Kostas
@kostastsale.bsky.social
Running ➡ http://defendpoint.ca | http://edr-telemetry.com | https://edr-comparison.com/ | http://detectionstream.com | 🇬🇷🇨🇦
As I was looking for malware (like you do on a quiet Friday afternoon 😂) I found a classic fake “your system is infected” page. After the fake scan, the Renew Now button goes straight to Avast through an affiliate link🤣🤣
TAs doing a 180, selling AV to get their commission LOL
TAs doing a 180, selling AV to get their commission LOL
November 14, 2025 at 8:40 PM
As I was looking for malware (like you do on a quiet Friday afternoon 😂) I found a classic fake “your system is infected” page. After the fake scan, the Renew Now button goes straight to Avast through an affiliate link🤣🤣
TAs doing a 180, selling AV to get their commission LOL
TAs doing a 180, selling AV to get their commission LOL
Just in: DoorDash breached…
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
November 13, 2025 at 9:22 PM
Just in: DoorDash breached…
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”
Next paragraph:
“No sensitive information was accessed”
🤦♂️
This was us today, this is what I'm talking about. He always has to stop and wait for me to catchup 😂
November 10, 2025 at 12:09 AM
This was us today, this is what I'm talking about. He always has to stop and wait for me to catchup 😂
🍁🍂 Winter rides are 🔥
November 9, 2025 at 12:31 AM
🍁🍂 Winter rides are 🔥
It’s been just 1 week since launch and 150+ people have registered, shared feedback & competed on the leaderboard! Huge motivation to keep building 💪
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
November 8, 2025 at 6:50 PM
It’s been just 1 week since launch and 150+ people have registered, shared feedback & competed on the leaderboard! Huge motivation to keep building 💪
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
More challenges next week and with a FREE training module coming up!!
Appreciate the support!!🙏
🔗detectionstream.com/sigma/training/gamified
Linux is finally getting some love 🐧
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
November 6, 2025 at 10:18 PM
Linux is finally getting some love 🐧
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.
In our testing, we only use system-level operations and ignore indirect events.
Details edr-telemetry.com/linux
This is the coolest coin I’ve ever received. Huge props to @Defcon604 for everything they do for the Vancouver community. Was awesome presenting to a packed room of 50+ folks, great energy and engagement all around. 🔥
November 4, 2025 at 7:43 PM
This is the coolest coin I’ve ever received. Huge props to @Defcon604 for everything they do for the Vancouver community. Was awesome presenting to a packed room of 50+ folks, great energy and engagement all around. 🔥
📢DetectionStream quick update.
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
November 1, 2025 at 12:32 AM
📢DetectionStream quick update.
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away.
Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
A normal InfoSec Friday be like... 😂
November 1, 2025 at 12:01 AM
A normal InfoSec Friday be like... 😂
𝗣𝗮𝗱𝘃𝗶𝘀𝗵 𝗘𝗗𝗥 𝗯𝗲𝗰𝗼𝗺𝗲𝘀 𝘁𝗵𝗲 21𝘀𝘁 𝗮𝗱𝗱𝗶𝘁𝗶𝗼𝗻 𝘁𝗼 𝘁𝗵𝗲 𝗘𝗗𝗥 𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 🔥
Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters.
𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆 like this helps move the whole industry forward.
Results: www.edr-telemetry.com/windows
Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters.
𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆 like this helps move the whole industry forward.
Results: www.edr-telemetry.com/windows
October 15, 2025 at 2:31 PM
𝗣𝗮𝗱𝘃𝗶𝘀𝗵 𝗘𝗗𝗥 𝗯𝗲𝗰𝗼𝗺𝗲𝘀 𝘁𝗵𝗲 21𝘀𝘁 𝗮𝗱𝗱𝗶𝘁𝗶𝗼𝗻 𝘁𝗼 𝘁𝗵𝗲 𝗘𝗗𝗥 𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 🔥
Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters.
𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆 like this helps move the whole industry forward.
Results: www.edr-telemetry.com/windows
Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters.
𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆 like this helps move the whole industry forward.
Results: www.edr-telemetry.com/windows
𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗦𝘁𝗿𝗲𝗮𝗺 𝗨𝗽𝗱𝗮𝘁𝗲: Two highly requested features just went live 🚀
1. 𝗗𝗲𝗲𝗽 𝗟𝗶𝗻𝗸𝘀: share specific rules via hashtag#rule_id or full YAML
2. 𝗗𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝗥𝘂𝗹𝗲𝘀: export all rules matching your filters (gzip)
3. 𝗔𝗱𝗱𝗲𝗱 "𝘊𝘳𝘦𝘢𝘵𝘦 𝘳𝘶𝘭𝘦𝘴 𝘸𝘪𝘵𝘩 𝘈𝘐" functionality for both 𝗬𝗮𝗿𝗮 and 𝗡𝗼𝘃𝗮 frameworks ... continue👇
1. 𝗗𝗲𝗲𝗽 𝗟𝗶𝗻𝗸𝘀: share specific rules via hashtag#rule_id or full YAML
2. 𝗗𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝗥𝘂𝗹𝗲𝘀: export all rules matching your filters (gzip)
3. 𝗔𝗱𝗱𝗲𝗱 "𝘊𝘳𝘦𝘢𝘵𝘦 𝘳𝘶𝘭𝘦𝘴 𝘸𝘪𝘵𝘩 𝘈𝘐" functionality for both 𝗬𝗮𝗿𝗮 and 𝗡𝗼𝘃𝗮 frameworks ... continue👇
October 14, 2025 at 6:54 PM
𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗦𝘁𝗿𝗲𝗮𝗺 𝗨𝗽𝗱𝗮𝘁𝗲: Two highly requested features just went live 🚀
1. 𝗗𝗲𝗲𝗽 𝗟𝗶𝗻𝗸𝘀: share specific rules via hashtag#rule_id or full YAML
2. 𝗗𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝗥𝘂𝗹𝗲𝘀: export all rules matching your filters (gzip)
3. 𝗔𝗱𝗱𝗲𝗱 "𝘊𝘳𝘦𝘢𝘵𝘦 𝘳𝘶𝘭𝘦𝘴 𝘸𝘪𝘵𝘩 𝘈𝘐" functionality for both 𝗬𝗮𝗿𝗮 and 𝗡𝗼𝘃𝗮 frameworks ... continue👇
1. 𝗗𝗲𝗲𝗽 𝗟𝗶𝗻𝗸𝘀: share specific rules via hashtag#rule_id or full YAML
2. 𝗗𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝗥𝘂𝗹𝗲𝘀: export all rules matching your filters (gzip)
3. 𝗔𝗱𝗱𝗲𝗱 "𝘊𝘳𝘦𝘢𝘵𝘦 𝘳𝘶𝘭𝘦𝘴 𝘸𝘪𝘵𝘩 𝘈𝘐" functionality for both 𝗬𝗮𝗿𝗮 and 𝗡𝗼𝘃𝗮 frameworks ... continue👇
I built this tool for myself. Shared a preview here a few days ago… and wow. Didn’t expect such a strong response. Thanks everyone who reached out 🙏
Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
September 30, 2025 at 2:31 PM
I built this tool for myself. Shared a preview here a few days ago… and wow. Didn’t expect such a strong response. Thanks everyone who reached out 🙏
Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
I've built this platform for myself to quickly search and create detection rules. Considering that we(the DE community) have amazing platforms like Sigconverter (sigconverter.io ) and (detection fyi) detection.fyi, would anyone find value in having FREE access to this all-in-one platform?
September 27, 2025 at 12:55 AM
I've built this platform for myself to quickly search and create detection rules. Considering that we(the DE community) have amazing platforms like Sigconverter (sigconverter.io ) and (detection fyi) detection.fyi, would anyone find value in having FREE access to this all-in-one platform?
The EDR Telemetry Project revealed what EDRs can see.
➛ Now, we show how they compare.
Coming soon!
➛ Now, we show how they compare.
Coming soon!
September 25, 2025 at 5:17 PM
The EDR Telemetry Project revealed what EDRs can see.
➛ Now, we show how they compare.
Coming soon!
➛ Now, we show how they compare.
Coming soon!
There is still time to register: dfirlabs.thedfirreport.com/dfirchallenge
September 23, 2025 at 6:23 PM
There is still time to register: dfirlabs.thedfirreport.com/dfirchallenge
🆕 𝐄𝐃𝐑-𝐭𝐞𝐥𝐞𝐦𝐞𝐭𝐫𝐲 𝐏𝐫𝐨𝐣𝐞𝐜𝐭 𝐔𝐩𝐝𝐚𝐭𝐞 - 𝐖𝐢𝐧𝐝𝐨𝐰𝐬
The Windows table just got an update with 3 new sub-categories:
➡️ VSS Deletion
➡️ Win32 API Telemetry
➡️ JA3/JA3s
Coverage isn’t uniform, and some are pending response from the vendors. That’s fine. I’d rather show the uncertainty than pretend otherwise.
The Windows table just got an update with 3 new sub-categories:
➡️ VSS Deletion
➡️ Win32 API Telemetry
➡️ JA3/JA3s
Coverage isn’t uniform, and some are pending response from the vendors. That’s fine. I’d rather show the uncertainty than pretend otherwise.
September 17, 2025 at 2:31 PM
🆕 𝐄𝐃𝐑-𝐭𝐞𝐥𝐞𝐦𝐞𝐭𝐫𝐲 𝐏𝐫𝐨𝐣𝐞𝐜𝐭 𝐔𝐩𝐝𝐚𝐭𝐞 - 𝐖𝐢𝐧𝐝𝐨𝐰𝐬
The Windows table just got an update with 3 new sub-categories:
➡️ VSS Deletion
➡️ Win32 API Telemetry
➡️ JA3/JA3s
Coverage isn’t uniform, and some are pending response from the vendors. That’s fine. I’d rather show the uncertainty than pretend otherwise.
The Windows table just got an update with 3 new sub-categories:
➡️ VSS Deletion
➡️ Win32 API Telemetry
➡️ JA3/JA3s
Coverage isn’t uniform, and some are pending response from the vendors. That’s fine. I’d rather show the uncertainty than pretend otherwise.
Every pixel of this graphic is a lie. It insults the people actually fighting threats daily and rewards the companies that can’t even catch a cold. Absolute cancer for the industry… Pay up or get shoved in the ‘loser’ box. Embarrassing trash.
September 5, 2025 at 3:24 PM
Every pixel of this graphic is a lie. It insults the people actually fighting threats daily and rewards the companies that can’t even catch a cold. Absolute cancer for the industry… Pay up or get shoved in the ‘loser’ box. Embarrassing trash.
Creating Images for our next DFIR Labs has never been easier thanks to Google Gemini 😂
New Lab is dropping 🔜
New Lab is dropping 🔜
August 29, 2025 at 10:45 PM
Creating Images for our next DFIR Labs has never been easier thanks to Google Gemini 😂
New Lab is dropping 🔜
New Lab is dropping 🔜
Here is a cool Linux technique: www.trellix.com/blogs/resear...
Execution isn’t coming from a binary or a script. It’s coming from the filename itself.
𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀:
➡️ Attacker crafts a malicious filename with embedded logic.
➡️ Normal system enumeration commands (ls, cat, find) interact
Execution isn’t coming from a binary or a script. It’s coming from the filename itself.
𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀:
➡️ Attacker crafts a malicious filename with embedded logic.
➡️ Normal system enumeration commands (ls, cat, find) interact
August 26, 2025 at 2:31 PM
Here is a cool Linux technique: www.trellix.com/blogs/resear...
Execution isn’t coming from a binary or a script. It’s coming from the filename itself.
𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀:
➡️ Attacker crafts a malicious filename with embedded logic.
➡️ Normal system enumeration commands (ls, cat, find) interact
Execution isn’t coming from a binary or a script. It’s coming from the filename itself.
𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀:
➡️ Attacker crafts a malicious filename with embedded logic.
➡️ Normal system enumeration commands (ls, cat, find) interact
Imagine burning billions in AI, Copilot this and Copilot that...
But somehow, indexing Group Policy settings and adding a damn search box has been out of scope since Windows 2000...pfff
But somehow, indexing Group Policy settings and adding a damn search box has been out of scope since Windows 2000...pfff
August 22, 2025 at 2:30 PM
Imagine burning billions in AI, Copilot this and Copilot that...
But somehow, indexing Group Policy settings and adding a damn search box has been out of scope since Windows 2000...pfff
But somehow, indexing Group Policy settings and adding a damn search box has been out of scope since Windows 2000...pfff
🎉 𝐀𝐧𝐨𝐭𝐡𝐞𝐫 𝐬𝐮𝐜𝐜𝐞𝐬𝐬 𝐬𝐭𝐨𝐫𝐲 𝐟𝐫𝐨𝐦 𝐭𝐡𝐞 𝐃𝐅𝐈𝐑 𝐑𝐞𝐩𝐨𝐫𝐭 𝐋𝐚𝐛𝐬
One of our users just crushed the HTB CDSA exam after using DFIR Labs as final prep. They’d already gone through Sherlocks, BTLO, and CyberDefenders, but called our lab the closest to the exam environment.... 👇
One of our users just crushed the HTB CDSA exam after using DFIR Labs as final prep. They’d already gone through Sherlocks, BTLO, and CyberDefenders, but called our lab the closest to the exam environment.... 👇
July 7, 2025 at 10:45 PM
🎉 𝐀𝐧𝐨𝐭𝐡𝐞𝐫 𝐬𝐮𝐜𝐜𝐞𝐬𝐬 𝐬𝐭𝐨𝐫𝐲 𝐟𝐫𝐨𝐦 𝐭𝐡𝐞 𝐃𝐅𝐈𝐑 𝐑𝐞𝐩𝐨𝐫𝐭 𝐋𝐚𝐛𝐬
One of our users just crushed the HTB CDSA exam after using DFIR Labs as final prep. They’d already gone through Sherlocks, BTLO, and CyberDefenders, but called our lab the closest to the exam environment.... 👇
One of our users just crushed the HTB CDSA exam after using DFIR Labs as final prep. They’d already gone through Sherlocks, BTLO, and CyberDefenders, but called our lab the closest to the exam environment.... 👇
𝗔𝗜 𝘀𝗹𝗼𝗽, 𝗺𝗲𝗲𝘁 𝘁𝗵𝗲 𝘄𝗼𝗿𝗹𝗱 - 𝗪𝗼𝗿𝗹𝗱, 𝗺𝗲𝗲𝘁 𝘁𝗵𝗲 𝗔𝗜 𝘀𝗹𝗼𝗽!
Auto-generated doesn’t have to mean auto-garbage folks, PLEASE don't use rules like this PLEASE 🫠
Auto-generated doesn’t have to mean auto-garbage folks, PLEASE don't use rules like this PLEASE 🫠
June 26, 2025 at 7:34 PM
𝗔𝗜 𝘀𝗹𝗼𝗽, 𝗺𝗲𝗲𝘁 𝘁𝗵𝗲 𝘄𝗼𝗿𝗹𝗱 - 𝗪𝗼𝗿𝗹𝗱, 𝗺𝗲𝗲𝘁 𝘁𝗵𝗲 𝗔𝗜 𝘀𝗹𝗼𝗽!
Auto-generated doesn’t have to mean auto-garbage folks, PLEASE don't use rules like this PLEASE 🫠
Auto-generated doesn’t have to mean auto-garbage folks, PLEASE don't use rules like this PLEASE 🫠
Street legal. Leash optional. Both looking handsome AF 😅
June 25, 2025 at 2:47 AM
Street legal. Leash optional. Both looking handsome AF 😅