Kostas
kostastsale.bsky.social
1.4K followers 130 following 340 posts
https://kostas.page | Opinions are mine only! 🇬🇷🇨🇦
Seeing some secretsdump activity in the wild lately, and it’s tricky to catch because of all the false positives.

The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...

First event (4672)
Special privileges assigned to new logon:

This is related to the remote SAM dump
→ SeBackupPrivilege ⇤ That SeBackupPrivilege is important; it tells you this session can read the SAM/SECURITY/SYSTEM hives.

Then you have the below flow of events in that order:
  • 5140 File Share Access – IPC$ connection
  • 4674 Sensitive Privilege Use – SC Manager with SeTakeOwnershipPrivilege
  • 7040 Service Modification – RemoteRegistry start type flipped to demand start (Start=3)
  • Sysmon 13 Registry Mod – Start=3 written
  • Sysmon 7 Image Load – svchost.exe loading regsvc.dll
  • Sysmon 13 Registry Mod (cleanup) – Start=4 (service re-disabled)

Enable, dump, disable. All within one second.

Now, detection-wise… yeah, this one hurts. Tons of noise.

A good start:
➡️ Detect the SeBackupPrivilege logon combined with RemoteRegistry Start=3 → Start=4 within a short window!

👉 The EDR Telemetry Project maps which vendors expose some of these event types:

✅ File share (File Open) activity – 5140
✅ Service modifications – 7040
✅ Registry writes – Sysmon 13
✅ Image loads – Sysmon 7

Check your vendor. If these aren’t surfaced or correlated, this will slide right past you!

➡️ Even better, use a correlation rule to chain the events together (priv logon → IPC$ → SCM op → service mod → registry write → cleanup).

When Sigma adds proper correlation support, we can make a clean shared rule for it.
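A minimal version of that "good start" rule, as an added example (not from the post, NetExec or the EDR Telemetry Project): it correlates a 4672 logon carrying SeBackupPrivilege with a Sysmon 13 write of Start=3 followed by Start=4 to the RemoteRegistry service key on the same host inside a short window, so an admin who enables the service and leaves it on does not alert. The event field names, host names, logon ID and timestamps are constructed; the "DWORD (0x00000003)" rendering is the form Sysmon uses in the Details field.

```python
from datetime import datetime, timedelta
REMOTE_REGISTRY_START = r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start"  # 3 = enabled, 4 = disabled
WINDOW = timedelta(seconds=30)  # "short window"; the post saw the whole chain inside one second

def _ts(event):
    return datetime.fromisoformat(event["time"])

def is_backup_priv_logon(event):
    # 4672 whose PrivilegeList includes SeBackupPrivilege: the session can read the SAM/SECURITY/SYSTEM hives
    return event["event_id"] == 4672 and "SeBackupPrivilege" in event.get("privileges", "")

def remote_registry_start_value(event):
    # For a Sysmon 13 write to RemoteRegistry\Start return the DWORD written; Sysmon renders "DWORD (0x00000003)"
    if event["event_id"] == 13 and event.get("target_object", "").lower() == REMOTE_REGISTRY_START.lower():
        return int(event["details"].split("0x")[1].rstrip(")"), 16)
    return None

def find_secretsdump_chains(events, window=WINDOW):
    # Same host: SeBackupPrivilege logon, then Start=3, then Start=4 (cleanup), all inside `window`
    events = sorted(events, key=_ts)
    hits = []
    for i, logon in enumerate(events):
        if not is_backup_priv_logon(logon):
            continue
        enabled = disabled = None
        for event in events[i + 1:]:
            if _ts(event) > _ts(logon) + window:
                break
            if event["host"] != logon["host"]:
                continue
            value = remote_registry_start_value(event)
            if value == 3 and enabled is None:
                enabled = event
            elif value == 4 and enabled is not None:
                disabled = event
                break
        if enabled and disabled:  # enable -> (dump) -> disable under one privileged logon: alert
            hits.append({"host": logon["host"], "logon_id": logon["logon_id"],
                         "enabled_at": enabled["time"], "disabled_at": disabled["time"]})
    return hits
def _sysmon13(host, time, dword):  # builds a constructed Sysmon 13 event writing RemoteRegistry\Start
    return {"host": host, "time": time, "event_id": 13, "target_object": REMOTE_REGISTRY_START,
            "details": f"DWORD (0x{dword:08x})"}
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"host": "DC01", "time": "2025-10-20T10:00:00.000", "event_id": 4672, "logon_id": "0x3E7A1",
     "privileges": "SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege"},
    _sysmon13("DC01", "2025-10-20T10:00:00.310", 3),  # RemoteRegistry enabled (demand start)
    _sysmon13("DC01", "2025-10-20T10:00:00.900", 4),  # cleanup: re-disabled
    _sysmon13("FS02", "2025-10-20T10:05:00.000", 3),  # admin maintenance: no priv logon, no cleanup
]
```

Feeding 5140, 4674, 7040 and Sysmon 7 events into the same loop and requiring them in order is the fuller chain the thread describes; the three-event core above is what cuts most of the noise.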
1/
Here we go again… F5 disclosed a serious intrusion by a sophisticated nation-state threat actor who gained long-term access and stole files from their development and knowledge systems. Likely potential source code and undisclosed, ready-to-exploit vulnerabilities.
my.f5.com

2/
Their disclosure is shocking… It’s full of corporate jargon while admitting some quite bad stuff and playing it cool, like the fact that they knew about it since August but only decided to tell their customers now 🤦‍♂️ No specifics on what was taken, the exact impact, etc.

3/
And don’t get me started on helping the industry with IOCs or any other technical details; they didn’t even put anything out until a day after their admission, and even that was only shared across external reports, partners, and locked support tickets.

With F5’s history of fumbles, this erodes confidence even more. My condolences to the orgs that are using them. Brace for the zero days that are coming your way… 😞

Their disclosure here: my.f5.com/manage/s/art...
Padvish EDR becomes the 21st addition to the EDR Telemetry Comparison 🔥

Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters.

Transparency like this helps move the whole industry forward.

Results: www.edr-telemetry.com/windows
Detection Stream Update: Two highly requested features just went live 🚀

1. Deep Links: share specific rules via #rule_id or full YAML
2. Download Rules: export all rules matching your filters (gzip)
3. Added "Create rules with AI" functionality for both Yara and Nova frameworks ... continue 👇

4. AI rules are generated using system prompts that I personally curated for creating high-quality rules and NOT AI slop.
5. AI generation will remain free at my own expense. Enjoy!

... continue 👇

You can now quickly reference a specific rule in discussions, share the rule with others, or download the rules you are filtering through the UI.

Check it out: detectionstream.com

Next up:

• Gamified Sigma Training (interactive learning)
• Sigma Attack Path Visualization (detection flow mapping)
They ate Portland’s national guard.
I’ve built this platform for myself to quickly search and create detection rules. Considering that we (the DE community) have amazing platforms like Sigconverter (sigconverter.io) and detection.fyi, would anyone find value in having FREE access to this all-in-one platform?

** The AI generation is happening on the client-side. You simply bring your own OpenRouter key, and you are responsible for billing etc.
** I have special prompts for minimizing AI-generated garbage/slop output.

I built this tool for myself. Shared a preview here a few days ago… and wow. Didn’t expect such a strong response. Thanks to everyone who reached out 🙏

Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
Feel free to comment below 👇

Sigma Playground ➡️ create or tweak a detection rule, load your JSON logs, and see detections fire. Perfect for understanding how Sigma works in practice.

Nova Playground ➡️ build AI-native detections, validate with prompts, and test adversarial scenarios. A new way to think about monitoring LLMs.

Although this is a free service for the community, there is a material cost to me. Because servers don’t run on coffee alone (like I do), if this helped you, consider buying me one here: buymeacoffee.com/kostas.t . Every bit helps to keep the lights on, and please add a note to say how it helped you!

If this helped you, consider buying me one here: buymeacoffee.com/kostas.t . Every bit keeps the lights on.

• Check it out here: detectionstream.com
• Get your OpenRouter Key by registering here: openrouter.ai
The EDR Telemetry Project revealed what EDRs can see.

➛ Now, we show how they compare.

Coming soon!
As long as Tara keeps exploring, I’ll watch! Lol
Omg this is the perfect music over! 😂

I’ve got no idea who Tara is but she’s exploring alright 😆 From CB to Striker in one breath lol 👏