KoifSec
koifsec.bsky.social
Detection engineer, also writing for https://detect.fyi.
Base64 Enjoyer. Clippy is a threat actor.
New post out! "Deconstructing Wmiexec-pro"

Technical deep dive into a new post-exploitation framework based on Impacket's wmiexec, including a bunch of new telemetry and detections. Check it out > koifsec.medium.com/deconstructi...
Deconstructing “Wmiexec-Pro”
I recently ran a Kali VM against a Windows test host and instrumented the target with Procmon and WMI/Windows logs to see how a new…
koifsec.medium.com
October 23, 2025 at 3:30 PM
Reposted by KoifSec
Seeing some secretsdump activity in the wild lately, and it’s tricky to catch because of all the false positives.

The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...

First event (4672)
Special privileges assigned to new logon:
October 22, 2025 at 4:36 AM
Reposted by KoifSec
Read the full article: kostas-ts.medium.com/detecting-ab...

Sigma PR: github.com/SigmaHQ/sigm...

I'd love to hear your thoughts:
• Have you encountered similar permissive trial access in other security platforms? We need to document things before it's too late.

Hope you enjoy reading the post!
Detecting Abuse of OpenEDR’s Permissive EDR Trial: A Security Researcher’s Perspective
1. Introduction
kostas-ts.medium.com
October 22, 2025 at 2:33 PM
Reposted by KoifSec
1/
In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1]

The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.
September 27, 2025 at 7:43 AM
Sharing the slides from our latest "2025 State of Detection Workshop"!
drive.google.com/file/d/18Q-E...
PDF.pdf
drive.google.com
August 22, 2025 at 1:47 PM
A rather interesting choice of technique to use a renamed legitimate schtasks. Quite easy to detect by writing a rule that searches for "/create " + "/tn " + "/sc " + "/tr "!
July 28, 2025 at 5:02 AM
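The rule idea in the post above, keying on the schtasks switches rather than on the image name, written out as an added example (not code from the original post). The event field names, the log format and the sample events are constructed for this example and loosely modelled on Sysmon process-creation fields; they are assumptions, not telemetry from the page.

```python
"""Flag scheduled-task creation by a renamed schtasks.exe.

Added example: the detection logic matches on the four switches that a
schtasks "create" command line carries, so a renamed copy of the binary
is still caught. Field names and sample events are constructed.
"""
from typing import Dict, List, Optional

# Switches present when schtasks creates a task with a trigger and an action.
# The trailing space keeps "/tr " from matching unrelated text such as "/trace".
SCHTASKS_CREATE_SWITCHES = ("/create ", "/tn ", "/sc ", "/tr ")

# Constructed process-creation events (assumed field names: Image, CommandLine).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /sc minute /mo 5 /tr "C:\Users\Public\u.exe"'},
    {"Image": r"C:\Users\Public\svchost.exe",  # constructed: a renamed copy of schtasks.exe
     "CommandLine": r'svchost.exe /Create /TN "Sync" /SC onlogon /TR "C:\Users\Public\s.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /query /tn Updater"},  # benign query, no create switches
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo /tr /sc"},  # only two of the four switches
]


def is_schtasks_create(command_line: str) -> bool:
    """True when every create-task switch appears, in any order, case-insensitively."""
    lowered = command_line.lower()
    return all(switch in lowered for switch in SCHTASKS_CREATE_SWITCHES)


def image_basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for the event, or None when it does not match."""
    if not is_schtasks_create(event["CommandLine"]):
        return None
    name = image_basename(event["Image"])
    if name == "schtasks.exe":
        return "schtasks_create"
    # The switches are there but the binary is not called schtasks.exe.
    return f"renamed_schtasks_create:{name}"


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a list of events and collect the findings."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append({"label": label, "CommandLine": event["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["label"], "<-", finding["CommandLine"])
```

On the constructed sample the rule fires twice: once on the genuine schtasks.exe and once on the renamed copy, while the query and the cmd.exe echo are left alone. In a production rule you would pair this with the PE original file name where the sensor exposes it, so a rename is surfaced even when an operator abbreviates or reorders the switches.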