Bas
@bastradamus.bsky.social
Passionate about Security operations, Cloud & Detection Engineering.
Detecting WinRAR zero-day post-exploitation attempts:

bastradamus.com/detecting-wi...
Detecting WinRAR zero-day exploitation: CVE-2025-8088
Detecting CVE-2025-8088 post-exploitation attempts with Defender XDR via KQL.
bastradamus.com
August 12, 2025 at 6:56 PM
Reposted by Bas
The Dutch cybersecurity agency has released a script to detect webshells typically installed by attackers exploiting the CitrixBleed2 vulnerability in Citrix NetScaler appliances

github.com/NCSC-NL/citr...
GitHub - NCSC-NL/citrix-2025
github.com
July 27, 2025 at 2:18 PM
Detecting device code phishing attacks in Google Security Operations

bastradamus.com/detecting-de...
Detecting device code phishing in Google Security Operations
Creating a YARA-L detection rule for device code phishing attacks.
bastradamus.com
May 23, 2025 at 5:15 AM
Incident Response in Microsoft Entra ID (formerly Azure AD) bastradamus.com/incident-res...
Incident Response in Microsoft Entra ID (formerly Azure AD)
Compromised user account edition.
bastradamus.com
May 8, 2025 at 7:38 PM
Azure & Microsoft Entra ID token manipulation bastradamus.com/azure-entra-...
Azure & Entra ID token manipulation
Access tokens + Refresh tokens edition
bastradamus.com
March 31, 2025 at 5:32 PM
Reposted by Bas
It took just 3 hours:

RCE → Metasploit C2 → Anydesk for remote GUI-access → LockBit ransomware

Interestingly, we observed the threat actor using PDQ Deploy, a patch management tool.

Read the report here:
Confluence Exploit Leads to LockBit Ransomware
Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…
thedfirreport.com
February 24, 2025 at 3:25 PM
Reposted by Bas
1/ One of the techniques to detect infections, as laid out in my presentation and additional blog post "N-IOCs to Rule Them All" [1], is tracking lookups to Dynamic DNS (DynDNS) domains and providers.
February 28, 2025 at 7:27 AM
secops.wiki is live, it lets you search and filter community detection rules for Google SecOps (formerly known as Google Chronicle). Also has a YARA-L rule builder & some additional resources. Work in progress.
Google SecOps Detection Rule Wiki
Comprehensive collection of Google SecOps YARA-L detection rules for security operations.
secops.wiki
February 28, 2025 at 9:43 PM
Very much appreciate @techy.detectionengineering.net mentioning the 2 part series 🙏
* Bastradamus 2 part series on creating a detection engineering lab
* Manuel Arrieta masterclass on hunting in VTI for malicious LNK files to detection opportunities
* JPCERT/CC's Shusei Tomonaga on Windows ETW internals
February 28, 2025 at 9:25 PM
Rather recently, I finally found time to start writing security-focused blogs. I’ll try sharing content regularly, let’s start with my two-part series on creating a Detection Engineering testing environment:

1. medium.com/@bastradamus...

2. medium.com/@bastradamus...
How to create a Detection Engineering Lab — Part 1
Setting up a Lab lets you mimic real-world TTPs in a safe environment, making it easy to test, build and fine-tune detection logic.
medium.com
February 28, 2025 at 9:14 PM