Kaspersky Lab Security Services team

Joined January 2018
Pinned Tweet
We know it’s been a while since our last post. But we’re back, with great news! We’re launching our blog, “Purpleshift,” featuring interesting articles, talks, and research for both blue and red teams. Yeah that’s why it’s purple :) purpleshift.io/
A recent firmware assessment led us to a RISC-V chip with an early Packed-SIMD (P) Extension. Missing IDA Pro support required reverse engineering undocumented instructions, adding processor support, and implementing decompiler lifting. Read more: purpleshift.io/articles/2026…
Recently, there was a vulnerability in the Windows Snipping Tool that allowed user NTLM hashes to leak. For detection, monitor the launching of SnippingTool.exe with the filePath parameter that starts with '\\' or its URL-encoded version. Read more purpleshift.io/purple/2026-0…
In this blog post, we continue our story about discovering a misconfigured Kubernetes cluster during a pentest engagement conducted by our colleague @irabva, which eventually led to access to internal source code repositories. purpleshift.io/purple/2026-0…
New NTLM audit policies and events in Windows 11 24H2 / Windows Server 2025 can help detect coercion attacks and analyze unusual NTLM authentication behavior. In the screenshot below, there is an example of a coercing attack. Read more here: purpleshift.io/purple/2026-0…
Can local LLMs really perform pentesting effectively? Our colleague @ahmed_khlief benchmarked local LLMs (GLM, Qwen, GPT-OSS, Gemma) against a vulnerable web app using MCP tools, no RAG or internet access. See the top-performing models and key findings: purpleshift.io/articles/2026…

CopyFail (CVE-2026-31431) allows local privilege escalation to root in all major Linux distributions. The vulnerability gives an attacker the ability to modify the cache of any readable file. Check here what you should do purpleshift.io/purple/2026-0…
AI agents like OpenClaw are becoming more common. Our colleagues and @Black2Fan analyzed it and found a way to get remote command execution. Read more here: purpleshift.io/articles/2026…
Gained initial access to a company network… but what next? In this real pentest project our colleague @irabva shows how Kubernetes misconfigurations led to full cluster access and exposed S3 data. If you work with K8s, read this purpleshift.io/purple/2026-0…
Our colleague @haider_kabibo has discovered a flow in MSRPC that introduces a new technique for privilege escalation in processes with SeImpersonatePrivilege. Read More: purpleshift.io/purple/2026-0…
All information you need about attacking System Center Configuration Manager (SCCM) and the best detection mechanisms can be found in our colleague @Gam4enko’s talk: “C2 by Microsoft: What Can Go Wrong If SCCM Ends Up in the Wrong Hands.” purpleshift.io/purple/2026-0…
If you're interested in wireless network penetration testing, you may encounter 802.11r (Fast BSS Transition) used for fast roaming. There’s no Hashcat module for its hashes, but our colleague @0xc0rs recently published one. Find more. purpleshift.io/purple/2026-0…
Sharing highlights from incident response cases in 2022 by @AymanShaaban in brighttalk.com/webcast/18657…. You can get the slides github.com/klsecservices/Pub… and the analyst report github.com/klsecservices/Pub… #dfir #incidentresponse
Significant rise in vulnerability exploitation as initial access vector. Analysis of incident response practice in @AymanShaaban webinar brighttalk.com/webcast/15591… and analyst report github.com/klsecservices/Pub… #dfir #incidentresponse #threathunting
Analyst report for IR cases from 2020 is available github.com/klsecservices/Pub… #DFIR #incidentresponse #threathunting
Dive into #blueteam metrics and adversarial TTPs from our #MDR #threathunting operations github.com/klsecservices/Pub…. More details securelist.com/managed-detec…
#POS terminal and #verix security research will be presented by @zero_wf on #TheStandoff in a couple of minutes. Catch up with the stream standoff365.com/conferences/… and full slide deck github.com/klsecservices/Pub…
Talk by @epotseluevskaya, @_moradek_, @alender911 on #defcon @ICS_Village youtube.com/watch?v=PVV7Ich0…. Actually this is "we don't need backup, so don't bother" recording as they were not able to connect due to technical issues. Anyway, get loot here github.com/klsecservices/SPP…

Greetings from speakers )