Agentic AI and the Future of Autonomous Cyber Defense
https://youtu.be/pqkeYSfG1nc #cybersecurity #AIinSecurity #AgenticAI #AutonomousSecurity #AIThreatDetection #CyberDefense #SecurityAutomation #AIvsCybercrime #Infosec #AITools #ThreatHunting
Okay, so I wanted to share a little incident from a few months back that really hammered home the power of knowing your Linux internals when things go sideways. I got a frantic call, "something weird is going on with our build server, it's acting sluggish and our monitoring is throwing odd network alerts." No fancy EDR on this particular box, just the usual ssh and bash. My heart always sinks a little when it's a Linux box with vague symptoms, because you know it's time to get your hands dirty.
First thing I did, even before reaching for any specific logs, was to get a quick snapshot of the network. Instead of netstat, which honestly feels a bit dated now, I immediately hit ss -tunap. That p is crucial because it shows you the process and user ID for each connection. What immediately jumped out was an outbound TCP connection on a high port to a sketchy-looking IP, and it was tied to a process that definitely shouldn't have been making external calls. My gut tightened. I quickly followed up with lsof -i just to be super sure no deleted binaries were clinging on to network connections.
With that IP and PID in hand, I moved to process investigation. pstree -ap was my next stop. It showed the suspicious process, and more importantly, its parent. It wasn't a child of systemd or a normal service. It was spawned by a build script that shouldn't have been executing anything like this. That hierarchical view was key. Then, to really understand what this thing was doing, I dared to strace -p <PID>. Watching the system calls unfurl was like watching a movie of its malicious intent: it was reading from /etc/passwd, making connect() calls, and trying to write to some odd /tmp directories. Simultaneously, I checked ls -l /proc/<PID>/exe to confirm the actual binary path (it was indeed in /tmp) and /proc/<PID>/cwd to see its working directory. No doubt, this was a rogue process.
Knowing it was a fresh infection, I immediately shifted to the filesystem. My go-to is always find / -type f -newermt '2 days ago' -print0 | xargs -0 ls -latr. This quickly pulls up any files modified in the last 48 hours, sorted by modification time. It's often where you find dropped payloads, modified configuration files, or suspicious scripts. Sure enough, there were a few more binaries in /tmp and even a suspicious .sh script in a developer's home directory. I also scanned for SUID/SGID binaries with find / -perm /6000 just in case they'd dropped something for privilege escalation. And while stat's timestamps can be tampered with, I always glance at atime, mtime, and ctime on suspicious files; sometimes, a subtle mismatch offers a tiny clue if the attacker wasn't meticulous.
The final piece of the puzzle, and often the trickiest, is persistence. I checked the usual suspects: crontab -l for root and every other user account I could find. Then I cast a wider net with grep -r "suspect_domain_or_ip" /etc/cron.* /etc/systemd/system/ /etc/rc.d/ and similar common boot directories. Sure enough, a new systemd timer unit had been added that was scheduled to execute the /tmp binary periodically. Finally, I didn't forget the user dotfiles (~/.bashrc, ~/.profile, etc.). It’s surprising how often an attacker will drop a malicious alias or command in there, assuming you won't dig deep into a developer's setup.
Long story short, we quickly identified the ingress vector, isolated the compromise, and cleaned up the persistence. But what really stuck with me is how quickly you can triage and understand an incident if you're comfortable with these fundamental Linux commands. There's no substitute for getting your hands dirty and really understanding what strace is showing you or why ss is superior to netstat in a high-pressure situation. These tools are your best friends in a firefight.
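A shell helper that wraps the triage steps walked through in the post above (socket snapshot, /proc origin check, recent-file and SUID sweeps, persistence grep). This is an added example, not the poster's own script; the scratch directories it treats as suspicious and the persistence locations it searches are assumptions.

```bash
#!/usr/bin/env bash
# Linux live-triage helper built from the commands in the post above.
# Constructed example; run as root for full /proc and /home visibility.
set -u

# Assumption: a legitimately installed binary never runs from these paths.
is_suspicious_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# ss -tunap: every TCP/UDP socket with owning process and user; drop the
# header, loopback peers and unconnected wildcard sockets to cut noise.
net_snapshot() {
    ss -tunap 2>/dev/null | awk 'NR > 1 && $6 !~ /^(127\.|\[::1\]|0\.0\.0\.0|\*:|\[::\])/'
}

# Resolve a PID's real binary and working directory through /proc and flag
# either one living in a scratch directory. Prints: pid exe cwd ok|SUSPECT
proc_origin() {
    local pid=$1 exe cwd flag=ok
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='?'
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd='?'
    if is_suspicious_path "$exe" || is_suspicious_path "$cwd"; then flag=SUSPECT; fi
    printf '%s %s %s %s\n' "$pid" "$exe" "$cwd" "$flag"
}

# Files under $1 modified since $2 (e.g. '2 days ago'), oldest first.
recent_files() {
    find "$1" -xdev -type f -newermt "$2" -print0 2>/dev/null | xargs -0r ls -latr
}

# SUID/SGID executables under $1: a common privilege-escalation drop.
setuid_files() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null
}

# Persistence sweep: cron, systemd units and timers, rc scripts and user
# dotfiles for an IP, domain or path string. Extra roots may follow the pattern.
persistence_grep() {
    local pattern=$1; shift
    grep -rIl -- "$pattern" /etc/cron* /etc/systemd/system /etc/rc.d /var/spool/cron \
        /root/.bashrc /root/.profile /home/*/.bashrc /home/*/.profile "$@" 2>/dev/null
}

# Typical use: net_snapshot; proc_origin <PID>; recent_files / '2 days ago';
# setuid_files /; persistence_grep <suspect_ip_or_domain>
```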
Is anyone familiar with this kind of file name? Looks like it's generated from some sort of C2 framework but I'm not sure what. #threathunting
Who loves YARAify? We do! And now there’s even more to love with the latest cool features making threat hunting easier. Now you can...
Auto-delete files after scanning! If enabled, YARAify now deletes raw files after 7 days - while keeping scan results and metadata available. Want to keep those juicy files private? You can still disable file sharing
Trigger a file rescan for a previously uploaded sample! Also accessible via the API.
Bonus: Grab Python 3 script from our GitHub repo: https://github.com/abusech/YARAify
Deploy YARA rules directly via the API!
And, yes, there’s a sample script on GitHub for that too!
Want a walkthrough? Jump to 11:08 in this demo to see these updates in action:
https://www.youtube.com/live/xobmSNfZ-sk
FWIW, 100% of #ClickFix attacks I've seen have added some kind of inline comment at the end of the command string like "I am not a robot" to sell the ruse. Definitely worth a threat hunt on command line history.
Threat Actors Don’t Care About Your Compliance Score
https://youtu.be/mYsSUR6z6BA . #cybersecurity #GRC #audits #documentation #threatactors #vulnerabilities #threathunting #riskmanagent #compliance #NIST #CMMC
The DEATHCon 2025 Call for Workshops is now open!
If you have a great idea for teaching people how to do #detectionengineering or #threathunting or an adjacent skill through hands-on experience in our lab, we'd love to hear it! https://deathcon.io/cfp.html Submit before June 1
Attention Thrunters!
Part 3 of the DEATHCon thrunting workshop is live! @Jotunvillur and I break down a hypothesis-driven scenario step by step. Grab your hammer and sharpen your skills!
Read now: https://dispatch.thorcollective.com/p/a-deathcon-thrunting-workshop-overview-part-3
I've had to analyze several MS Quick Assist compromises and found challenges during each one. Threat hunting for malicious activity through QA is not easy either.
So I wrote a blog post on what to look for: https://inversion6.com/resources/blog/january-2025/microsoft-quick-assist-an-it-security-primer
In an attempt to run Get-Content on a directory I didn't have access to, I found in my logs that a standard PowerShell engine lifecycle is logged as event_id 400 and an elevated administration prompt is logged as 403.
Neat way to find out if PowerShell gets launched with elevated privileges.
#PowerShell #threathunting #Elastic
'It's Always DNS' - and in 2025, that's truer than ever. DTI's expert analysts are tracking evolving TTPs across the threat landscape, from Charming Kitten to TrickBot.
Follow @DomainTools for the latest insights from our seasoned research team.
#cyberthreat #infosec #threathunting
https://dti.domaintools.com/?utm_source=Mastodon&utm_medium=Social&utm_campaign=DTI
Hey Hey People,
DA Here.
Do you have a Suricata sensor in your network?
Do you use Suricata as part of a sandbox that you run?
Have you been hammering away at finding evil, and want to find more?
I'm doing a webinar courtesy of OISF this Thursday. 3PM UTC, which translates to 10am EST.
I'll be talking about two things during this meeting: One, is making good use of the ET INFO rule category as an early warning system.
Sure, there is a lot of noise to sift out of ET INFO, and for that reason, some choose to just cut it entirely. I'm here to show you how to grab the stuff we've seen in our sandboxes that can help to lead anomaly detection.
In the second part of this talk, I will talk about how you can convert network and system-specific artifacts into a set of Honeytoken-like IDS rules that again, can lead to anomaly detection, and perhaps even catching advanced or unidentified threats.
Here is a link to register for the meeting: https://us02web.zoom.us/webinar/register/WN_MJogFww8S4mIpEOctaTZlw#/registration
Ready to take your threat hunting & IR game to the next level? Join us this February at WWHF Mile High for Threat Hunting & Incident Response with Velociraptor!
Hands-on labs with cloud VMs
Expert-led by @eric_capuano & @shortstack
Real-world hunting skills
Available in-person & virtual! Spots are limited--register now! https://www.antisyphontraining.com/course/threat-hunting-incident-response-with-velociraptor-with-eric-capuano-whitney-champion/ #WWHF #ThreatHunting #IncidentResponse #DFIR
Introducing PowerShell-Hunter: Your New Favorite Event Log Analysis Tool!
Tired of drowning in PowerShell logs? We've got you covered:
• Smart pattern detection for malicious behaviors
• Risk scoring to prioritize threats
• Export to CSV/JSON for your workflow
• Extensible pattern matching
Perfect for:
• Incident Response
• Threat Hunting
• Forensics
• SOC Analysis
Get started: https://github.com/MHaggis/PowerShell-Hunter
openSquat - An open-source tool for detecting domain look-alikes by searching for newly registered domains that might be impersonating legit domains and brands.
Exciting News: Kunai’s Latest Release is Here!
We’re excited to announce the newest release of Kunai, an open-source security monitoring and hunting tool for Linux systems! This version introduces many fixes and features to improve flexibility, performance, and usability.
What’s new? Fixes: Improved process tracking ensures that even zombie processes can’t escape detection!
Enhancements: Simplified configuration and accurate process ancestorship tracking.
New Features:
- Composite Rules: Modular, reusable rules for efficiency and simplicity.
- String Templates: YAML-based templates for concise, maintainable rules.
- File Create Event Tracking and more!
Documentation is updated with all the changes at: http://why.kunai.rocks/
Dive into the release details: http://github.com/kunai-project/kunai/releases/tag/v0.4.0
From Unit 42: Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them https://unit42.paloaltonetworks.com/north-korean-it-workers/?utm_source=dlvr.it&utm_medium=mastodon #unit42 #threathunting #threatintel
Today's training about #ThreatHunting with #Wireshark by Chris Greer was very good. The great selection of pcaps from various stages of cyber attacks inspired us to ask questions and discuss in depth the details and anomalies hidden in the packets.
Also, the private room on the #Tryhackme platform works great. It is nice to see our progress during the course and receive instant feedback.
To be honest, I did not know Chris before this training and I was not really sure what to expect from today (I originally registered for a different Threat Hunting training, which was later replaced by this one). But now I can really recommend Chris and his training to everyone interested in packet analysis and network intrusions. Good job and thank you.
Looking for a fun #CyberSecurity #Infosec project?
Want to practice your #ThreatHunting and #Detection skills?
Install the NEW #SecurityOnion 2.4.100 in a VM:
https://docs.securityonion.net/en/2.4/first-time-users.html
Then follow along with our recent quick #malware analysis posts:
https://blog.securityonion.net/search/label/quick%20malware%20analysis