GitHub

powershell_fileless_script_contains_base64_encoded_content.yml

description: The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell ...
GitHub

powershell_4104_hunting.yml

description: The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field ...
LinkedIn

Investigating Windows 3.x | TryHackMe — Sysmon, Empire C2 and Process Injection Forensics

This investigation picks up where the previous Windows forensics rooms left off, but pushes significantly deeper into the attacker's post-exploitation playbook. Rather than relying on obvious ...
pentestpartners.com

Breaking Out of Citrix and other Restricted Desktop Environments

Many organisations are turning to virtualisation of apps and desktops. This often involves virtualisation platforms such as Citrix to deliver these services. Get your configuration or lock-down wrong ...
WeLiveSecurity

Gamaredon X Turla collab

In February 2025, we discovered that the Gamaredon tool PteroGraphin was used to restart Turla’s Kazuar backdoor on a machine in Ukraine. In April and June 2025, we detected that Kazuar v2 was ...
Bitdefender

Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds

This research from Bitdefender Labs details a cluster of malicious activity we've been tracking since mid-2024. It uncovers a new threat actor group we’ve named Curly COMrades, operating to support ...