
Posts by Jipe

I just wanted to help solve crimes. Not explain why creation dates can be more recent than modification dates over and over again until I’m dead. #DigitalForensics #DFIR

1 month ago 2 1 0 0
How Russia’s War Has Devastated Civilian Life in Ukraine - bellingcat Russia's full-invasion of Ukraine began four years ago today. While Ukraine has resisted, the impact on civilian life continues to be severe.

Exactly four years since Russia’s full-scale invasion of Ukraine, Bellingcat’s Volunteer Community looks back at the data we have collected on civilian harm during this time - documenting attacks on cities and the near-total destruction of rural villages. www.bellingcat.com/news/2026/02...

1 month ago 736 295 5 9
Russia’s Matryoshka bots begin Epstein-themed disinfo campaign, focusing false claims against Ukraine and France The Kremlin-linked bot network known as “Matryoshka” has launched a disinformation campaign following the release by the U.S. Justice Department of new documents in the case of Jeffrey Epstein.The cam...

Russia’s Matryoshka bots begin Epstein-themed disinfo campaign, focusing false claims against Ukraine and France
theins.press/en/news/289109

2 months ago 2 1 1 0
GitHub - tomchop/volatility3-autoruns: Autoruns plugin for the Volatility3 framework

I rarely post here, but when I do... I just updated my Volatility autoruns plugin to be compatible with Volatility 3 (long overdue!) Here's the goodies: github.com/tomchop/vola... #dfir #forensics #cybersecurity

2 months ago 15 4 1 0

We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe. signal.org/blog/pdfs/ge...

6 months ago 3960 2398 40 140

Qilin targeting a French critical infrastructure again.

6 months ago 1 0 0 0
The Salesloft–Drift Breach: An Attack Path Case Study - SpecterOps This post analyzes the Salesloft–Drift incident through an attack path lens, showing how violations of the clean source principle, identities in transit, and hidden hybrid paths combined to turn a sin...

It's time to change how you think about SaaS integrations.

The Salesloft attack shows how GitHub → AWS → Drift → Salesforce created an attack highway defenders never saw coming.

Jared Atkinson's analysis details the patterns we should look out for. ghst.ly/4ngDQrD

6 months ago 1 1 0 0
4 research institutes march together hand in hand for diversity and inclusion in science © Franck Aubry


🌈 United for diversity in science 🌈
Researchers from Institut Pasteur joined the 2025 Pride March alongside @institutcurie.bsky.social, Les Cordeliers Research Center, @institutcochin.bsky.social @institutimagine.bsky.social

👩‍🔬 Because diverse labs make better science.
#DiversityInScience

9 months ago 50 20 0 2
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.

North Koreans reportedly host fake Zoom meeting featuring multiple deepfake colleagues. Target’s microphone doesn’t work so the colleagues talk them through installing malicious fix. www.huntress.com/blog/inside-...

10 months ago 20 9 0 0

Société Générale is going back on remote work, I think there are some good profiles to recruit at the CERT :) #JUSTSayin

10 months ago 7 2 1 0

French scams over SMS now requiring human interactions, likely to protect from automated remediation and better identify vulnerable targets.

10 months ago 0 0 0 0
Update: Dumping Entra Connect Sync Credentials Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…

New tricks, same impact
posts.specterops.io/update-dumpi...

10 months ago 6 7 0 0

Mapping Hidden Alliances in Russian-Affiliated Ransomware

dti.domaintools.com/mapping-hidd...

10 months ago 20 8 1 0
State Service of Special Communications and Information Protection of Ukraine: Website of the State Service of Special Communications and Information Protection of Ukraine

cip.gov.ua/ua/news/anal...
Ukrainian CERT published a synthesis on 3 years of war time defensive activity that is well worth reading.

10 months ago 4 2 0 0
License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows Flock, which has license plate readers (LPRs) all around the country, wants police to be able to “jump from LPR to person,” according to leaked audio obtained by 404 Media.

New from 404 Media: Flock, the license plate reader company that has cameras all across the U.S., is now building a massive people lookup tool using hacked data. The plan is to "jump from LPR to person." Won't require a warrant. This is according to a leak we obtained.

www.404media.co/license-plat...

11 months ago 607 336 24 67

This DTEX report on North Korea's hacking capabilities, along with Viginum's Russian info op report from last week, are probably the best reports of the year so far

You MUST read it!

PDF: reports.dtexsystems.com/DTEX-Exposin...

11 months ago 21 11 0 0
Announcing the Official Parity Release of Volatility 3!

We are very excited to announce that Volatility 3 has reached parity with Volatility 2! With this achievement, Volatility 2 is now deprecated. See the full details in our blog post: volatilityfoundation.org/announcing-t...

11 months ago 26 13 0 3

Let me know should you need to test on another system.

11 months ago 1 0 0 0
PS C:\Users\Administrator> Get-AADIntSyncCredentialsUnable to get sync credent - Pastebin.com

@drazuread.com Hi, Entra Connect Sync now uses an MSA account for its service by default. Is Get-LSASecrets handling MSA accounts already or just gMSA?
AD sync itself is still performed by an MSOL_ account.
Thank you!
AADInternals 0.9.8
Microsoft Entra Connect Sync 2.4.131.0
pastebin.com/UU4u7YZR

11 months ago 1 0 1 0

Dear Americans, what have you done…

1 year ago 0 0 0 0
Abusing multicast poisoning for pre-authenticated Kerberos relay over HTTP with Responder and krbrelayx

In our latest article, @croco_byte proposes an implementation of a trick discovered by James Forshaw in his research regarding Kerberos relaying. Discover how to perform pre-authenticated Kerberos relay over HTTP with our Responder and krbrelayx pull requests!
www.synacktiv.com/publications...

1 year ago 16 12 0 1
Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos | Microsoft Community Hub Disabling Kerberos RC4 is a top priority for many organizations today but identifying devices that don't support AES has been very challenging.  In this...

« Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos » techcommunity.microsoft.com/blog/coreinf...

1 year ago 0 0 0 0

« LSA SECRETS: REVISITING SECRETSDUMP » by @synacktiv.com www.synacktiv.com/lsa-secrets-...

1 year ago 0 0 0 0
Everyone knows your location How I tracked myself down using leaked location data in the in-app ads, and what I found along the way.

An eye-opening blog post on ads-based tracking: « Everyone knows your location: tracking myself down through in-app ads » timsh.org/tracking-mys...

1 year ago 9 7 0 0
Windows Recycle Bin - The known and the unknown This is my blog about topics in the field of digital forensics.

Windows Recycle Bin - The known and the unknown bebinary4n6.blogspot.com/2025/01/wind...

1 year ago 0 0 0 0
GitHub - AlbinoGazelle/esxi-testing-toolkit: 🧰 ESXi Testing Tookit is a command-line utility designed to help security teams test ESXi detections.

github.com/AlbinoGazell...

1 year ago 2 0 0 0
ADFS — Living in the Legacy of DRS It’s no secret that Microsoft have been trying to move customers away from ADFS for a while. Short of slapping a “deprecated” label on it…

Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. buff.ly/4j41VQU

1 year ago 36 18 2 1
Michael Kirchner on LinkedIn: API keys of AWS IAM users are often used when on-prem systems need to… | 14 comments API keys of AWS IAM users are often used when on-prem systems need to connect to your AWS environment. They are difficult to replace (you need some form of… | 14 comments on LinkedIn

Leaked API keys are a huge issue. GitHub detects around 7,000 tokens in public repos **every month**! www.linkedin.com/feed/update/...

1 year ago 0 2 0 0

Could anyone in this business explain to me how a random app can share PII with 800+ companies?

1 year ago 1 0 0 0