
KoifSec

@koifsec

Detection engineer, also writing for https://detect.fyi. Base64 Enjoyer. Clippy is a threat actor.

30 Followers · 105 Following · 19 Posts · Joined 20.11.2024

Latest posts by KoifSec @koifsec

The Red Queen’s Race: Arms Race Dynamics in Threat Detection “Now, here, you see, it takes all the running you can do, to keep in the same place.” — The Red Queen, Through the Looking-Glass

New post out! "The Red Queen’s Race: Arms Race Dynamics in Threat Detection"
medium.com/@koifsec/the...

10.03.2026 10:49 👍 1 🔁 1 💬 0 📌 0
The Invisible Kill Chain: Detecting Non-Human Identity Attacks Across Telemetry Boundaries Your SOC monitors human sign-ins. Attackers compromise service principals. Here’s how to detect the full NHI kill chain — with…

New post out!
detect.fyi/the-invisibl...

02.03.2026 06:32 👍 0 🔁 0 💬 0 📌 0

If you're dealing with code packages or supply-chain risks, just open-sourced one of my tools - deps.sh - completely usable from the CLI as well. Enjoy!

20.02.2026 09:44 👍 0 🔁 0 💬 0 📌 0

Introducing the "Adversarial Detection Engineering (ADE) Framework"!

ADE aims to be for detection rules what MITRE is for attack techniques and CWE is for code. We have created a repository of universal, SIEM-agnostic detection "bugs".

Check us out ->
lnkd.in/dFYpptSW
adeframework.org

05.02.2026 09:59 👍 2 🔁 0 💬 0 📌 0
Move and Countermove: Game Theory Aspects of Detection Engineering Now that I’ve hopefully gotten your attention… I’m also writing a book!

New post out! "Move and Countermove: Game Theory Aspects of Detection Engineering"
koifsec.medium.com/move-and-cou...

30.01.2026 05:28 👍 4 🔁 0 💬 0 📌 0
Measuring Malice: When Being ‘Almost Right’ Is Exactly Wrong If you’ve spent any time writing detection rules for process masquerading, you know the game: an attacker uses scvhost.exe instead of…

New blog out - showcasing Levenshtein distance to detect process masquerading:
koifsec.medium.com/measuring-ma...

08.12.2025 10:40 👍 0 🔁 0 💬 0 📌 0
Detection Deep Dive | Shai-Hulud 2.0 (YouTube video by KoifSec)

Testing something new on YouTube - "Detection DeepDives" - for the first attempt I chose the recent Shai Hulud 2.0 worm. In the video, I attempt to showcase how it can be detected using endpoint telemetry, while providing (hopefully) useful commentary -> www.youtube.com/watch?v=WZJ2...

29.11.2025 09:56 👍 0 🔁 0 💬 0 📌 0
Introducing LUMEN: Your EVTX Companion TL;DR LUMEN is a privacy-first, browser-native EVTX analysis platform that combines WebAssembly parsing, 2,349 SIGMA detection rules…

TL;DR
LUMEN is a privacy-first, browser-native EVTX analysis platform that combines WebAssembly parsing, 2,349 SIGMA detection rules, optional AI-powered analysis, and advanced correlation capabilities — all running entirely client-side. Check it out:
koifsec.medium.com/introducing-...

28.11.2025 08:54 👍 1 🔁 0 💬 1 📌 0

Absolutely, I don't see why not. Feel free to DM me :)

17.11.2025 12:00 👍 0 🔁 0 💬 0 📌 0

Hello everyone! I'm looking for individuals experienced in PowerShell and solving CTFs, ideally both, to collaborate on an exciting new CTF initiative for the community. If you believe you have something interesting to contribute, even if you're not experienced, feel free to connect with me.

16.11.2025 10:56 👍 4 🔁 2 💬 1 📌 0
Deconstructing “Wmiexec-Pro” I recently ran a Kali VM against a Windows test host and instrumented the target with Procmon and WMI/Windows logs to see how a new…

New post out! "Deconstructing Wmiexec-pro"

Technical deep dive into a new post-exploitation framework based on Impacket's wmiexec, including a bunch of new telemetry and detections. Check it out > koifsec.medium.com/deconstructi...

23.10.2025 15:30 👍 0 🔁 0 💬 0 📌 0

Seeing some secretsdump activity in the wild lately, and it's tricky to catch because of all the false positives.

The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...

First event (4672)
Special privileges assigned to new logon:

22.10.2025 04:36 👍 5 🔁 1 💬 1 📌 0
Detecting Abuse of OpenEDR’s Permissive EDR Trial: A Security Researcher’s Perspective 1. Introduction

Read the full article: kostas-ts.medium.com/detecting-ab...

Sigma PR: github.com/SigmaHQ/sigm...

I'd love to hear your thoughts:
• Have you encountered similar permissive trial access in other security platforms? We need to document things before it's too late.

Hope you enjoy reading the post!

22.10.2025 14:33 👍 2 🔁 1 💬 0 📌 0

1/
In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1]

The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.

27.09.2025 07:42 👍 4 🔁 2 💬 1 📌 0
Inboxfuscation: Because Rules Are Meant to Be Broken Permiso launches Inboxfuscation, an open-source tool enabling organizations to detect Unicode-obfuscated Microsoft Exchange inbox rules and secure Microsoft 365.

permiso.io/blog/inboxfu...

12.09.2025 09:18 👍 2 🔁 0 💬 0 📌 0
Process Hunting with PSTree | Splunk This tutorial shows how to use the pstree command & app to help you look through all the processes you have to investigate.

www.splunk.com/en_us/blog/s...

10.09.2025 14:38 👍 0 🔁 0 💬 0 📌 0
Thoughts on the recent Ethereum smart contracts C2 abuse Hello all! 👋 It’s been a while since my last post. I wasn’t finding anything exciting to write about — until this story caught my…

New blog out!
medium.com/@koifsec/tho...

06.09.2025 15:53 👍 0 🔁 0 💬 0 📌 0

Sharing the slides from our latest "2025 State of Detection Workshop"!
drive.google.com/file/d/18Q-E...

22.08.2025 13:47 👍 0 🔁 0 💬 0 📌 0
Lateral Movement – BitLocker BitLocker is a full disk encryption feature which was designed to protect data by providing encryption to entire volumes. In Windows endpoints (workstations, laptop devices etc.), BitLocker is typi…

ipurple.team/2025/08/04/l...

05.08.2025 07:14 👍 0 🔁 0 💬 0 📌 0

A rather interesting choice of technique to use a renamed legitimate schtasks. Quite easy to detect by writing a rule that searches for "/create " + "/tn " + "/sc " + "/tr "!

28.07.2025 05:02 👍 0 🔁 0 💬 0 📌 0
Detection Pitfalls You Might Be Sleeping On Detection engineering isn’t just about finding bad behavior. It’s about understanding how attackers appear normal — on accident or by…

medium.com/detect-fyi/d...

26.07.2025 06:49 👍 1 🔁 0 💬 0 📌 0
“Invoke-Shadow” — Applying Jungian Psychology to Detection Engineering “Until you make the unconscious conscious, it will direct your life — and you will call it fate.” — Carl Jung

detect.fyi/invoke-shado...

25.07.2025 06:08 👍 1 🔁 0 💬 0 📌 0