toot.wales is one of the many independent Mastodon servers you can use to participate in the fediverse.
We are the Mastodon social network for Wales and the Welsh, at home and abroad! Y rhwydwaith cymdeithasol annibynnol i Gymru, wedi'i bweru gan Mastodon!

Administered by:

Server stats:

680
active users

#blueteam

5 posts5 participants0 posts today

Day 1 of posting to social media until I get an offensive security research job

First, I’m going to start with what I know – Windows. I need to recreate what I had access to at Microsoft, so that starts by setting up a dev environment and finding a copy of Windows System Internals, perhaps the greatest resource for learning Windows out there. My expertise is in Windows and virtualization, so I’m going to make sure I master those areas.

Next, I don’t think I want to grind coding exercises, but I do need to shake the rust off my coding skills. I think I’m going to start with some HackTheBox challenges and find some CTFs to participate in.

Finally, my long overdue goal: learn Rust. I’m not sure if this will help immediately, as I could choose to improve my knowledge of Python. But Rust was getting more and more popular in the areas of Windows I was tasked with protecting, so I need to learn what all the fuss is about with regards to memory safety.

If anyone is on a similar journey, let’s hold each other accountable in the comments! I will be sure to document any write-ups at blog.maxrenke.com (work in progress).

Mini Digital Forensic Diaries story: got sent to a university in London to investigate a case where a student, who bragged of hacker prowess openly, was suspected of introducing malware to a machine and stealing a lecturers password.

“We don’t know how, but we know they logged into the account, and sent emails - and this is the only machine the lecturer uses,” came the brief.

Imaged the machine suspected of being targeted.

While giving the lecturer their laptop back post imaging I observed, via projector, the lecturer entering in their password to the username field on the login screen.

“Whoops, I’m always doing that - at least this time it wasn’t in front of the students,” they said.

Sure enough, there was no evidence of anything untoward on the laptop, but I had a good theory as to what may have occurred.

Check out more, less mini, stories like this at infosecdiaries.com.

Infosec DiariesInfosec DiariesLearn Pen Testing, Blue Teaming and Digital Forensics

New Open-Source Tool Spotlight 🚨🚨🚨

Living Off the Land (LOL) techniques exploit legitimate tools for malicious purposes. This GitHub repo curates an impressive list of methods and resources attackers use across endpoints, cloud services, and more. Great for defenders seeking to enhance detection strategies. #Cybersecurity #Infosec

🔗 Project link on #GitHub 👉 github.com/danzek/awesome-lol-

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

New Open-Source Tool Spotlight 🚨🚨🚨

CVEMap by ProjectDiscovery simplifies vulnerability intelligence with a CLI tool that maps CVEs to EPSS, KEV, CPE, GitHub PoCs, and more. Customizable filters, JSON output, and integration-ready. Requires Go 1.21. #cybersecurity #opensource

🔗 Project link on #GitHub 👉 github.com/projectdiscovery/cv

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

"Analysis of command-line activity reveals the threat actor’s use of specific PowerShell cmdlets for discovering and interacting with virtual machines. They initiated powershell.exe with the -ExecutionPolicy Bypass flag to execute sequences such as Get-VM for VM enumeration, followed by Get-VHD to identify associated virtual disk files.

The pipeline further extended to Get-DiskImage -ImagePath $_.Path and Dismount-DiskImage, suggesting a process of accessing and then unlinking VHD contents. Commands to halt virtual machine operations (Get-VM | Stop-VM) were also noted as."

Report: thedfirreport.com/2025/05/19/a

Interested in receiving private reports similar to this report? Contact us for pricing - thedfirreport.com/contact/

#cti#dfir#BlueTeam

New Open-Source Tool Spotlight 🚨🚨🚨

Loading PowerShell scripts from C# while bypassing AMSI, ETW, and logging? Meet Stracciatella. Think SharpPick but designed for evasion—with Constrained Language Mode & defenses disabled on startup using .NET runspaces. Intricate yet efficient. #CSharp #RedTeam

🔗 Project link on #GitHub 👉 github.com/mgeeky/Stracciatella

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

The Extended Vulnerability Community is a Discord where a number of people from all walks of the vulnerability life have gathered together to share information, resources, and provide guidance to one another.

Come join us if you are involved in discovery, reporting, triaging, managing, remediating, or fighting the vulnerability life!

discord.gg/gSCrXxMuPx

DiscordJoin the Extended Vulnerability Community Discord Server!Check out the Extended Vulnerability Community community on Discord - hang out with 712 other members and enjoy free voice and text chat.

What happens when a single Go module can wipe your entire Linux system? 🧨💻

Researchers have uncovered three malicious Go packages that, once installed, can render a Linux machine completely unbootable. These modules—`prototransform`, `go-mcp`, and `tlsproxy`—were hosted on GitHub and disguised as legitimate open-source tools. What sets them apart isn’t just the malware, but how it’s delivered: hidden in obfuscated code that quietly checks if the OS is Linux, then downloads a shell script using `wget`. That script doesn’t just corrupt the system—it zeroes out `/dev/sda`, the primary disk, erasing all data beyond recovery.

These aren't isolated incidents. A parallel wave of threats has hit JavaScript and Python ecosystems too. Several npm packages—such as `crypto-encrypt-ts` and `userbridge-paypal`—were found stealing cryptocurrency wallet seed phrases and exfiltrating private keys. Meanwhile, other PyPI packages like `web3x` and `herewalletbot` targeted similar data and have already been downloaded over 6,800 times.

More concerning, another group of seven PyPI packages communicated through Gmail’s SMTP servers and WebSockets to exfiltrate data and enable remote command execution. Using hardcoded Gmail credentials, they sent success notifications back to attackers and opened persistent channels for control. Since Gmail traffic often bypasses scrutiny from corporate firewalls and endpoint protection systems, these packages operated with minimal detection.

The recurring theme here is trust—developers importing open-source packages assume some degree of safety if a library has been around or appears well-maintained. But attackers are exploiting that assumption, embedding silent functionality behind familiar names and benign-looking codebases.

Defensive practices matter. Teams should scrutinize dependency trees, validate GitHub sources, monitor for unusual outbound connections—including SMTP—and treat every third-party library as a potential threat vector, regardless of its age or download count. Ignoring this risk is no longer viable.

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

Heard of bulletproof hosting? This refers to service providers who will host any and all kinds of malicious content. You don't want to see any traffic to or from these service providers. One of the worst (and most documented) is Proton66. I highly recommend you block all of their IP address ranges.

Their IP ranges are available here:
ipinfo.io/AS198953

An article about some of their malicious hosted content courtesy of @DomainTools is available here:
dti.domaintools.com/proton66-w

ipinfo.ioAS198953 Proton66 OOO details - IPinfo.ioAS198953 autonomous system information: WHOIS details, hosted domains, peers, upstreams, downstreams, and more