Ayush Anand retweeted
ssh.exe -R proves a tunnel exists. It doesn't prove a pivot. Identical flag in all three rows. What separates a benign port-forward from a SOCKS subnet sweep is the shape of the traffic: fan-out and failure count, not the command line. Full breakdown drops Thursday. KQL + ES|QL, so you can hunt it the same day. 🔍
Ayush Anand retweeted
At this point, it's sad how many intrusions could've been exposed if orgs hadn't been using AV such as WatchGuard, BitDefender, ESET, etc. and had just relied on the built-in Defender and got the alerts centralized somewhere ... Ransomware: 0 detections 3rd party, 65 Defender.
An ssh.exe -R alert on a workstation deserves attention. Attackers abuse SSH remote tunneling to proxy traffic through compromised hosts and reach internal systems. Correlating process and network telemetry in MDE can expose what's happening inside the tunnel. Lab demo 👇 of the detection and triage process: youtube.com/watch?v=-57OYlKr…
Ayush Anand retweeted
Can you fix Opus 4.8/4.7 to work for offensive security with proper cyber validation approval? I’m a big fan of Claude code but at this point it’s unusable. 4.6 is usable but it’s hard to justify/advocate for the spend of a model 2 versions behind frontier. @bcherny @AnthropicAI
Triage before you investigate. In Elastic, this ES|QL query turns an alert flood into a ranked rule list. Two functions do the work: STATS and VALUES. STATS groups by rule name and counts the alerts. VALUES pulls every distinct host, user, command line, and file path that fired under that rule. No aggregation loss. The full context travels with the count. One row per rule. Count on the left. Evidence on the right.
Ayush Anand retweeted
For people who just started with #KQL and want to learn why this is AI-slop. Some indicators are explained in the 🧵
AI-slop. KQL AI-slop EVERYWHERE. I'm scared @BertJanCyber 😂
One host touching 50 internal IPs across 5 ports in under 5 minutes is not “normal admin activity.” That is how ransomware operators map your network before encryption. 👀 The best part? This detection still works when the tool is renamed, packed, or stripped of metadata. Fully tool-agnostic. I shared both the KQL and ESQL versions in the article. More discovery-phase detections soon.
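An added example of the tool-agnostic fan-out hunt described in this post and the ssh.exe -R post above; it is not the author's query. It is written for Microsoft Defender for Endpoint Advanced Hunting against the standard DeviceNetworkEvents table, keys on the shape of the traffic (distinct internal targets, distinct ports, failed connections per 5-minute bin) rather than a file name, and uses the post's thresholds, which you should tune to your estate.

```kql
// Added example, not the author's query. Discovery-burst hunt keyed on traffic
// shape: a renamed, packed or metadata-stripped scanner still surfaces, and a
// SOCKS sweep proxied through ssh.exe shows up with ssh.exe as the initiator.
let window     = 5m;   // post: "in under 5 minutes"
let minTargets = 50;   // post: "50 internal IPs"
let minPorts   = 5;    // post: "5 ports"
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest")
| where ipv4_is_private(RemoteIP) and RemoteIP != LocalIP   // internal targets only
| summarize
    Events    = count(),
    Targets   = dcount(RemoteIP),
    Ports     = dcount(RemotePort),
    Failed    = countif(ActionType == "ConnectionFailed"),  // sweeps fail a lot, admin sessions don't
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Cmdline   = take_any(InitiatingProcessCommandLine)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256,
       InitiatingProcessId, bin(Timestamp, window)
| where Targets >= minTargets and Ports >= minPorts
| extend FailPct = round(100.0 * Failed / Events, 1)
| project DeviceName, FirstSeen, LastSeen, Targets, Ports, Failed, FailPct,
          InitiatingProcessFileName, InitiatingProcessSHA256, Cmdline
| order by Targets desc, FailPct desc
```

Grouping by the initiating process hash rather than its name is what keeps the hunt tool-agnostic; the hash column also gives you the pivot for checking whether the same binary ran elsewhere.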
If you only hunt for netscan.exe, renamed NetScan binaries will slip past you. Hunt the version info and cmdline instead. SoftPerfect NetScan has been used by 32 ransomware gangs, as mentioned in the Ransomware Tool Matrix from @BushidoToken.
Detection idea:
Version info: SoftPerfect / Network Scanner / scanning networks
Cmdline: /hide /auto
/hide = no GUI
/auto = scan, XML output
KQL query here: github.com/Securityinbits/de…
More ransomware hunting notes coming soon.
Ransomware discovery is often louder than encryption. 45 ransomware gangs have used these 3 scanners before impact:
• SoftPerfect NetScan
• Advanced IP Scanner
• Advanced Port Scanner
Start hunting the scan phase before the ransom note. More hunt logic below. 🔎
SoftPerfect NetScan is not just an admin tool. 32 ransomware gangs have used it, and The Gentlemen ransomware used it in a recent @TheDFIRReport case. Hunt it by version info first. Then check cmdline for /hide and /auto. Those flags can turn scanning into quiet recon.
Detection idea:
Version info: SoftPerfect / Network Scanner / scanning networks
Cmdline: /hide /auto
/hide = no GUI
/auto = scan, XML output
Use this to hunt today: github.com/Securityinbits/de…
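An added example of the version-info-first NetScan hunt laid out in the two "Detection idea" posts above; it is written for this page and is not the query the posts link to on GitHub. It assumes Microsoft Defender for Endpoint Advanced Hunting with the standard DeviceProcessEvents columns, and the version-info strings and /hide and /auto flags are the ones the posts give.

```kql
// Added example, not the author's linked query. Match SoftPerfect NetScan on PE
// version info first, then grade each hit by the quiet-recon flags and by
// whether the binary was renamed away from netscan.exe.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoCompanyName has "SoftPerfect"
    or ProcessVersionInfoProductName has "Network Scanner"
    or ProcessVersionInfoFileDescription contains "scanning networks"
| extend Hidden   = ProcessCommandLine contains "/hide",  // no GUI
         AutoScan = ProcessCommandLine contains "/auto",  // unattended scan, XML output
         Renamed  = FileName !~ "netscan.exe"             // version info matched, name did not
| extend Priority = case(Hidden and AutoScan,           3,  // headless scan: treat as recon
                         Hidden or AutoScan or Renamed, 2,
                                                        1)  // interactive run, possibly an admin
| project Timestamp, DeviceName, AccountName, Priority, FileName, Renamed,
          Hidden, AutoScan, ProcessCommandLine, SHA256,
          ProcessVersionInfoOriginalFileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Priority desc, Timestamp desc
```

ProcessVersionInfoOriginalFileName survives a rename of the file on disk, so a row where it still reads as the vendor's name while FileName differs is the renamed-binary case the first post warns about.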
Ayush Anand retweeted
New blog post covering what's changed in Amatera Stealer 4.0.2 Beta! Plus a bug I found that can be used as a vaccine.
- XTEA-encrypted strings
- C2 protocol changes (AES -> ECDH P256 ChaCha20-Poly1305) making decryption more difficult
- SysCall SSN encoding, decoded just before WoW64Transition
esentire.com/blog/amatera-st…
Ayush Anand retweeted
Many SOC alerts look harmless until you see the pattern.
- systeminfo
- nltest
- net.exe
- whoami
If these fire within seconds on one host, you may be seeing pre-ransomware discovery. In this lab I simulate the burst with Adaptix C2 and detect it using Sigma in Elastic: youtu.be/4xpP2yLYNoE
You will see how to:
• catch the discovery burst
• pivot through process trees
• escalate before encryption starts
Ayush Anand retweeted
Replying to @ramimacisabird
Agree, v2 Python looks fixed with debug mode. But the check for Iran/Israel looks to be a specific function created by TeamPCP. Vibe coded as usual :) More details: x.com/Securityinbits/status/…

Mini Shai-Hulud: transformers.pyz is not obfuscated. The Python Linux stealer has a fallback C2 path that is similar to the previous Shai-Hulud dead-drop C2 pattern. I checked the latest GitHub commit. No fresh C2 value yet. #TeamPCP will use this when the initial C2 fails. More details below 👇
- Exits if Russian language settings are detected or CPU count is <= 2.
- Function is named is_israeli_system(), but the geo-check also looks for Israel & Iran markers, then may play audio from C2 and attempt `rm -rf /*`.
- Uses multiple collectors to steal credentials from AWS, Azure, Tailscale, password vaults etc.
This is the GitHub URL where we can monitor for dead-drop C2 for the v2 Python Linux stealer. No change in total count, still 32: api.github.com/search/commit…