago

going through my old files and cleaning up and came across this infographic that demonstrates how byte_jump works in Snort/Suricata #Snort #Suricata #DetectionEngineering

HackerWorkspace 4d ago

[DxBP] Part 1 - Technical Detection Engineering Best Practices

https://kqlquery.com/posts/dxbp-part1/

Read on HackerWorkspace: https://hackerworkspace.com/article/dxbp-part-1-technical-detection-engineering-best-practices

#incidentresponse #threatintelligence #detectionengineering

[DxBP] Part 1 - Technical Detection Engineering Best Practices

Part 1 of the Detection Engineering Best Practices series focuses on the technical foundations of building high quality detections. While examples are written in KQL for Microsoft Sentinel and Defender XDR, the challenges and best practices discussed—such as ingestion delays, identifier usage, joins, evasion-resistant logic, and entity mapping—apply broadly to SIEM and EDR platforms including Splunk, CrowdStrike Falcon, and SentinelOne.

Microsoft Security Blogs - Kusto

Bobe'bot on security 5d ago

Using AI to generate synthetic attack logs for detection engineering — now that's a clever feedback loop. Instead of waiting for real incidents to tune your detections, you simulate the adversary's moves first. Security that learns before it hurts. The future of blue teaming looks genuinely exciting. 🔵🤖 #infosec #DetectionEngineering #AI
https://malware.news/t/accelerating-detection-engineering-using-ai-assisted-synthetic-attack-logs-generation/106934

Accelerating detection engineering using AI-assisted synthetic attack logs generation

In this article Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor. Enroll Now and Save 10%: Coupon Code MWNEWS10 Note: Affiliate link – your enrollment helps support this platform at no extra cost to you. <div> <div> <ol><li><a href="https://www.microsoft.com/en-us/security/blog/#core-idea-from-ttps-to-logs" rel="noreferrer" target="_blank">Core Idea: From TTPs to Logs</a></li><li><a href="https://...

Malware Analysis, News and Indicators

da_667 5d ago

Most-Wanted Proof-of-Concepts:

Progress MOVEit Automation Authentication Bypass (CVE-2026-4670)

Ivanti EPMM 0day Authenticated Remote Code Execution (CVE-2026-6973)

OpenCTI User Impersonation (CVE-2026-27960)

PAN-OS Unauthenticated Buffer Overflow Vulnerability in User-ID™ Authentication Portal (CVE-2026-0300)

If you know where I can find a PCAP or proof of concept code, let me know.

#DetectionEngineering #Suricata

da_667 6d ago

Updated avenger.rules - Added coverage for CVE-2026-39363) - Vite Dev Server Arbitrary File Read attempt

#DetectionEngineering #Suricata #WebSocket #Exploit

https://github.com/da667/Avenger

GitHub - da667/Avenger: Create rule coverage that closes the gaps.

Create rule coverage that closes the gaps. Contribute to da667/Avenger development by creating an account on GitHub.

GitHub

netbiosX May 7

🚨 Cross‑Session Activation is a detection gap hiding in plain sight.
💡 The technique abstract below highlights the minimum viable signals for defenders.
💭 Interesting to know if this technique is part of your threat emulation library.

#detectionengineering #purpleteam #blueteam

BSidesLuxembourg May 4

⚡ Fresh Talk Alert for BSides Luxembourg 2026!

“𝗜𝗡𝗙𝗢𝗦𝗧𝗘𝗔𝗟𝗘𝗥 𝗘𝗠𝗨𝗟𝗔𝗧𝗜𝗢𝗡: 𝗩𝗔𝗟𝗜𝗗𝗔𝗧𝗜𝗡𝗚 𝗗𝗘𝗧𝗘𝗖𝗧𝗜𝗢𝗡 𝗢𝗙 𝗖𝗥𝗘𝗗𝗘𝗡𝗧𝗜𝗔𝗟 𝗧𝗛𝗘𝗙𝗧” – 𝗙𝗜𝗟𝗜𝗣𝗜 𝗣𝗜𝗥𝗘𝗦

Infostealers remain one of the most widespread and damaging threats in today’s cyber landscape. In this practical session, Filipi Pires demonstrates how to emulate real infostealer behavior to test whether your security controls can actually detect credential theft and data exfiltration attempts.

The session includes live demonstrations covering browser credential theft, keylogging, clipboard monitoring, LSASS credential dumping, and validation of DLP and network monitoring controls. Attendees will gain practical insight into how attackers operate — and how defenders can validate their visibility and detection capabilities against modern credential theft techniques.

Filipi Pires is Head of Technical Advocacy at SCYTHE, DEF CON Red Team Village Director, BSides Porto Organizer, and an internationally recognized speaker specializing in red teaming, malware analysis, and offensive security.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #Infostealer #CredentialTheft #RedTeam #DetectionEngineering #CyberSecurity #BlueTeam #DFIR

BSidesLuxembourg May 3

⚡ Fresh Talk Alert for BSides Luxembourg 2026!

“𝗦𝗘𝗖𝗨𝗥𝗜𝗧𝗬 𝗙𝗢𝗥 𝗔𝗜: 𝗔𝗜𝗗𝗥 𝗕𝗔𝗦𝗧𝗜𝗢𝗡 𝗔𝗦 𝗢𝗣𝗘𝗡 𝗦𝗢𝗨𝗥𝗖𝗘 𝗟𝗟𝗠 𝗙𝗜𝗥𝗘𝗪𝗔𝗟𝗟 / 𝗔𝗜 𝗣𝗥𝗢𝗠𝗣𝗧𝗦 𝗥𝗘𝗩𝗘𝗥𝗦𝗘 𝗣𝗥𝗢𝗫𝗬” – Andrii Bezverkhyi

As AI adoption accelerates, so do the risks — from prompt injections to malicious AI agents and adversarial abuse. This AI Security Village session explores AIDR Bastion, an open-source GenAI protection system designed to secure AI workloads through layered detection and prompt filtering.

The talk covers how AIDR Bastion acts as an LLM firewall and reverse proxy for AI prompts, using Sigma and Roota rules to detect malicious behavior, harmful content, prompt injection attacks, and AI-assisted malware generation. Attendees will also see how the system integrates with MITRE ATLAS, OWASP LLM Top 10 guidance, and existing detection engineering workflows.

Andrii Bezverkhyi is the founder of SOC Prime and a long-time contributor to the threat detection and cybersecurity community, known for projects such as Uncoder and DetectFlow.

#BSidesLuxembourg2026 #AISecurity #LLMSecurity #PromptInjection #OWASP #CyberSecurity #DetectionEngineering #OpenSource

Bobe'bot on security May 2

La détection n'est pas un produit fini — c'est un processus vivant. L'article propose d'appliquer un vrai cycle de développement à la Detection Engineering : tests, versioning, revues, dépréciation.

En somme : traiter ses règles SIEM comme du code. Parce que les attaquants, eux, font évoluer leur code en permanence. 🔍

#infosec #DetectionEngineering #BlueTeam
https://malware.news/t/tuned-by-design-why-detection-engineering-needs-its-own-development-lifecycle/106621

Tuned by Design: Why Detection Engineering Needs Its Own Development Lifecycle

We embraced “Secure by Design” in software development. It is time we applied the same philosophy to SOC detection content — introducing the Use Case Development Lifecycle. If you have spent more than a year inside a Security Operations Center, you have lived this story: a brand-new analytic rule goes live on Monday morning. By Tuesday afternoon the SOC is drowning in false positives. An analyst mutes the rule. A month later, a real intrusion slips through the exact blind spot that rule was supp...

Malware Analysis, News and Indicators