Posts by mthcht
Nehboro, a browser extension blocking phishing attempts on page load
nehboro.github.io
➡️ Dedicated IOC feed: blocking bad AS IP ranges, domains & reported URLs
97 heuristic detections for all kinds of scams
AI analysis on demand
hopefully in the webstore soon
Automatically block and disable malicious browser extensions with a browser extension!
Perfect for family devices or anyone who just wants simple protection, no GPOs or enterprise setup... now on the Chrome Web Store:
chromewebstore.google.com/detail/extse...
VSXSentry
vsxsentry.github.io
VS Code Extensions threat intel feeds for multiple platforms, VSIX analyzer, scripts & policy generator, remediation and forensic traces guide
TOR archive feed:
tor-archive.github.io
Every IP that has ever been a TOR node!
Searchable with full timeline, exit/guard/middle role, country, ASN, updated hourly since 2024.
🧩 ExtSentry 🧩
extsentry.github.io
Browser Extensions threat intel feeds for multiple platforms + extension checker, permissions analyzer, policy generator, forensic traces guide, remediation playbook & endpoint inventory scripts
github.com/ExtSentry/Ex...
LOLC2
Collection of C2 frameworks abusing legitimate services to evade detection
Major update: new projects tested, enriched data, and deeper insights.
lolc2.github.io
LOLFSAAS
Living off Free SaaS
Hundreds of SaaS platforms with free tiers, documenting abuse surface, opsec risks, authentication methods, C2 framework mappings, and operational limits.
lolfsaas.github.io
Hello @yousefnein.bsky.social glad to hear the repos are being useful. If you'd like to contribute or enhance any of the lists in github.com/mthcht/aweso..., contributions are very welcome. I don't have much time to keep them updated quickly.
If you want to experiment with the Splunk MCP Server splunkbase.splunk.com/app/7931, I just published a client to interact with it:
github.com/mthcht/Splun...
It costs around 5 cents per Splunk query; an automated case investigation costs an average of 50 cents depending on the complexity.
it used to be great...
@hexacorn.bsky.social :o someone just sent me your list hexacorn.com/examples/201... this is great thanks!
I started another list dedicated to mutex names for detection
github.com/mthcht/aweso...
Help me enhance this list, I still have plenty more to add!
Thanks! Glad you like them!
THIS WEBSITE HAS BEEN SEIZED
Discover domains tied to sinkhole NS servers at sinkholed.github.io
Filter by TLD or NS, export in JSON/CSV, weekly update!
Search for the known sinkhole Name Servers in DNS query logs and web access to the sinkholed domains to identify potentially compromised hosts!
🎯 I have 652,022 sinkholed domains extracted here github.com/mthcht/aweso...
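As an added example (not code from sinkholed.github.io or mthcht's repos), here is the matching the post describes in working form: load the domain/NS export, walk DNS query logs and web-proxy logs, and list the clients that queried a sinkholed domain, browsed to one, or received a known sinkhole name server in an answer. The CSV excerpt, name servers and log lines are constructed for illustration, and the whitespace-separated log formats are an assumption rather than any particular product's output.

```python
"""Added example: match DNS query logs and web-access logs against a
sinkholed-domain export. Not code from sinkholed.github.io; the CSV
excerpt, name servers and log lines below are constructed for
illustration and the log formats are an assumption."""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt shaped like a domain,ns CSV export (not real data).
SINKHOLED_CSV = """\
domain,ns
badbotnet.example,ns1.sinkhole.example
evil-c2.test,sinkhole.ns.test
"""

# Constructed DNS query log: <ts> <client> <qname> <qtype> <answer>.
DNS_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 www.evil-c2.test A 192.0.2.10
2025-03-01T10:00:02Z 10.0.0.6 www.example.com A 93.184.216.34
2025-03-01T10:00:03Z 10.0.0.9 update.other.example NS ns1.sinkhole.example.
"""

# Constructed proxy log: <ts> <client> <method> <url> <status>.
PROXY_LOG = """\
2025-03-01T10:00:04Z 10.0.0.7 GET http://badbotnet.example/gate.php 200
2025-03-01T10:00:05Z 10.0.0.6 GET https://www.example.com/ 200
"""


def normalise(name):
    """Lowercase, strip whitespace and the trailing dot DNS logs often keep."""
    return name.strip().lower().rstrip(".")


def load_sinkholed(csv_text):
    """Return {domain: ns} from the export, normalised for exact matching."""
    return {normalise(r["domain"]): normalise(r["ns"])
            for r in csv.DictReader(io.StringIO(csv_text))}


def sinkholed_parent(name, table):
    """Return the sinkholed domain that `name` equals or is a subdomain of.

    Walks up the labels so www.evil-c2.test matches evil-c2.test, but never
    tests the bare TLD on its own.
    """
    labels = normalise(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def find_sinkhole_hits(table, dns_log, proxy_log):
    """Map client IP -> [(evidence, indicator)] for every sinkhole touch."""
    sinkhole_ns = set(table.values())
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, qname, _qtype, answer = parts[:5]
        parent = sinkholed_parent(qname, table)
        if parent:
            hits[client].append(("dns-query", parent))
        # A response carrying a known sinkhole NS also catches domains that
        # were sinkholed after the list was pulled.
        if normalise(answer) in sinkhole_ns:
            hits[client].append(("dns-answer-ns", normalise(answer)))
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        parent = sinkholed_parent(urlsplit(url).hostname or "", table)
        if parent:
            hits[client].append(("web-access", parent))
    return dict(hits)


if __name__ == "__main__":
    table = load_sinkholed(SINKHOLED_CSV)
    for client, evidence in sorted(find_sinkhole_hits(table, DNS_LOG, PROXY_LOG).items()):
        print(client, evidence)
```

The subdomain walk matters in practice: malware rarely queries the apex domain, and the list is keyed by registrable domain. The NS check is the second signal the post mentions and is what catches hosts whose C2 domain was seized after your last list refresh.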
#ThreatHunting February updates
Release: github.com/mthcht/Threa...
Site: mthcht.github.io/ThreatHuntin...
🧬 YARA: github.com/mthcht/Threa...
💾 Specific artifact lists: github.com/mthcht/aweso...
Of course! PRs are welcome
PowerShell: after 5 "type .\5\test.txt" calls, the test.txt file is a symlink to win.ini
CMD: a single "type .\6\test.txt" call results in every single file being printed, including the final win.ini symlink
From over at the Bad Place:
There's an interesting NTFS symlink attack outlined here:
dfir.ru/2025/02/23/symlink-attac...
Basically, if an NTFS filesystem is corrupted in a way to provide duplicate file names, Windows will […]
[Original post on infosec.exchange]
It took just 3 hours:
RCE → Metasploit C2 → AnyDesk for remote GUI access → LockBit ransomware
Interestingly, we observed the threat actor using PDQ Deploy, a patch management tool.
Read the report here:
A bookmark of my lists is now automatically generated after each update in my repo github.com/mthcht/aweso...
I'm also looking to automatically add my starred repos lists github.com/mthcht?tab=s... in this bookmark but there doesn't seem to be an API endpoint for the stars lists?
It's growing! Now at 38 services and 82 projects. What's your favorite LoLC2?
Pushed a #KQL for: Successful device code sign-in from an unmanaged device.
Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"
🔹 Query: github.com/Bert-JanP/Hu...
In case you don't want to do this yourself, I just discovered that you can request access to a complete list of all existing domains across 1131 TLDs on czds.icann.org for free, including NS records! The lists are updated every month, approval is required for each TLD.
Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time www.splunk.com/en_us/blog/s....
Thrilled to share my first blog at @splunk! @mhaggis.bsky.social and I take a deep dive into the weird & exciting world of SDDL and ACEs - what they are, how they work, and how attackers can abuse them.
Path masquerading zerosalarium.com/2025/01/path...
Interesting technique, if you're hunting for this, you can directly search the unicode characters in Splunk 🥷
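As an added example (not code from the linked article or from mthcht), here is the hunting step the post points at in working form: pull the non-ASCII code points out of process image paths, name them, and emit the escape you would paste into a search. The process-creation events are constructed, and the example assumes the masquerade relies on Unicode characters inside the path (a Cyrillic lookalike letter, a slash-like character, or a bidirectional override); the PCRE `\x{hhhh}` escape it prints is an assumption about your regex engine, so verify it against your SIEM or paste the literal character instead.

```python
"""Added example: surface the non-ASCII code points in executable paths so
they can be hunted for as literal characters. Not code from the linked
article; the events are constructed and assume the masquerade relies on
Unicode characters in the path."""
import unicodedata

# Constructed process-creation events (not real telemetry).
EVENTS = [
    "C:\\Windows\\System32\\svchost.exe",          # genuine
    "C:\\W\u0456ndows\\System32\\svchost.exe",     # Cyrillic 'і' in place of Latin 'i'
    "C:\\Windows\u2215System32\\svchost.exe",      # DIVISION SLASH where '\' belongs
    "C:\\Users\\bob\\\u202ecod.exe",               # RIGHT-TO-LEFT OVERRIDE
]


def non_ascii_codepoints(path):
    """Return [(offset, 'U+XXXX', unicode name)] for each non-ASCII character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(path) if ord(ch) > 0x7F]


def hunt(events):
    """Keep only events whose image path carries non-ASCII characters."""
    flagged = []
    for path in events:
        cps = non_ascii_codepoints(path)
        if cps:
            flagged.append((path, cps))
    return flagged


def regex_term(codepoint):
    """PCRE-style escape for one code point, e.g. U+0456 -> \\x{0456}.

    Assumption: the SIEM's regex engine accepts this form (PCRE does);
    otherwise paste the literal character from the flagged event.
    """
    return "\\x{" + codepoint[2:] + "}"


if __name__ == "__main__":
    for path, cps in hunt(EVENTS):
        for offset, cp, name in cps:
            print(f"{path!r}: offset {offset} {cp} {name} -> search {regex_term(cp)}")
```

Reporting the code point and its Unicode name, rather than the glyph, is the point: the glyph is what fooled the eye in the first place, and the code point is what you can search for exactly.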
Most SOCs handle hundreds to thousands of detection rules in their SIEM. Proper categorization is essential when creating a new detection, as it helps define criticality, urgency, implementation effort, and verbosity level. Keeping things structured will reduce alert fatigue!
I'll keep this updated, let me know if you have any projects to add! some C2 candidates: github.com/lolc2/lolc2....