KoifSec

@koifsec.bsky.social

Detection engineer, also writing for https://detect.fyi. Base64 Enjoyer. Clippy is a threat actor.

17 Followers  |  105 Following  |  9 Posts  |  Joined: 20.11.2024  |  1.6998

Latest posts by koifsec.bsky.social on Bluesky

Deconstructing “Wmiexec-Pro” I recently ran a Kali VM against a Windows test host and instrumented the target with Procmon and WMI/Windows logs to see how a new…

New post out! "Deconstructing Wmiexec-pro"

Technical deep dive into a new post-exploitation framework based on Impacket's wmiexec, including a bunch of new telemetry and detections. Check it out > koifsec.medium.com/deconstructi...

23.10.2025 15:30 — 👍 0    🔁 0    💬 0    📌 0

๐—ฆ๐—ฒ๐—ฒ๐—ถ๐—ป๐—ด ๐˜€๐—ผ๐—บ๐—ฒ ๐˜€๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€๐—ฑ๐˜‚๐—บ๐—ฝ ๐—ฎ๐—ฐ๐˜๐—ถ๐˜ƒ๐—ถ๐˜๐˜† ๐—ถ๐—ป ๐˜๐—ต๐—ฒ ๐˜„๐—ถ๐—น๐—ฑ ๐—น๐—ฎ๐˜๐—ฒ๐—น๐˜†, ๐—ฎ๐—ป๐—ฑ ๐—ถ๐˜โ€™๐˜€ ๐˜๐—ฟ๐—ถ๐—ฐ๐—ธ๐˜† ๐˜๐—ผ ๐—ฐ๐—ฎ๐˜๐—ฐ๐—ต ๐—ฏ๐—ฒ๐—ฐ๐—ฎ๐˜‚๐˜€๐—ฒ ๐—ผ๐—ณ ๐—ฎ๐—น๐—น ๐˜๐—ต๐—ฒ ๐—ณ๐—ฎ๐—น๐˜€๐—ฒ ๐—ฝ๐—ผ๐˜€๐—ถ๐˜๐—ถ๐˜ƒ๐—ฒ๐˜€.

The recent NetExec update (codename SmoothOperator) pushed me to share this one ๐Ÿ‘‡
๐Ÿ”— www.netexec.wiki/news/v1.4.0-...

๐—™๐—ถ๐—ฟ๐˜€๐˜ ๐—ฒ๐˜ƒ๐—ฒ๐—ป๐˜ (๐Ÿฐ๐Ÿฒ๐Ÿณ๐Ÿฎ)
Special privileges assigned to new logon:

22.10.2025 04:36 — 👍 4    🔁 1    💬 1    📌 0
Detecting Abuse of OpenEDR’s Permissive EDR Trial: A Security Researcher’s Perspective 1. Introduction

๐—ฅ๐—ฒ๐—ฎ๐—ฑ ๐˜๐—ต๐—ฒ ๐—ณ๐˜‚๐—น๐—น ๐—ฎ๐—ฟ๐˜๐—ถ๐—ฐ๐—น๐—ฒ: kostas-ts.medium.com/detecting-ab...

๐—ฆ๐—ถ๐—ด๐—บ๐—ฎ ๐—ฃ๐—ฅ: github.com/SigmaHQ/sigm...

๐—œ'๐—ฑ ๐—น๐—ผ๐˜ƒ๐—ฒ ๐˜๐—ผ ๐—ต๐—ฒ๐—ฎ๐—ฟ ๐˜†๐—ผ๐˜‚๐—ฟ ๐˜๐—ต๐—ผ๐˜‚๐—ด๐—ต๐˜๐˜€:
โ€ข Have you encountered similar permissive trial access in other security platforms? We need to document things before it's too late.

Hope you enjoy reading the post!

22.10.2025 14:33 — 👍 1    🔁 1    💬 0    📌 0

1/
In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1]

The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.

27.09.2025 07:42 — 👍 4    🔁 2    💬 1    📌 0
Inboxfuscation: Because Rules Are Meant to Be Broken Permiso launches Inboxfuscation, an open-source tool enabling organizations to detect Unicode-obfuscated Microsoft Exchange inbox rules and secure Microsoft 365.

permiso.io/blog/inboxfu...

12.09.2025 09:18 — 👍 2    🔁 0    💬 0    📌 0
Process Hunting with PSTree | Splunk This tutorial shows how to use the pstree command & app to help you look through all the processes you have to investigate.

www.splunk.com/en_us/blog/s...

10.09.2025 14:38 — 👍 0    🔁 0    💬 0    📌 0
Thoughts on the recent Ethereum smart contracts C2 abuse Hello all! 👋 It’s been a while since my last post. I wasn’t finding anything exciting to write about — until this story caught my…

New blog out!
medium.com/@koifsec/tho...

06.09.2025 15:53 — 👍 0    🔁 0    💬 0    📌 0
PDF.pdf

Sharing the slides from our latest "2025 State of Detection Workshop" !
drive.google.com/file/d/18Q-E...

22.08.2025 13:47 — 👍 0    🔁 0    💬 0    📌 0
Lateral Movement – BitLocker BitLocker is a full disk encryption feature which was designed to protect data by providing encryption to entire volumes. In Windows endpoints (workstations, laptop devices etc.), BitLocker is typi…

ipurple.team/2025/08/04/l...

05.08.2025 07:14 — 👍 0    🔁 0    💬 0    📌 0

A rather interesting choice of technique to use a renamed legitimate schtasks. Quite easy to detect by writing a rule that searches for "/create " + "/tn " + "/sc " + "/tr "!

28.07.2025 05:02 — 👍 0    🔁 0    💬 0    📌 0
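As an added example (not part of the post above), a Python sketch of the rule it describes: the four schtasks switches are matched as whole tokens, case-insensitively, against the process command line, and the finding is labelled differently when the image name is not schtasks.exe, which is the renamed-binary case. The event field names and the sample command lines are constructed for the example.

```python
from typing import Iterable, List, Optional, Tuple

# Switches that identify a "schtasks /create" invocation regardless of what the
# binary was renamed to (the point of the post). Matched as whole tokens,
# case-insensitively, so "/Create" and "/TN" are caught and "/tn" at the end of
# the command line is not missed the way a trailing-space substring match would.
REQUIRED_SWITCHES = ("/create", "/tn", "/sc", "/tr")


def has_schtasks_create_args(cmdline: str) -> bool:
    """True when every required switch appears as its own token."""
    tokens = {t.lower() for t in cmdline.split()}
    return all(s in tokens for s in REQUIRED_SWITCHES)


def classify(event: dict) -> Optional[str]:
    """Label a process-creation event (constructed schema: Image, CommandLine)."""
    if not has_schtasks_create_args(event.get("CommandLine", "")):
        return None
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == "schtasks.exe":
        return "schtasks_create"          # expected binary name, lower priority
    return "renamed_schtasks_create"      # create-task arguments, unexpected binary


def hunt(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run classify() over events and keep only the hits."""
    return [(e["Image"], label) for e in events if (label := classify(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Updater /sc minute /mo 5 /tr C:\Users\Public\u.exe"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r'svchost.exe /Create /TN "\Microsoft\Windows\Sync" /SC ONLOGON /TR C:\Users\Public\s.exe'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /query /tn Updater"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo /tn test"},
]

if __name__ == "__main__":
    for image, label in hunt(SAMPLE_EVENTS):
        print(f"{label:26} {image}")
```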
Detection Pitfalls You Might Be Sleeping On Detection engineering isn’t just about finding bad behavior. It’s about understanding how attackers appear normal — on accident or by…

medium.com/detect-fyi/d...

26.07.2025 06:49 — 👍 1    🔁 0    💬 0    📌 0
“Invoke-Shadow” — Applying Jungian Psychology to Detection Engineering “Until you make the unconscious conscious, it will direct your life — and you will call it fate.” — Carl Jung

detect.fyi/invoke-shado...

25.07.2025 06:08 — 👍 1    🔁 0    💬 0    📌 0