DEATHCon CFP open until June. Great conference with great content.

https://deathcon.io/cfp.html

#deathcon #cfp #threathunting #detectionengineering

CFP - DEATHCon 2026 - Detection Engineering and Threat Hunting

DEATHCon - Detection Engineering and Threat Hunting Workshops

📢 New Article: Lateral Movement via Microsoft Speech
🎙️ Microsoft Speech Platform is built into Windows environments to enable speech recognition, voice input, text-to-speech & speech features in Windows, Edge & Office
🦄 Deep-dive playbook on how Microsoft Speech can be abused for lateral movement and how defenders can perform detection.
📖 1x Playbook
💡 Detection Opportunities
🏹 1x MDE Query

Detection - Event IDs
✅ 4657 & 4663 - {655D9BF9-3876-43D0-B6E8-C83C1224154C}
✅ 4688 - SpeechRuntime.exe
✅ 7040 & 7036 - RemoteRegistry Service

✒️ https://ipurple.team/2026/04/07/microsoft-speech/ #purpleteam #blueteam #detectionengineering

Microsoft Speech

SpeechRuntime is a legitimate Windows component that supports Microsoft's speech-related capabilities, including voice input and speech recognition features used across modern Windows experie…

Purple Team
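The post above lists three event groups (RemoteRegistry service 7040/7036, registry 4657/4663 on the Speech CLSID key, 4688 for SpeechRuntime.exe) but not how to tie them together. The following is an added example, not code from the ipurple.team playbook or its MDE query: it correlates those three groups into one ordered chain per host over constructed sample events. The 15-minute window, the stage ordering, the sample hostnames, account name and timestamps are this example's assumptions; 4657/4663 only exist if a SACL audits that key.

```python
"""Added example (not from the ipurple.team post): correlate the three event
groups the post lists into one ordered chain per host.

  stage 1  System 7040/7036    Remote Registry start-type change / running
  stage 2  Security 4657/4663  registry write or access under the Speech CLSID key
  stage 3  Security 4688       SpeechRuntime.exe process creation

Window, ordering and sample events are assumptions of this example."""
from datetime import datetime, timedelta

SPEECH_CLSID = "{655D9BF9-3876-43D0-B6E8-C83C1224154C}"
WINDOW = timedelta(minutes=15)  # assumed correlation window
CHAIN = ("remote_registry", "speech_clsid_registry", "speechruntime_exec")

# Constructed sample events, not real telemetry. Field names follow the
# EventData names of each event ID (param1..3 for SCM 7040/7036).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2026-04-07T10:00:00", "event_id": 7040,
     "param1": "Remote Registry", "param2": "disabled", "param3": "demand start"},
    {"host": "WS01", "ts": "2026-04-07T10:00:05", "event_id": 7036,
     "param1": "Remote Registry", "param2": "running"},
    {"host": "WS01", "ts": "2026-04-07T10:01:10", "event_id": 4657,
     "SubjectUserName": "svc-deploy",  # constructed account name
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{655D9BF9-3876-43D0-B6E8-C83C1224154C}"},
    {"host": "WS01", "ts": "2026-04-07T10:03:00", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe"},
    # WS02 only shows the normal process start, so it must not alert.
    {"host": "WS02", "ts": "2026-04-07T11:00:00", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe"},
]


def stage(ev):
    """Map one event to a chain stage, or None if it is unrelated."""
    eid = ev["event_id"]
    svc = ev.get("param1", "").replace(" ", "").lower()
    if eid in (7040, 7036) and svc == "remoteregistry":
        return CHAIN[0]
    if eid in (4657, 4663) and SPEECH_CLSID.lower() in ev.get("ObjectName", "").lower():
        return CHAIN[1]
    if eid == 4688 and ev.get("NewProcessName", "").lower().endswith("\\speechruntime.exe"):
        return CHAIN[2]
    return None


def correlate(events, window=WINDOW):
    """Return one alert per host each time all three stages occur in order
    within `window`; a repeated stage (7040 then 7036) does not restart it."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s is not None:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), s, ev))

    alerts = []
    for host, seq in by_host.items():
        start, want, evidence = None, 0, []
        for t, s, ev in seq:
            if start is not None and t - start > window:  # chain expired
                start, want, evidence = None, 0, []
            if s != CHAIN[want]:
                continue
            if want == 0:
                start = t
            evidence.append(ev)
            want += 1
            if want == len(CHAIN):
                alerts.append({"host": host, "start": start.isoformat(),
                               "event_ids": [e["event_id"] for e in evidence]})
                start, want, evidence = None, 0, []
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} from {a['start']}: {a['event_ids']}")
```

Only WS01 alerts; WS02's lone SpeechRuntime.exe start is the normal case and stays quiet, which is the point of sequencing rather than alerting on 4688 alone.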

BSides Luxembourg talk announcement!

๐Ÿง๐Ÿšจ ๐—ก๐—ข๐—ง ๐—ฆ๐—ข ๐—›๐—”๐—ฅ๐— ๐—Ÿ๐—˜๐—ฆ๐—ฆ: ๐—ง๐—›๐—˜ ๐—›๐—œ๐——๐——๐—˜๐—ก ๐—ช๐—ข๐—ฅ๐—Ÿ๐—— ๐—ข๐—™ ๐—Ÿ๐—œ๐—ก๐—จ๐—ซ ๐—ฃ๐—”๐—–๐—ž๐—˜๐—ฅ๐—ฆ ๐—”๐—ก๐—— ๐——๐—˜๐—ง๐—˜๐—–๐—ง๐—œ๐—ข๐—ก ๐—–๐—›๐—”๐—Ÿ๐—Ÿ๐—˜๐—ก๐—š๐—˜๐—ฆ - ๐— ๐—”๐—ฆ๐—ฆ๐—œ๐— ๐—ข ๐—•๐—˜๐—ฅ๐—ง๐—ข๐—–๐—–๐—›๐—œ ๐Ÿ›ก๏ธ๐Ÿ”

Linux packers and loaders are a sneaky blind spot in cybersecurity. They hide code with encryption and obfuscation, then run it straight from memory to dodge detection. This talk dives into the โ€œhARMlessโ€ ARM64 packer, showing off tricks like layered encryption and direct syscalls, while exposing a harsh truth: many defenses on Linux barely see it coming.

Massimo Bertocchi https://pretalx.com/bsidesluxembourg-2026/speaker/SU38N8/ Massimo Bertocchi is a Zรผrich-based Threat Hunter and Detection Engineer with dual Masterโ€™s degrees from KTH Royal Institute of Technology and Aalto University, recognized for his award-winning research uncovering covert C2 channels in Microsoft Teams that enable high-speed data exfiltration and expose critical gaps in enterprise security monitoring.

๐Ÿ“… Conference dates: 6โ€“8 May 2026 | 09:00โ€“18:00
๐Ÿ“ 14, Porte de France, Esch-sur-Alzette, Luxembourg
๐ŸŽŸ๏ธ Tickets: https://2026.bsides.lu/tickets/
๐Ÿ“… Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/
#BSidesLuxembourg2026 #CyberSecurity #ThreatHunting #MalwareAnalysis #CloudSecurity #DetectionEngineering

Has anyone been able to successfully replicate copying and pasting ClickFix/TerminalFix/*Fix commands into macOS Terminal to trigger this new-fangled malware warning? I have attempted numerous commands, from base64-encoded content to osascripts mimicking macOS infostealer prompts to cURL commands downloading remote content. I even replicated the command documented in the Tom's Guide article using the same tool in the same browser and it ran flawlessly in Terminal with no popup. And yes, I'm running Tahoe 26.4 on an M3. I'd like to think this would be a useful 'stop-and-think' mitigation but I can't even consistently trigger it. And, per usual, Apple is tight-lipped on HOW they are detecting malicious commands so it's likely to remain a black box mitigation. And yeah, I get it, the end user can just click right through the warning via a sneaky social engineering prompt. My goal was to try and build out detection logic to ID when a user gets hit with a prompt so I can at least investigate what the user tried to do and dig deeper into the threat. Since theoretically the user won't run the command, it won't get logged in SIEM/EDR tools. I need to rely on other mechanisms for detecting the paste event.

https://www.tomsguide.com/computing/online-security/i-tried-apples-new-security-feature-in-macos-that-warns-you-about-potential-clickfix-attacks-and-windows-should-take-note?utm_source=flipboard&utm_medium=activitypub

#macos #clickfix #terminalfix #threatintel #pastejacking #detectionengineering #threathunting

I put Apple's new macOS ClickFix warnings to the test and they actually worked — now I want them on Windows too

New warning stops you before you potentially paste something dangerous

Tom's Guide

📢 New Article Drop: Weaponizing Windows Toast Notifications for Social Engineering
🧠 Windows Toast Notifications are everywhere: policy updates, VPN reminders, password expiry alerts. Because these are legitimate applications that users trust, they can become a high-impact social-engineering surface.
🦄 I just published a deep-dive playbook on how Toast Notifications can be abused for credential harvesting, lateral movement, user manipulation etc. and how defenders can perform detection.
📖 1x Playbook
💡 Detection Opportunities
🎯 1x MDE Query
🚨 1x SIGMA Rule

Detection - Event IDs
✅ 7 & 13 (Sysmon)
✅ DLL Monitoring: wpnapps.dll & msxml6.dll from unexpected processes
✒️ https://ipurple.team/2026/03/25/toast-notifications/
#purpleteam #detectionengineering #blueteam #threathunting

Toast Notifications

The Application User Model ID (AUMID) is a unique identifier that Windows assigns to modern applications. It enables Windows to identify which applications should receive notifications, how start mโ€ฆ

Purple Team
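The post above names the DLLs to watch (wpnapps.dll, msxml6.dll) and the Sysmon event to watch them in (Event ID 7, ImageLoaded), but "unexpected processes" needs a baseline to be meaningful. The following is an added example, not the ipurple.team MDE query or SIGMA rule: it derives a per-DLL loader allowlist from constructed known-good events and flags live loads whose loader is outside that allowlist or runs from a user-writable directory. The known-good set, the live events, the hostnames and the directory fragments are this example's assumptions; build the baseline from your own fleet before relying on it.

```python
"""Added example (not from the ipurple.team post): flag Sysmon Event ID 7
(ImageLoaded) records where wpnapps.dll or msxml6.dll is loaded by a process
that is absent from a per-DLL loader baseline, or that runs from a
user-writable directory. All events below are constructed for the example."""
from collections import defaultdict

WATCHED_DLLS = {"wpnapps.dll", "msxml6.dll"}
# Assumed user-writable locations (lower-case path fragments).
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_baseline(known_good):
    """Per-DLL set of loader image basenames seen in known-good EID 7 events."""
    baseline = defaultdict(set)
    for ev in known_good:
        if ev["event_id"] == 7 and basename(ev["ImageLoaded"]) in WATCHED_DLLS:
            baseline[basename(ev["ImageLoaded"])].add(basename(ev["Image"]))
    return baseline


def detect(events, baseline):
    """Return one finding per EID 7 event of a watched DLL, with the reasons it fired."""
    findings = []
    for ev in events:
        if ev["event_id"] != 7:
            continue
        dll = basename(ev["ImageLoaded"])
        if dll not in WATCHED_DLLS:
            continue
        loader = ev["Image"].lower()
        reasons = []
        if basename(loader) not in baseline.get(dll, set()):
            reasons.append("loader not in baseline")
        if any(frag in loader for frag in USER_WRITABLE):
            reasons.append("loader in user-writable path")
        if reasons:
            findings.append({"host": ev["host"], "Image": ev["Image"],
                             "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return findings


# Constructed known-good events used to derive the baseline.
KNOWN_GOOD = [
    {"host": "WS01", "event_id": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\wpnapps.dll"},
    {"host": "WS01", "event_id": 7,
     "Image": r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
     "ImageLoaded": r"C:\Windows\System32\wpnapps.dll"},
    {"host": "WS01", "event_id": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Windows\System32\msxml6.dll"},
]

# Constructed live events: one benign, two that should fire.
LIVE = [
    {"host": "WS02", "event_id": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\wpnapps.dll"},
    {"host": "WS02", "event_id": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\policy_update.exe",
     "ImageLoaded": r"C:\Windows\System32\wpnapps.dll"},
    {"host": "WS03", "event_id": 7,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\msxml6.dll"},
]

if __name__ == "__main__":
    for f in detect(LIVE, build_baseline(KNOWN_GOOD)):
        print(f"{f['host']}: {f['Image']} -> {f['ImageLoaded']} ({', '.join(f['reasons'])})")
```

msxml6.dll in particular is loaded by a very wide set of legitimate processes, so expect the baseline for it to be large; the user-writable-path check is the signal that stays useful even where the allowlist is noisy.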

@vickyjo @verovaleros Hi @verovaleros, are you a #detectionengineering specialist operating at the cutting edge of what's possible here today?

Or doing something with Agentic SOC?
If yes, then we're trying to build panels on these topics at BSidesLuxembourg.

#BSidesLuxembourg2026
#DetectionengineeringVillage
#AgenticSOCvillage

Microsoft warned about OAuth redirect abuse on March 2, 2026. This isn't credential theft or classic token theft by itself. It weaponizes Entra ID error handling.

An attacker registers an OAuth app with a malicious redirect URI, sends a crafted login.microsoftonline.com link designed to fail, and Entra ID's 302 redirect lands the victim on a phishing page or malware dropper. The sign-in fails and the attacker still wins.

I built a detection and hardening kit you can deploy to an existing Sentinel workspace:

• 4 analytics rules: consent after risky sign-in, suspicious redirect URIs, OAuth error clustering, bulk consent

• 5 hunting queries: permissions baseline, non-corporate IP auth, high-privilege apps, URI inventory, token replay

• 1 workbook: OAuth Security Dashboard

• Entra hardening: verified-publisher consent restriction, MFA policy for risky OAuth sign-ins

• OAuth app audit: flags suspicious redirect URIs and overprivileged permissions across app registrations

Blog post: https://nineliveszerotrust.com/blog/oauth-redirect-abuse-sentinel/

Companion lab on GitHub: https://github.com/j-dahl7/oauth-redirect-abuse-sentinel

#MicrosoftSentinel #EntraID #DetectionEngineering #OAuth #IdentitySecurity #BlueTeam

Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID

Microsoft warned about OAuth redirect abuse enabling phishing and malware delivery. Build Sentinel analytics rules, hunting queries, a security workbook, and Entra ID hardening policies to detect and prevent this technique in your tenant.
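The technique described above depends on an app registration carrying a redirect URI the attacker controls, so the registration inventory is the place to look before any sign-in happens. The following is an added example, not code from the nineliveszerotrust.com kit or its app audit: it walks application objects shaped like the Microsoft Graph `application` resource (web, spa and publicClient redirectUris) and reports URIs that leave the tenant's own domains, use a wildcard host, use plain http to a non-loopback host, use a custom scheme, or still use the legacy out-of-band URI. TRUSTED_DOMAINS, the sample registrations and the individual checks are this example's assumptions.

```python
"""Added example (not from the nineliveszerotrust.com kit): audit Entra ID app
registrations for redirect URIs that could carry a user, after a failed or a
successful sign-in, to a host the tenant does not control. Input mirrors the
Microsoft Graph `application` object; domains, apps and checks are assumed."""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"contoso.com"}          # assumed: the tenant's own domains
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def uri_findings(uri):
    """Reasons a single redirect URI deserves review; empty list if none."""
    if uri == OOB_URI:
        return ["legacy out-of-band redirect"]
    p = urlparse(uri)
    if p.scheme not in ("http", "https"):
        return [f"custom scheme {p.scheme!r} (native client; verify ownership)"]
    host = (p.hostname or "").lower()
    if host in LOOPBACK_HOSTS:
        return []                              # loopback is normal for native apps
    reasons = []
    if p.scheme == "http":
        reasons.append("http redirect to non-loopback host")
    if "*" in host:
        reasons.append("wildcard host")
    elif not is_trusted(host):
        # A host that merely contains the tenant's brand label is the classic
        # phishing landing page shape, so call it out explicitly.
        lookalike = [d for d in TRUSTED_DOMAINS if d.split(".")[0] in host]
        note = f", resembles {lookalike[0]}" if lookalike else ""
        reasons.append(f"host {host} outside trusted domains{note}")
    return reasons


def audit(applications):
    """One finding dict per (app, URI, reason) across all redirect URI groups."""
    findings = []
    for app in applications:
        groups = {"web": app.get("web", {}).get("redirectUris", []),
                  "spa": app.get("spa", {}).get("redirectUris", []),
                  "publicClient": app.get("publicClient", {}).get("redirectUris", [])}
        for kind, uris in groups.items():
            for uri in uris:
                for reason in uri_findings(uri):
                    findings.append({"appId": app["appId"], "displayName": app["displayName"],
                                     "kind": kind, "uri": uri, "reason": reason})
    return findings


# Constructed registrations; appIds are placeholders, not real apps.
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "HR Portal",
     "web": {"redirectUris": ["https://hr.contoso.com/signin-oidc"]}},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Expense Helper",
     "web": {"redirectUris": ["https://expense.contoso.com/cb",
                              "https://contoso-login.example.net/cb"]}},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "Field Scanner",
     "publicClient": {"redirectUris": ["http://localhost:5000/auth",
                                       "msauth://com.contoso.scanner/abc"]}},
    {"appId": "00000000-0000-0000-0000-000000000004", "displayName": "Legacy Sync",
     "publicClient": {"redirectUris": ["urn:ietf:wg:oauth:2.0:oob"]},
     "spa": {"redirectUris": ["http://intranet.contoso.com/cb", "https://*.contoso.com/cb"]}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_APPS):
        print(f"{f['displayName']} [{f['kind']}] {f['uri']}: {f['reason']}")
```

Feed it the output of a Graph `applications` listing and review every finding against who owns the app; the custom-scheme case is usually legitimate for mobile clients, whereas an external or lookalike host on a web registration is the shape the March 2 warning describes.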

CVE-2026-21902 represents a high-impact infrastructure exposure.

Affected platform: Junos OS Evolved on PTX series routers.

Attack vector: Unauthenticated network access.
Privilege level: Root execution.
Service: On-Box Anomaly Detection, enabled by default.

Strategic risk:
• Traffic interception capability
• Policy manipulation
• Controller redirection
• Lateral pivoting
• Long-term foothold persistence
Although no exploitation has been observed, historically, high-performance routing infrastructure is a prime target due to its control-plane visibility and network centrality.

Recommended actions:
– Immediate patch validation
– Control-plane traffic monitoring
– Service exposure review
– Network segmentation validation
– Threat hunting for anomalous routing behavior
Are infrastructure devices integrated into your continuous detection engineering pipeline?

Source: https://www.securityweek.com/juniper-networks-ptx-routers-affected-by-critical-vulnerability/

Engage below.
Follow TechNadu for high-signal vulnerability intelligence.
Repost to strengthen security awareness.

#Infosec #CVE2026 #Juniper #RouterSecurity #CriticalInfrastructure #ThreatModeling #DetectionEngineering #NetworkDefense #ZeroTrustArchitecture #CyberRisk #SecurityOperations #VulnerabilityManagement

APT37โ€™s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.

Are critical infrastructure operators prepared for USB-mediated C2 relays?

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

Engage below.

Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.

#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture

Identity compromise continues to dominate intrusion chains.
From the Sophos Active Adversary Report 2026:
• 67% of initial access attributed to identity abuse
• 3.4-hour median to Active Directory pivot
• 3-day median dwell time
• 88% ransomware deployment off-hours
• 79% data exfiltration off-hours
Directory services remain high-value assets — authentication, authorization, policy control, privilege mapping.
The compressed timeline from credential misuse to directory-level access underscores the need for:
– Continuous identity monitoring
– Behavioral analytics
– After-hours SOC coverage
– Conditional access enforcement
– Least-privilege architecture
Generative AI is functioning as a force multiplier — improving phishing quality and campaign scale — not yet delivering autonomous attack chains.

Is identity governance keeping pace with adversary dwell time compression?
Engage below.

Source: https://www.sophos.com/en-us/press/press-releases/sophos-active-adversary-report-2026-identity-attacks-dominate-as-threat-groups-proliferate

Follow TechNadu for high-signal infosec analysis.

Repost to strengthen industry awareness.

#Infosec #IdentityThreats #RansomwareDefense #ActiveDirectorySecurity #ThreatModeling #GenAI #SecurityOperations #CyberRisk #ZeroTrustArchitecture #DetectionEngineering #EnterpriseSecurity #ThreatHunting