Bas

@bastradamus.bsky.social

Passionate about Security operations, Cloud & Detection Engineering.

11 Followers  |  36 Following  |  8 Posts  |  Joined: 20.07.2023  |  1.6112

Latest posts by bastradamus.bsky.social on Bluesky

Detecting WinRAR zero-day exploitation: CVE-2025-8088 Detecting CVE-2025-8088 post-exploitation attempts with Defender XDR via KQL.

Detecting WinRAR zero-day post-exploitation attempts:

bastradamus.com/detecting-wi...

12.08.2025 18:56 — 👍 1    🔁 0    💬 0    📌 0
GitHub - NCSC-NL/citrix-2025 Contribute to NCSC-NL/citrix-2025 development by creating an account on GitHub.

The Dutch cybersecurity agency has released a script to detect webshells typically installed by attackers exploiting the CitrixBleed2 vulnerability in Citrix NetScaler appliances

github.com/NCSC-NL/citr...

27.07.2025 14:18 — 👍 24    🔁 11    💬 1    📌 0
Detecting device code phishing in Google Security Operations Creating a YARA-L detection rule for device code phishing attacks.

Detecting device code phishing attacks in Google Security Operations

bastradamus.com/detecting-de...

23.05.2025 05:15 — 👍 1    🔁 0    💬 0    📌 0
Incident Response in Microsoft Entra ID (formerly Azure AD) Compromised user account edition.

Incident Response in Microsoft Entra ID (formerly Azure AD) bastradamus.com/incident-res...

08.05.2025 19:38 — 👍 0    🔁 0    💬 0    📌 0
Azure & Entra ID token manipulation Access tokens + Refresh tokens edition

Azure & Microsoft Entra ID token manipulation bastradamus.com/azure-entra-...

31.03.2025 17:32 — 👍 0    🔁 0    💬 0    📌 0

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice | Proofpoint US Key findings: More threat actors are using legitimate remote monitoring and management (RMM) tools as a first-stage payload in email campaigns. RMMs can be used for

Published some new research on how RMMs are taking over as a first-stage payload www.proofpoint.com/us/blog/thre...

11.03.2025 15:24 — 👍 34    🔁 16    💬 0    📌 0
Confluence Exploit Leads to LockBit Ransomware Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…

It took just 3 hours:

RCE → Metasploit C2 → AnyDesk for remote GUI access → LockBit ransomware

Interestingly, we observed the threat actor using PDQ Deploy, a patch management tool.

Read the report here:

24.02.2025 15:25 — 👍 9    🔁 3    💬 1    📌 0
Det. Eng. Weekly #93 - Does a tangodown 3-peat count after a week off? I take a week off publishing and a ransomware operator gets arrested, coincidence?

Mentioned in #93 of the Detection Engineering Weekly 🙏

www.detectionengineering.net/p/det-eng-we...

01.03.2025 07:26 — 👍 1    🔁 0    💬 0    📌 0

1/ One of the techniques to detect infections, as laid out in my presentation and additional blog post "N-IOCs to Rule Them All" [1], is tracking lookups to Dynamic DNS (DynDNS) domains and providers.

28.02.2025 07:27 — 👍 1    🔁 2    💬 1    📌 0
Google SecOps Detection Rule Wiki Comprehensive collection of Google SecOps YARA-L detection rules for security operations.

secops.wiki is live, it lets you search and filter community detection rules for Google SecOps (formerly known as Google Chronicle). Also has a YARA-L rule builder & some additional resources. Work in progress.

28.02.2025 21:43 — 👍 0    🔁 0    💬 0    📌 0

Very much appreciate @techy.detectionengineering.net mentioning the two-part series 🙏

28.02.2025 21:25 — 👍 2    🔁 0    💬 0    📌 0

How to create a Detection Engineering Lab — Part 1 Setting up a Lab lets you mimic real-world TTPs in a safe environment, making it easy to test, build and fine-tune detection logic.

Rather recently, I finally found time to start writing security-focused blogs. I'll try sharing content regularly; let's start with my two-part series on creating a Detection Engineering testing environment:

1. medium.com/@bastradamus...

2. medium.com/@bastradamus...

28.02.2025 21:14 — 👍 1    🔁 0    💬 1    📌 0