Ayush Anand @Securityinbits
Detection engineering, threat hunting, malware analysis. One defender bit at a time. securityinbits.substack.com/subscribe Join for free →
Joined September 2015
Tweets 639 · Followers 2K · Following 323 · Likes 943
Working an AnyDesk case? One line in connection_trace.txt decides whether it's persistence or a phishing victim.
- Passwd / Token = unattended access. Attacker set a password to come back. (Fog, Akira)
- User = someone clicked Accept. Social-engineered.
Same operator, same tool. Two incidents, two remediations. Check the approval type first. 🔎
@Kostastsale Yes, during testing it caught my operator's Azure public IP. Will share my findings soon on X. Thank you! 😊
Yeah, I am still researching this, found a few more interesting things. Let me collect all of them, then I will create a PR for LOLRMM. This is new for me: AnyDesk tries a direct P2P punch first (port 7070). The blocked attempt logs the operator's real IP as ConnectionFailed in DeviceNetworkEvents. I saw my Azure VM IP (operator) logged in this table. This will be helpful if we don't have the host forensic artifacts.
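Two triage helpers for the AnyDesk points in this thread, written as an added example (not code from the thread or from AnyDesk/LOLRMM): the first labels each incoming session in connection_trace.txt by approval type (Passwd/Token = unattended access, User = someone clicked Accept), the second pulls the remote IPs of AnyDesk's failed direct P2P attempts on port 7070 out of DeviceNetworkEvents-style rows. The tab-separated column layout assumed for connection_trace.txt (direction, timestamp, approval type, remote ID, alias), the row field names and all sample data are assumptions constructed for the example; check them against a trace file and telemetry from your own case.

```python
"""Added example: AnyDesk approval-type triage plus failed-P2P IP extraction.

ASSUMPTIONS: connection_trace.txt column layout (direction, timestamp,
approval type, remote ID, alias, tab-separated) and the DeviceNetworkEvents
field names are assumed; every sample below is constructed, not real case data.
"""
from collections import Counter

# Constructed connection_trace.txt content (layout assumed, see docstring).
SAMPLE_TRACE = """\
Incoming\t2024-01-15, 09:12\tUser\t123456789\t123456789
Incoming\t2024-01-15, 21:40\tPasswd\t987654321\t987654321
Incoming\t2024-01-16, 02:05\tToken\t987654321\t987654321
Incoming\t2024-01-16, 10:30\tREJECTED\t555555555\t555555555
"""

# Per the thread: a stored password or token means the operator can come back.
UNATTENDED = {"Passwd", "Token"}


def classify_connection_trace(text):
    """Return one dict per incoming session with a 'verdict' field.

    Passwd/Token -> 'unattended'  (password set, persistence)
    User         -> 'interactive' (a person on the host clicked Accept)
    anything else (e.g. REJECTED) -> 'other'
    """
    sessions = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or parts[0] != "Incoming":
            continue
        _direction, when, approval, remote_id = parts[:4]
        if approval in UNATTENDED:
            verdict = "unattended"
        elif approval == "User":
            verdict = "interactive"
        else:
            verdict = "other"
        sessions.append({"time": when, "approval": approval,
                         "remote_id": remote_id, "verdict": verdict})
    return sessions


def remediation_hint(sessions):
    """Collapse the per-session verdicts into the remediation the thread contrasts.

    Unattended access wins if both are present: the stored password is the
    part that survives a reboot, so it has to be dealt with either way.
    """
    verdicts = Counter(s["verdict"] for s in sessions)
    if verdicts["unattended"]:
        return "persistence: remove the unattended-access password, check for a re-entry"
    if verdicts["interactive"]:
        return "social engineering: user accepted the session, rebuild the phishing timeline"
    return "no accepted incoming sessions"


# Constructed DeviceNetworkEvents-like rows (field names assumed).
SAMPLE_NET_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "AnyDesk.exe",
     "ActionType": "ConnectionFailed", "RemoteIP": "203.0.113.45", "RemotePort": 7070},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "AnyDesk.exe",
     "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.10", "RemotePort": 443},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "chrome.exe",
     "ActionType": "ConnectionFailed", "RemoteIP": "192.0.2.9", "RemotePort": 7070},
]


def failed_p2p_attempts(events, port=7070):
    """Remote IPs that AnyDesk tried to reach directly on `port` and failed.

    The thread notes the blocked direct P2P punch is logged as ConnectionFailed
    and carries the operator's real IP, so these are leads even without host
    artifacts. Filtering on the process name keeps other software's failures
    to the same port out of the list.
    """
    return sorted({
        e["RemoteIP"] for e in events
        if e["InitiatingProcessFileName"].lower() == "anydesk.exe"
        and e["ActionType"] == "ConnectionFailed"
        and e["RemotePort"] == port
    })


if __name__ == "__main__":
    found = classify_connection_trace(SAMPLE_TRACE)
    for s in found:
        print(s)
    print(remediation_hint(found))
    print("candidate operator IPs:", failed_p2p_attempts(SAMPLE_NET_EVENTS))
```

Run it against a real trace by replacing SAMPLE_TRACE with the file contents; if the columns in your copy differ from the assumed layout, adjust the `parts[:4]` unpacking before trusting the verdicts.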
@Kostastsale Sure, will do it. I saw the LOLRMM, quite good and detailed for AnyDesk.
@SwiftOnSecurity Appreciate it 🙂 more AnyDesk forensics on the way.
Three ssh.exe -R reverse tunnels in MDE. Same binary, three different shapes.
1️⃣ -R 9090:127.0.0.1:8080: 1 IP, 1 port, 1 success, 0 failures. A fixed forward to one service.
2️⃣ -R 8888: 1 IP, 1 port, 1 success, 1 failure. SOCKS, but pointed at known hosts.
3️⃣ -R *:10400: 250 IPs, 5 ports, 6 successes, 296 failures. SOCKS proxying a subnet sweep.
The scanner never touches the command line. The IP and failure counts give it away.
One host touching 50+ internal IPs across 5+ ports in under 5 minutes is not “normal admin activity.” That is how ransomware operators map your network before encryption. 👀 The best part? This detection still works when the tool is renamed, packed, or stripped of metadata. Fully tool-agnostic.
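The two tweets above describe the same telemetry from two angles: per ssh.exe process, the distinct IP / port / success / failure counts reveal the tunnel's shape, and per host, 50+ internal IPs across 5+ ports inside 5 minutes is a sweep regardless of which binary did it. This added example (not the author's hunt queries, and not MDE's own code) computes both over constructed DeviceNetworkEvents-style rows; the field names, the sample rows and the triage thresholds in `classify_shape` are assumptions for the example, with the sweep thresholds taken from the tweet.

```python
"""Added example: tunnel shape per process and tool-agnostic sweep detection.

ASSUMPTIONS: DeviceNetworkEvents field names, the sample rows and the
classify_shape thresholds are constructed for this example; map them to your
own schema. Sweep thresholds (50 IPs, 5 ports, 5 minutes) come from the tweet.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 10, 0, 0)  # constructed start time for the sample


def _row(device, pid, cmd, ip, port, ok, offset_s):
    """One constructed network-event row (field names assumed)."""
    return {"DeviceName": device, "InitiatingProcessId": pid,
            "InitiatingProcessCommandLine": cmd, "RemoteIP": ip, "RemotePort": port,
            "ActionType": "ConnectionSuccess" if ok else "ConnectionFailed",
            "Timestamp": BASE + timedelta(seconds=offset_s)}


def build_sample_events():
    """Three ssh.exe tunnels mirroring the three shapes in the tweet (scaled down)."""
    ev = []
    # Shape 1 on ws01: fixed forward to one service -> 1 IP, 1 port, 1 success.
    ev.append(_row("ws01", 101, "ssh.exe -R 9090:127.0.0.1:8080 u@203.0.113.5",
                   "127.0.0.1", 8080, True, 0))
    # Shape 2 on ws01: SOCKS pointed at a known host -> 1 IP, 1 port, 1 success, 1 failure.
    ev.append(_row("ws01", 102, "ssh.exe -NR 8888 u@203.0.113.5", "10.0.0.30", 445, True, 10))
    ev.append(_row("ws01", 102, "ssh.exe -NR 8888 u@203.0.113.5", "10.0.0.30", 445, False, 12))
    # Shape 3 on ws02: SOCKS proxying a subnet sweep -> many IPs, 5 ports, mostly failures.
    ports = [445, 3389, 22, 80, 443]
    for i in range(60):
        ev.append(_row("ws02", 103, "ssh.exe -fNTR *:10400 u@203.0.113.5",
                       f"10.0.1.{i + 1}", ports[i % 5], i % 10 == 0, 100 + i * 2))
    return ev


def tunnel_shape(events, pid):
    """Per-process summary: distinct IPs, distinct ports, successes, failures."""
    mine = [e for e in events if e["InitiatingProcessId"] == pid]
    return {
        "ips": len({e["RemoteIP"] for e in mine}),
        "ports": len({e["RemotePort"] for e in mine}),
        "successes": sum(e["ActionType"] == "ConnectionSuccess" for e in mine),
        "failures": sum(e["ActionType"] == "ConnectionFailed" for e in mine),
    }


def classify_shape(shape):
    """Triage label from the counts alone (thresholds assumed for the example)."""
    if shape["ips"] >= 50 and shape["failures"] > shape["successes"]:
        return "proxied sweep"
    if shape["ips"] <= 2 and shape["failures"] <= 1:
        return "forward to known host"
    return "review"


def sweep_alerts(events, min_ips=50, min_ports=5, window=timedelta(minutes=5)):
    """Per device, does any `window` contain >= min_ips distinct internal IPs
    across >= min_ports ports? Only network rows are counted, so renaming or
    packing the scanner changes nothing. One alert per device is returned."""
    by_device = defaultdict(list)
    for e in events:
        if ipaddress.ip_address(e["RemoteIP"]).is_private:  # internal targets only
            by_device[e["DeviceName"]].append(e)
    alerts = []
    for device, rows in by_device.items():
        rows.sort(key=lambda e: e["Timestamp"])
        left = 0
        for right, e in enumerate(rows):
            while e["Timestamp"] - rows[left]["Timestamp"] > window:
                left += 1  # slide the window start forward
            chunk = rows[left:right + 1]
            ips = {x["RemoteIP"] for x in chunk}
            ports = {x["RemotePort"] for x in chunk}
            if len(ips) >= min_ips and len(ports) >= min_ports:
                alerts.append({"device": device, "start": rows[left]["Timestamp"],
                               "end": e["Timestamp"], "ips": len(ips), "ports": len(ports)})
                break
    return alerts


if __name__ == "__main__":
    ev = build_sample_events()
    for pid in (101, 102, 103):
        shape = tunnel_shape(ev, pid)
        print(pid, shape, classify_shape(shape))
    print(sweep_alerts(ev))
```

The per-host rule fires on ws02 without reading a single command line, which is the point of the second tweet; the per-process counts are what separate a benign fixed forward from a proxied sweep once you do look at ssh.exe. Whether a matching host is a legitimate IT scanner still needs the context a later reply mentions (user, source of the scanner), so treat the alert as a hunt lead rather than a verdict.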
@rob_OSINT True, for a legit IT scanner we need more context, e.g. user ID, source scanner info and others, to understand if it's legit or not.
@Kostastsale I'm interested and happy to partner. I'm also working on similar things to generate telemetry, but currently it's all local and I'm playing both attacker and defender to generate it :) Hopefully I'll get time to push my lab to the cloud so I can collect real telemetry.
@max_deboosted Nice, thank you for verifying.
Your SSH tunnel detection probably has a gap. Hunting ssh.exe -R for reverse port forwarding? A contains "-R" filter misses the variants attackers use to background the tunnel: -NR, -fNR, -fNTR. Use regex \s-\w*R instead. It catches the -R inside all of them. Sigma rule: Port Forwarding Activity Via SSH.EXE 👇
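Why the substring filter has the gap, and what the tweet's regex `\s-\w*R` does about it, as an added example (not the Sigma rule and not the author's queries) run over constructed ssh.exe command lines; the hosts, ports and the sample list are assumptions made for the example.

```python
"""Added example: 'contains "-R"' versus the regex \\s-\\w*R for ssh reverse tunnels.

The command lines below are constructed; hosts and ports are placeholders.
"""
import re

# Regex from the tweet: whitespace, a dash, any bundled flag letters, then R.
REVERSE_FORWARD = re.compile(r"\s-\w*R")


def naive_match(cmdline):
    """The 'contains -R' filter: true only when the literal "-R" appears."""
    return "-R" in cmdline


def regex_match(cmdline):
    """Catches -R, -NR, -fNR, -fNTR and any other bundle that includes R."""
    return REVERSE_FORWARD.search(cmdline) is not None


def flag_bundle(cmdline):
    """Return the flag group the regex matched (e.g. 'fNTR') for analyst context."""
    m = re.search(r"\s-(\w*R)", cmdline)
    return m.group(1) if m else None


# Constructed command lines -> whether each really opens a reverse forward.
SAMPLES = {
    "ssh.exe -R 9090:127.0.0.1:8080 user@203.0.113.5": True,
    "ssh.exe -NR 8888 user@203.0.113.5": True,      # -N: no remote command
    "ssh.exe -fNR 8888 user@203.0.113.5": True,     # -f: go to background
    "ssh.exe -fNTR *:10400 user@203.0.113.5": True,  # -T: no pty
    "ssh.exe -L 8080:127.0.0.1:80 user@203.0.113.5": False,  # local forward
    "ssh.exe -i C:\\keys\\id_rsa user@203.0.113.5": False,
    "ssh.exe user@203.0.113.5 echo DRY-RUN": False,  # "-R" inside an argument
    "ssh.exe -oRequestTTY=no user@203.0.113.5": False,  # -o option starting with R
}


def naive_misses(samples=SAMPLES):
    """Real tunnels the substring filter misses but the regex catches."""
    return [c for c, is_tunnel in samples.items()
            if is_tunnel and regex_match(c) and not naive_match(c)]


def naive_false_positives(samples=SAMPLES):
    """Non-tunnels the substring filter flags anyway."""
    return [c for c, is_tunnel in samples.items() if not is_tunnel and naive_match(c)]


def regex_false_positives(samples=SAMPLES):
    """Non-tunnels the regex flags: the known caveat is -o options whose name
    starts with R (RequestTTY, RemoteCommand, ...), since \\w* swallows the 'o'."""
    return [c for c, is_tunnel in samples.items() if not is_tunnel and regex_match(c)]


if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{naive_match(cmd)!s:5} {regex_match(cmd)!s:5} {flag_bundle(cmd)!s:5} {cmd}")
    print("missed by substring filter:", naive_misses())
    print("substring false positives :", naive_false_positives())
    print("regex false positives     :", regex_false_positives())
```

The regex closes the backgrounding gap, but it is not free of noise: a `-o` option whose name begins with R (`-oRequestTTY=`, `-oRemoteCommand=`) matches too, and `-R` supplied via a config file (or a runtime `~C` escape) never reaches the command line at all, so pair the command-line rule with the network-shape hunting from the earlier tweets.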
@max_deboosted Nice, didn't know about ~C. Thanks for sharing, will try in the lab. Neat that it keeps the flag off the command line entirely, though they'd need to modify config. One more detection opportunity.
@LucyIsZombie Excalidraw diagram, real lab queries and screenshots from MDE/Elastic. Claude did the article edit and feature image😀
Ever seen ssh.exe on a workstation and ignored it? That -R flag opens a SOCKS pivot. Akira's operators used it to proxy a scanner before dropping ransomware. Your EDR sees ssh.exe. Nothing inside the tunnel. The network telemetry still leaks. Here's how to read it 👇
Thanks to the author @nas_bench Sigma rule: github.com/SigmaHQ/sigma/…
Hunt queries: github.com/Securityinbits…
@ghoullthings Thank you for sharing that - glad it resonated.
Florian Roth ⚡️ @cyb3rops
221K Followers 3K Following Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim
SwiftOnSecurity @SwiftOnSecurity
411K Followers 9K Following computer security person. former helpdesk.
Ali Hadi | B!n@ry @binaryz0ne
35K Followers 570 Following DFIR and Adversary Simulation | All posts reflect the views and interests of the person behind this account only |
Karsten Hahn @struppigel
26K Followers 781 Following MalwareAnalysisForHedgehogs, Principal Malware Researcher at GDATA, he/him 🦔🌈🏳️⚧️
Matthew @embee_research
15K Followers 2K Following Security Researcher, Creating and Sharing Educational Content.
Michael Koczwara @MichalKoczwara
25K Followers 2K Following Threat Researcher/Founder @Intel_Ops_io Threat Intelligence, Adversary Infrastructure Hunting, Curated TI Feed (Coming Soon) https://t.co/VQWaze6gaF
mRr3b00t @UK_Daniel_Card
123K Followers 8K Following Department of Cyber WAR. Member of the Counter Spider Collective. Wielder of AI to defend in Cyber Space. Ralph Vibe Specialist. VibeOps Operator!
Stephan Berger @malmoeb
29K Followers 1K Following Head of Investigations @InfoGuardAG https://t.co/A5lnFAu7eX
Josh Stroschein | The... @jstrosch
12K Followers 1K Following Reverse engineer and content creator | 😱 1M+ views on YT | 🎙️ Host of Behind the Binary podcast 👇
Kostas @Kostastsale
20K Followers 385 Following I like building things that solve real problems, working across cybersecurity, product, and research | 🇬🇷🇨🇦
Uğur Can ATASOY @MrUgurCanAtasoy
568 Followers 2K Following Sr. Security Engineer @Udemy | Instructor & Researcher | prev @MercedesBenz @TryHackMe @STMDefence | #CCSP #GCIA #OSCP #OSWP #CySA+ #eCTHPv2🕵🏼♂️
breachcache @breachcache
31 Followers 21 Following Publishing DFIR cases with full kill chains, IOCs, negotiations and real footage of threat actors operating.
Sreeharsha Kornu @sreeharshakornu
117 Followers 704 Following Cybersecurity analyst. Liverpool FAN since 2004. YNWA
Kishor Parmar @iamkishorparmar
9 Followers 77 Following Network Engineer Wired & Wireless | Youtuber | Ambedkarite |
Akshat @ciaaaasquare
0 Followers 167 Following
Dorothy @dorothy19010000
1K Followers 4K Following do good stuff feel good stuff its not complicated
V1km4n__ @V1km4n__
32 Followers 1K Following CTF|Software Developer|Linux|Python|Bash|Server Administrator|Network 🤖
~ @RizxiPrawiro
29 Followers 874 Following Advanced Adversary Simulation and Emulation | Cyber Threat Hunting & Cyber Threat Intelligence
Anton @Antonlovesdnb
6K Followers 4K Following Blue Team stuff | Trying to be a decent human being | @munkschool Grad | Hunt & Response @HuntressLabs
Matt @mattreadingthis
1 Followers 138 Following
cole @terr65578
40 Followers 344 Following
Puthiyavan @citam0n
8 Followers 826 Following
eth @KHL_ETHA
10 Followers 3K Following
DMAN 😎😛🤑✌ @drosty521
126K Followers 123K Following Big Steeler fan! I stay as far away from drama as possible! Bi Polar and dealing with it. #mentalhealthmatters #justdoit #legalize #loveallanimals #RESIST
⚡️ @ehtL1ght
28 Followers 995 Following
Cailloux @Cailloux968499
12 Followers 805 Following
squar3grap3s @squar3grap3s
0 Followers 156 Following
kuan @nulldiscipline
0 Followers 502 Following
ivan cabrera @ivancabrer63256
5 Followers 34 Following
Ari @jackkel90
2 Followers 257 Following
Sun_K @sunbelt_kerio
37 Followers 1K Following
N S @0x4E53h
1 Followers 198 Following
th3c0d1 @th3c0d1
19 Followers 673 Following
helina @helina1945
0 Followers 2K Following
xox_ x0d @deth_0x00
3 Followers 324 Following
Elie @HaykalElie
687 Followers 2K Following Creator behind @CineTrakApp - A movie and TV show tracking and discovery app https://t.co/a5jOME4TVQ - ◽️Infosec ◽️Videogames ◽️Tech ◽️Music
SunilCh @SunilCh26
0 Followers 56 Following In a Constant Relationship with Logs, Alerts & Threat Actors Security analyst • Threat Hunter 🛡️🖥️
DarkShadow23 @djfrank507
71 Followers 279 Following ⚙️Cybersecurity Engineer 🧙♂️CloudSecurity Engineer 💻Infrastructure Engineer
Marcos @Marcos58294438
14 Followers 1K Following Transitioning careers away from healthcare and into cybersecurity. 🎓
Leleco @leleco_bh
1K Followers 2K Following Mineiro through and through, passport stamped 🌎 | I travel light, I live on the edge. The rest I'll tell you in person.
Rahul R @0x_Deed_Beef
0 Followers 540 Following
youngaqua @youngaqua50
10 Followers 472 Following
daten_krake @daten_krake
8 Followers 174 Following
J @jamFilm03
77 Followers 678 Following
Katie Drury @KatieDrury17
0 Followers 8 Following
crispyscientist @crispyscientist
8 Followers 697 Following
The1stRoundDraftPick @Da1stRndDrftPic
77 Followers 475 Following I'm a man of focus, commitment, sheer will. I can assure you the stories you hear about me, if nothing else, have been watered down
Ed @edwardblackburn
62 Followers 230 Following
EMAIL @binaryborscht
3 Followers 124 Following
NaMANANa XV @NaMA_REE
715 Followers 3K Following Name: Maryee - I mumble a bit of 日本語 - #百合 - #Symphogear - #YuYuYu - #starlight - #othersidepicnic - Japanese girls with fists in their hands - Italian pride 🇮🇹
FLY @JJJJ00070
0 Followers 17 Following
vx-underground @vxunderground
440K Followers 362 Following The largest collection of malware source code, samples, and papers on the internet. Password: infected
Alexandre Borges @ale_sp_brazil
31K Followers 175 Following iOS, Chrome and Windows Security Researcher | Exploit Developer
MalwareHunterTeam @malwrhunterteam
254K Followers 37 Following Official MHT Twitter account. Check out ID Ransomware (created by @demonslay335). More photos & gifs, less malware.
ςεяβεяμs - м... @c3rb3ru5d3d53c
26K Followers 245 Following 💕 Malware Reverse Engineer & Malware Geneticist 💕 #Binlex Developer https://t.co/EKYUS9Itvd 👩💻 She/Her
Jiří Vinopal @vinopaljiri
10K Followers 567 Following Security Researcher at @_CPResearch_ All opinions expressed here are mine only. https://t.co/bNWc3kafmd
John Hammond @_JohnHammond
321K Followers 3K Following Cybersecurity Researcher @HuntressLabs Just Hacking Training @JustHackingHQ w/ @ethicalhacker https://t.co/UtsNJiyQtS && https://t.co/narO3sz7y6
Justin Elze @HackingLZ
71K Followers 5K Following CTO @TrustedSec | Former Optiv/SecureWorks/Accuvant Labs/Redspin | Race cars
Thomas Roccia 🤘 @fr0gger_
35K Followers 2K Following AI Security x Threat Intel · Threat Researcher · Creator of #Unprotect & #NOVA · Malware Warlock · Python 🧡 · Prev @Microsoft @McAfee_Labs
hasherezade @hasherezade
91K Followers 957 Following Programmer, #malware analyst. Author of #PEbear, #PEsieve, #TinyTracer. Private account. All opinions expressed here are mine only (not of my employer etc)
blackorbird @blackorbird
42K Followers 702 Following Peace and Love. Just Analysis/Hunter/Youtuber/AiCoder/Entrepreneur/. #APT #threatIntelligence #Exploit #CTI #meme #cyber #hacker #OSINT #Ai Need Remote Job
marc ochsenmeier @ochsenmeier
14K Followers 72 Following Malware Analyst @BoschGlobal CERT | Author of #pestudio
Typefully @typefully
43K Followers 7 Following Join 200k+ creators to write, schedule & publish on 𝕏 and LinkedIn, without distractions • Now with AI ✨
OIHEC hackers @HackersOIHEC
47K Followers 15K Following Mexican hacker - Founder of OIHEC, formerly OMHE - #opensoc #latam #speaker #pentester #blueteam #redteam #criptoanarquista #security
Luke Acha @luke92881
493 Followers 349 Following Incident Response and Malware Detection enthusiast.
spencer @techspence
17K Followers 3K Following 🛠️ Former Sysadmin, now Pentester | Microsoft MVP | Helping IT teams make their environment harder to attack | @SecurIT360 & @CyberThreatPOV
Logesh @logesh0210
14 Followers 287 Following
Mark Manson @Markmanson
676K Followers 123 Following #1 New York Times Bestselling Author of five books, including "The Subtle Art of Not Giving F*ck". Co-Founder of @Purpose_AI. Host of Solved Podcast.
Matt Pocock @mattpocockuk
298K Followers 786 Following I teach devs for a living. Author of Total TypeScript and AI Hero. Ex-@vercel. Used to be a voice coach.
JK Molina @OneJKMolina
239K Followers 190 Following Co-Founded Tweet Hunter. Sold for $8 million. Building https://t.co/zRSu8nSvH3 so you can build a membership off your done-for-you AI prompts.
Charlie Eriksen @CharlieEriksen
3K Followers 411 Following Security Researcher @AikidoSecurity. Previously @SecCodeWarrior, co-founder at Adversaryio & Principal Security Engineer/Partner @thesyndis. Opinions all my own
Soumyani1 @reveng007
1K Followers 2K Following Red mind. Blue mission. Turning attack tradecraft into detections | CRTO | CRTP | @BlackHatEvents 2024 Arsenal, @WWHackinFest 2024 Presenter and @BSidesSG 2023
ᴍɪᴄʜᴀʟɪs ... @Cyb3rMik3
4K Followers 3K Following Regional Threat Protection Tech Lead @Microsoft | Former Microsoft MVP | Father 👭/Husband👫/🍷&⌚️ enthusiast/Explorer ✈️ | Views my own.
Andy Gill @ZephrFish
20K Followers 641 Following Security Researcher, RT, Director & Course Author at @ZephrSec |Staff on @CuratedIntel | Lab Creation @XintraOrg | https://t.co/gvGwReANzD - check out my RT course
Aura @SecurityAura
6K Followers 675 Following GCIH, GCFE, GDAT | DFIR, TH, DE | @CuratedIntel DFIR https://t.co/BMWUwziTLh https://t.co/MmX2YNVqdk https://t.co/R20zseQfLk
Socket @SocketSecurity
22K Followers 5K Following Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware
Fabian Bader @fabian_bader
10K Followers 890 Following #Security #Azure #AAD #MDE #M365 #AD #PKI #XDR #EntraID Microsoft MVP Tweets and opinions are my own @[email protected]
Elastic @elastic
65K Followers 183 Following Where developers learn, build, and share. Your source for hands-on demos, cheat sheets, explainers and more.
Sean Metcalf @PyroTek3
37K Followers 685 Following Identity Security Architect @ TrustedSec. Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Co-Host @ Enterprise Security Weekly. He/Him. #BLM
Julien | 🦋@julien.... @JMousqueton
2K Followers 563 Following Field CISO at @cohesity | owner of https://t.co/mcCsqeRJaO | | Lecturer at @Ecole2600 🏴☠️
Tim Blazytko @mr_phrazer
6K Followers 262 Following Binary Security Researcher & Trainer | PT Chief Scientist @ Emproof Also at https://t.co/YBfgAt3kc7
Dark Web Informer @DarkWebInformer
221K Followers 72 Following One guy. Global cybercrime. Tracked so you don't have to. Ransomware, data breaches, dark web activity, darknet markets, IOCs & emerging threats. Stay informed!
BriPwn @BriPwn
1K Followers 450 Following Cybersecurity Professional | MSISE, GIAC x16, CISSP-ISSAP, CISM | SANS Certified Instructor
Zach @svch0st
4K Followers 1K Following Everything DFIR @TheDFIRReport | @CuratedIntel | @XintraOrg https://t.co/ggakuKBS0S
Renzon @r3nzsec
4K Followers 921 Following IR/Forensics @Unit42_Intel | Contributor/Analyst @TheDFIRReport @XintraOrg | Co-Founder @guidemtraining | CTF member @_hackstreetboys
Panos Gkatziroulis ... @ipurple
27K Followers 826 Following Red/Purple Teamer | Blogger | Ex-Director @pentestlabltd | Mod @ https://t.co/1nzjl9KpSH | https://t.co/mIM1GA1mN4
InfoGuard Labs @InfoGuard_Labs
296 Followers 1 Following Insights from the frontlines of offensive security and incident response @ https://t.co/uMKNWv9KUy
DAN KOE @thedankoe
951K Followers 964 Following join the next content bootcamp: https://t.co/KHN63fQmtI
Giuseppe `N3mes1s` @N3mes1s
13K Followers 327 Following windows, macos, linux, android && lowlevel && ring-1 lover; EDR chef; malware hunter; purple team💜
Will @BushidoToken
38K Followers 3K Following Senior Threat Intel Advisor @TeamCymru Co-founder @CuratedIntel Co-author @SANSForensics FOR589 Co-founder @BSidesBournemth @darknetdiaries #126: REvil
Lex Fridman @lexfridman
5.1M Followers 688 Following Host of Lex Fridman Podcast. Interested in robots and humans.
ᴅᴀɴɪᴇʟ ᴍɪ... @DanielMiessler
158K Followers 1K Following I help people and companies articulate and pursue their Ideal State. | https://t.co/muV0Un0Hi8, https://t.co/c9CkgMpaQw, https://t.co/z0T3GvB2Kn | Ex: Apple, Robinhood
Peter Steinberger ... @steipete
556K Followers 2K Following Polyagentmorous ClawFather. Came back from retirement to mess with AI and help a lobster take over the world. @OpenClaw🦞 + @OpenAI
Open Threat Research @OTR_Community
5K Followers 5 Following Empowering the InfoSec Community through Open Source projects and collaboration! https://t.co/T9YKVakZ9o
Abhishek @HeyAbhishek
110K Followers 533 Following Helping you use AI for content, marketing & business growth | Daily tutorial on AI tools, agents, GenAI & Emerging Tech | DM for collab or 📧 [email protected]
LP @jotunvillur
3K Followers 1K Following #SecKC | #FSD 🦆 | Security Ops Executive | Ultrarunning and powerlifting | tweets != employers
Hack The Box @hackthebox_eu
246K Followers 228 Following Cyber Mastery: Community Inspired. Enterprise Trusted.
Mehmet Ergene @Cyb3rMonk
14K Followers 454 Following Learn Threat Hunting, Detection Engineering, DFIR, and KQL https://t.co/uAlYlXIXot @BluRavenSec Microsoft Security MVP #ThreatHunting #DataScience
LainKusanagi @unknownseeker99
741 Followers 183 Following Systems, people and ideas, all of them have hidden vulnerabilities | CRTO | CRTP | OSCP | PNPT
Bad Sector Labs @badsectorlabs
9K Followers 526 Following Cybersecurity news, techniques, exploits, and tools every week at https://t.co/UgKmeEEjIV 🐘 @[email protected]
Xanderux @Xanderuxsf5
217 Followers 531 Following Threat intelligence analyst | #infosec Cyber threat intel community: https://t.co/5u7OdssOHI lolweb maintainer : https://t.co/sPciJFVGcN
The Haag™ @M_haggis
10K Followers 2K Following ⚔️ Prevention Engineering at MagicSword | Co-Host of Atomics on a Friday | LOLDrivers & Atomic Red Team Maintainer
Daniel Vassallo @dvassallo
203K Followers 2K Following 🚀 https://t.co/X5QMm3wlHe 🏭 https://t.co/ZvHZp55zso 🕹️ https://t.co/vHWIhHxTv6