🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• SinkVPN: Redirecting endpoint cloud telemetry by abusing usermode VPN tunnels - The website `itresit.es` is owned by **ITRESIT SOLUCIONES INFORMÁTICAS S.L.** 🔍 Show Kagi Synopsis
  The cybersecurity article details a post-exploitation technique called **SinkVPN**, which exploits user-mode VPN tunnels to redirect and drop cloud telemetry from endpoints.
  
  **What Happened:**
  Attackers utilize SinkVPN to establish a VPN connection that routes traffic through a gateway they control. By selectively dropping connections intended for specific cloud services, such as telemetry, updates, or management beacons, they can effectively make an endpoint appear "offline" to these services. This is achieved without requiring administrative privileges or making modifications to local firewalls, registry keys, or DNS settings.
  
  **Who is Affected:**
  This technique impacts any cloud function that relies on outbound connections from an endpoint. This includes:
  - Endpoint Detection and Response (EDR) software
  - Patch and update infrastructure (e.g., Windows Update)
  - Mobile-device-management policies
  - Data-loss-prevention (DLP) and Cloud Access Security Broker (CASB) telemetry
  - Remote monitoring and management (RMM) beacons
  - License and compliance audits
  
  **Security Implications:**
  SinkVPN poses significant security risks by enabling attackers to:
  - **Evade EDR solutions:** By making telemetry invisible, it hinders detection by security tools.
  - **Disrupt essential services:** It can interfere with system updates and management functions.
  - **Bypass security policies:** It makes telemetry invisible, thus circumventing policy enforcement.
  The technique exploits a common, unprivileged user feature, highlighting a gap in current defensive controls.
  
  **Technical Details:**
  SinkVPN leverages the default behavior of user-scope VPN connections available on Windows, macOS, Linux, Android, and iOS. This creates a "0/0 route via the VPN adapter," forcing traffic through the attacker-controlled tunnel. The risk can be amplified by proprietary VPN clients whose services often run with high integrity, allowing malicious tunnels to override existing configurations. Key characteristics of this method include:
  - **No elevation required:** It does not need administrative privileges.
  - **Transient artifacts:** The VPN adapter and route disappear after the session ends.
  - **Broad OS compatibility:** It works across multiple operating systems.
  
  **What Defenders Should Know:**
  Defenders need to adopt a multi-faceted approach for detection and mitigation:
  - **Detection:**
  - Monitor network topology for changes in the default gateway (network-topology drift).
  - Collect VPN connection events from both the operating system and third-party clients.
  - Correlate these events with cloud services that report hosts as offline (heartbeat correlation).
  - **Mitigation:**
  - Restrict the ability of users to create VPN profiles.
  - Filter outbound VPN protocols at the network perimeter.
  - Lock down third-party VPN graphical user interfaces (GUIs) to prevent unauthorized profile additions.
  Defenders should treat the establishment of outbound VPN connections as a privileged operation and continuously monitor for routing changes and endpoint communication anomalies.
• 100 Days of KQL 2026: Days 11, 12, 13 and 14 - The content posted at the URL is controlled by **m4nbat** . 🔍 Show Kagi Synopsis
  This cybersecurity article details a detection method for **masquerading**, specifically when a file's original filename does not match its current filename. This technique is often employed by threat actors to disguise malicious executables as legitimate system utilities or files.
  
  **What Happened:**
  The article describes a **Threat Detection Analytic** designed to identify instances where a process is running with a filename that differs from its original filename. This is a common tactic used in cyberattacks to evade detection.
  
  **Who is Affected:**
  While the article doesn't specify particular user groups, **any organization using Microsoft Defender for Endpoint (MDE)** and collecting `DeviceProcessEvents` data can potentially detect this activity. The threats listed, such as **Akira, Carbanak, Turla, Bumblebee, Darkhotel, FIN7, Volt Typhoon, APT1, APT28, APT29, APT41**, and others, indicate that a wide range of sophisticated threat actors utilize this masquerading technique.
  
  **Security Implications:**
  The primary security implication is that **malicious software can operate undetected by appearing as legitimate files**. This can lead to:
  - **System compromise:** Attackers can gain unauthorized access and control over systems.
  - **Data theft:** Sensitive information can be exfiltrated.
  - **Further network propagation:** The initial compromise can be used to spread malware across the network.
  - **Evasion of security controls:** Standard security measures may fail to identify the threat if it's disguised effectively.
  
  **Technical Details:**
  The analytic leverages the `DeviceProcessEvents` data source from Microsoft Defender for Endpoint. It works by:
  - **Comparing `FileName` with `ProcessVersionInfoOriginalFileName`**: It identifies processes where these two fields do not match.
  - **Excluding noisy folders and specific files**: To reduce false positives, common system directories like "Program Files" and "Windows" are excluded, as are specific known benign executables.
  - **Global file prevalence enrichment**: This step helps to filter out legitimate files that might have variations in their original and current filenames due to normal system operations or software updates.
  - **MITRE ATT&CK Mapping**: The technique is mapped to MITRE ATT&CK techniques **T1036.005 (Masquerading: Match Legitimate Resource Name or Location)**, **T1036.003 (Masquerading: Rename Legitimate Utilities)**, and **T1036 (Masquerading)**.
  - **Query Language**: The detection logic is implemented using Kusto Query Language (KQL), as shown in the provided query.
  
  **What Defenders Should Know:**
  Defenders should be aware that:
  - **Masquerading is a common evasion technique**: Threat actors actively use this to hide their presence.
  - **This analytic is low fidelity**: It cannot be used as a sole detection method and requires further investigation.
  - **Context is crucial**: The analytic provides fields like `FolderPath`, `ProcessCommandLine`, `Signer`, `SignatureState`, and `ThreatName` to aid in investigating potential alerts.
  - **Regularly review and tune detections**: To minimize false positives and ensure effectiveness against evolving threats.
  - **Understand the excluded items**: Knowing why certain folders or files are excluded helps in interpreting the results.
• Global Cybersecurity Outlook 2026 - World Economic Forum in collaboration with Accenture 🔍 Show Kagi Synopsis
  The **Global Cybersecurity Outlook 2026** report, published by the World Economic Forum in collaboration with Accenture, analyzes the evolving cybersecurity landscape.
  
  **What Happened:**
  The report highlights that the cybersecurity landscape is being reshaped by **accelerating AI adoption, geopolitical fragmentation, and widening cyber inequity**. These factors are leading to attacks that are faster, more complex, and unevenly distributed.
  
  **Who is Affected:**
  **Organizations and governments** globally are affected by these trends. The report specifically mentions the impact on **economies and societies**.
  
  **Security Implications:**
  The primary security implication is the **rising pressure on organizations and governments to adapt** to a more challenging risk environment. This is exacerbated by persistent **sovereignty challenges and widening capability gaps** in cybersecurity.
  
  **Technical Details:**
  The article does not provide specific technical details about the cybersecurity threats or defenses. It focuses on the broader trends and their implications.
  
  **What Defenders Should Know:**
  Defenders should be aware that cyberattacks are becoming **faster, more complex, and unevenly distributed**. They need to prepare for an environment where **AI adoption, geopolitical shifts, and disparities in cybersecurity capabilities** are key factors influencing the threat landscape. The report aims to provide **actionable insights for strategy, investment, and policy** to help leaders navigate these challenges.
• ProxyBridge: Proxifier Alternative to redirect any Windows/MacOS TCP and UDP traffic to HTTP/Socks5 proxy - InterceptSuite 🔍 Show Kagi Synopsis
  ProxyBridge is a lightweight, open-source universal proxy client designed to provide transparent proxy routing for applications on **Windows** and **macOS** 【1】. It allows users to redirect TCP and UDP traffic from specific processes through SOCKS5 or HTTP proxies, with the capability to route, block, or allow traffic on a per-application basis 【1】.
  
  **What Happened:**
  ProxyBridge has been developed as a tool to enable transparent proxy routing for applications that do not natively support proxy configurations. It acts as an intermediary, intercepting and redirecting network traffic at the system level 【1】.
  
  **Who is Affected:**
  The tool primarily affects users on **Windows** and **macOS** who need to manage or analyze network traffic for specific applications 【1】. This includes:
  - Users who want to route traffic from proxy-unaware applications (e.g., games, desktop apps) through proxies like Tor, SOCKS5, or HTTP 【1】.
  - Security professionals who need to redirect traffic through tools like InterceptSuite/Burp Suite for testing purposes 【1】.
  - Individuals looking to intercept and analyze traffic from applications that lack built-in proxy support 【1】.
  - Users who wish to test application behavior under various network conditions or analyze communication patterns 【1】.
  
  **Security Implications:**
  ProxyBridge offers several security-related use cases and implications:
  - **Enhanced Security Testing:** It facilitates security testing by allowing redirection of application traffic through security analysis tools 【1】.
  - **Traffic Control:** The ability to block specific applications from accessing the internet or specific networks can prevent unauthorized communication or data exfiltration 【1】.
  - **Anonymity:** Routing traffic through proxies like Tor can enhance user anonymity 【1】.
  - **Potential for Misuse:** Like any powerful network tool, it could potentially be misused to reroute sensitive traffic through untrusted proxies if not configured carefully. The feature to prevent proxy loops by excluding proxy applications is a crucial safeguard 【1】.
  
  **Technical Details:**
  - **Cross-Platform:** Supports both Windows and macOS 【1】.
  - **System-Level Interception:** Works by intercepting packets at the kernel or network extension level 【1】.
  - **Windows Implementation:** Utilizes **WinDivert** for kernel-level packet interception. Requires Windows 10 (64-bit) or later and administrator privileges. Features an Avalonia-based GUI and a CLI 【1】.
  - **macOS Implementation:** Employs Apple's **Network Extension framework** for transparent proxy capabilities. Requires macOS 13.0 (Ventura) or later and supports both Apple Silicon and Intel processors. Features a native SwiftUI interface 【1】.
  - **Proxy Support:** Works with **SOCKS5** and **HTTP** proxies 【1】.
  - **Protocol Agnostic:** Supports both **TCP** and **UDP** protocols, making it compatible with a wide range of applications (HTTP/HTTPS, databases, RDP, SSH, games, DNS, etc.) 【1】.
  - **Flexible Rules:** Allows for detailed rule configuration based on processes, IPs, ports, protocols, and hostnames, with wildcard support 【1】.
  - **Interfaces:** Offers both a graphical user interface (GUI) and a command-line interface (CLI) 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of ProxyBridge as a tool that can be used to manipulate network traffic at a system level. Key points for defenders include:
  - **Traffic Redirection:** Understand that applications might have their traffic rerouted through proxies without explicit user knowledge within the application itself 【1】.
  - **System-Level Access:** The tool operates with elevated privileges (administrator on Windows, Network Extension on macOS) to achieve system-level interception 【1】.
  - **Bypassing Network Controls:** It can potentially bypass network security controls or monitoring systems if traffic is routed through external proxies 【1】.
  - **Detection:** Network monitoring may show traffic originating from unexpected IP addresses or ports if ProxyBridge is in use. Analyzing process activity on endpoints can help identify its presence 【1】.
  - **Configuration Management:** Be aware of the flexible rule configurations, which allow for precise control over which applications and traffic types are routed or blocked 【1】.
  - **Use Case Awareness:** Recognize that it can be used for legitimate purposes like security testing and analysis, as well as potentially for malicious activities if deployed by unauthorized users 【1】.
• ai-knowledge-graph: AI Powered Knowledge Graph Generator - robert-mcdermott 🔍 Show Kagi Synopsis
  The provided article describes an **AI-Powered Knowledge Graph Generator** that transforms unstructured text documents into interactive knowledge graphs.
  
  **What Happened:**
  The system processes a given text document by first breaking it into smaller, manageable chunks. It then uses a chosen Large Language Model (LLM) to extract knowledge in the form of Subject-Predicate-Object (SPO) triplets from each chunk. These triplets are then standardized to ensure consistent entity naming, and relationships are inferred to connect disparate parts of the graph. Finally, an interactive HTML visualization of the knowledge graph is generated.
  
  **Who is Affected:**
  This tool is designed for users who work with large amounts of unstructured text and wish to extract and visualize the relationships within that data. This could include researchers, data analysts, or anyone needing to understand complex information landscapes.
  
  **Security Implications:**
  The article does not directly address cybersecurity implications. However, the system's reliance on LLMs and its ability to process and connect information could have indirect security relevance:
  - **Data Privacy**: If sensitive documents are processed, the LLM's handling of that data becomes a privacy concern. The system supports various LLM endpoints, including local ones (like Ollama), which could mitigate some risks associated with sending data to external cloud services.
  - **Information Leakage**: The generated knowledge graph could inadvertently reveal sensitive connections or patterns within the input data if not properly secured.
  - **Supply Chain Risks**: As with any software, the dependencies and the LLM models themselves could be potential vectors for security vulnerabilities.
  
  **Technical Details:**
  - **Core Functionality**: Extracts Subject-Predicate-Object (SPO) triplets from text using LLMs.
  - **Features**:
  - **Text Chunking**: Splits large documents into smaller parts.
  - **Knowledge Extraction**: Identifies entities and relationships.
  - **Entity Standardization**: Aligns different mentions of the same entity.
  - **Relationship Inference**: Adds new connections between entities, including transitive and LLM-assisted inference.
  - **Interactive Visualization**: Generates HTML graphs using the PyVis library.
  - **Configuration**: Uses a `config.toml` file to set LLM parameters (model, API key, base URL, max tokens, temperature), chunking parameters (size, overlap), and options for entity standardization and relationship inference.
  - **LLM Compatibility**: Works with any OpenAI-compatible API endpoint, including Ollama, LM Studio, OpenAI, vLLM, and LiteLLM.
  - **Process Flow**:
  1. **Chunking**: Text is divided into overlapping chunks.
  2. **SPO Extraction**: LLM processes each chunk to extract triplets.
  3. **Entity Standardization**: Entities are aligned (optional, can use LLM).
  4. **Relationship Inference**: New relationships are inferred (optional, can use LLM).
  5. **Visualization**: An interactive HTML graph is created.
  - **Visualization Features**: Color-coded communities, node sizing by importance, distinct line styles for original vs. inferred relationships, and interactive controls.
  
  **What Defenders Should Know:**
  While the article focuses on knowledge graph generation, defenders should consider the following:
  - **Data Handling**: Understand where the input data is processed (local vs. cloud LLM) and the associated privacy and security risks.
  - **LLM Security**: Be aware of the security posture of the chosen LLM endpoint. Local deployments might offer more control but require diligent security management.
  - **Output Security**: The generated knowledge graph itself could be a target or a source of sensitive information. Access controls and secure storage of the output files are important.
  - **Configuration Security**: Ensure that sensitive configuration details, such as API keys, are managed securely.
  - **Vulnerability Management**: Regularly update dependencies and the system itself to patch any known vulnerabilities.
• This script fetches installed browser extensions for the supported browsers and displays them in the terminal. - The content posted at the URL is controlled by **Bert-JanP**. 🔍 Show Kagi Synopsis
  The `ListBrowserExtensions.ps1` PowerShell script is an incident response tool designed to **enumerate installed browser extensions** for **Google Chrome, Mozilla Firefox, and Microsoft Edge** 【1】.
  
  Here's a breakdown of its aspects:
  
  * **What happened:** The script itself doesn't describe an event; rather, it's a tool to investigate potential events. It's used to gather information about browser extensions that might be relevant during a security incident.
  * **Who is affected:** The script affects users who have Google Chrome, Mozilla Firefox, or Microsoft Edge installed on their systems. The information it gathers pertains to the extensions installed within these browsers.
  * **Security implications:** The script's security implication lies in its ability to **detect potentially unwanted or malicious browser extensions** 【1】. These extensions could be used for various malicious purposes, such as data theft, phishing, or redirecting users to malicious websites. By listing them, investigators can identify potential threats.
  * **Technical details:** The script operates by checking the default installation directories for each of the supported browsers and then listing the extension directories found within them. It **only requires user-level permissions** to execute 【1】.
  * **What defenders should know:** Defenders can use this script as part of their incident response toolkit to **quickly identify suspicious browser extensions** that may have been installed without the user's knowledge or consent 【1】. This information can be crucial in understanding the scope of a compromise and identifying potential attack vectors.
• ADTrapper: Hunt Smarter, Hunt Harder - ADTrapper is a comprehensive security analysis platform designed for cybersecurity professionals to analyze Windows Active Directory authentication logs. - The content posted at the URL https://github.com/MHaggis/ADTrapper is controlled by **MHaggis** (Michael Haag). 🔍 Show Kagi Synopsis
  ADTrapper is an **Active Directory Security Analysis Platform** designed to help cybersecurity professionals analyze Windows authentication logs for security threats.
  
  **What Happened:**
  ADTrapper was developed to provide advanced threat detection, anomaly analysis, and interactive visualizations for Windows authentication logs. It transforms raw log data into actionable security insights.
  
  **Who is Affected:**
  The platform is intended for **cybersecurity professionals** and **organizations that utilize Windows Active Directory**. It directly impacts these entities by providing tools to monitor and secure their AD environments.
  
  **Security Implications:**
  ADTrapper aids in detecting a range of security threats within Active Directory, including:
  - **Brute force attacks**
  - **Password spraying**
  - **Privilege escalation**
  - **ADCS (Active Directory Certificate Services) attacks**
  It offers over 54 detection rules and can integrate with SharpHound data for a more comprehensive analysis, thereby strengthening an organization's defense against common and advanced AD-based threats.
  
  **Technical Details:**
  The platform is built with a modern tech stack:
  - **Frontend:** Next.js 14, TypeScript, Tailwind CSS
  - **Backend:** Node.js 20 LTS
  - **Database:** PostgreSQL 15
  - **Deployment:** Docker containers managed by Docker Compose
  
  Key features include interactive force-directed graph visualizations, SharpHound integration, and a self-contained Docker deployment. Data collection is handled by a PowerShell script (`capture.ps1`) which can gather authentication events (e.g., 4624/4625, Kerberos, NTLM) and AD CS events. It also supports AD enrichment and can output data in CSV or JSON formats.
  
  **What Defenders Should Know:**
  Defenders can leverage ADTrapper for proactive monitoring of their Active Directory environment. Key points for defenders include:
  - **Prerequisites:** Docker and Git are required.
  - **Deployment:** A quick start guide is available for deployment, with options for both simple and production environments.
  - **Data Collection:** Understanding the `capture.ps1` script and the types of events it collects is crucial for effective log analysis.
  - **Features:** Familiarity with the interactive visualizations and SharpHound integration will enhance threat hunting capabilities.
  - **Production Deployment:** For production use, defenders should consider secure password configuration, HTTPS, firewall rules, backups, and reverse proxies.
• Obfusk8: Obfusk8: lightweight Obfuscation library based on C++17 / Header Only for windows binaries - x86byte 🔍 Show Kagi Synopsis
  Obfusk8 is a C++17 obfuscation library designed to make reverse engineering of applications more difficult by employing various compile-time and runtime techniques to protect code logic and data.
  
  **What Happened:**
  The Obfusk8 library has been developed to offer developers tools for obfuscating their C++ applications. Its primary goal is to deter reverse engineering by complicating code analysis.
  
  **Who is Affected:**
  - **Developers:** Those who want to safeguard their intellectual property, prevent code tampering, or make their applications harder to analyze.
  - **Reverse Engineers and Malware Analysts:** Individuals attempting to understand, decompile, or analyze software will encounter increased challenges.
  
  **Security Implications:**
  - **Enhanced Code Protection:** Significantly hinders attackers from understanding application logic, extracting sensitive data, or discovering vulnerabilities.
  - **Deters Reverse Engineering:** Increases the time, effort, and expertise required to reverse engineer applications.
  - **Malware Evasion:** While its stated purpose is legitimate code protection, it can be used by malware authors to evade detection by security software and analysts.
  
  **Technical Details:**
  Obfusk8 utilizes several advanced techniques:
  - **`main` Function Wrapping (`_main` Macro):** Modifies the application's entry point to include:
  - **Virtual Machine (VM) Execution:** A simulated CPU executes "encrypted" instructions.
  - **Indirect Control Flow Flattening (ICFF):** Employs complex state machines and dynamic keys to obscure control flow.
  - **Bogus Control Flow:** Inserts misleading jump patterns and opaque predicates (`OBF_BOGUS_FLOW_*` macros).
  - **Anti-Analysis & Anti-Debug:** Incorporates forced exceptions (SEH) and debugger checks.
  - **Virtual ISA Engine (`obf_vm_engine`):** Simulates a custom CPU with volatile registers, a program counter, and a `dispatch_key`. Instructions are disguised using Mixed Boolean-Arithmetic (MBA) and bitwise manipulations, with randomized handler dispatch.
  - **Compile-Time String Encryption (`OBFUSCATE_STRING`):** Encrypts string literals using a modified AES cipher with dynamic keys, decrypting them on the stack at runtime.
  - **Stealthy Windows API Calling (`STEALTH_API_OBFSTR` / `OBF_STEALTH_API`):** Bypasses the Import Address Table (IAT) by using PEB-based resolution and compile-time hashed names for DLL and API lookups.
  - **Advanced Indirect Syscall Engine (`K8_SYSCALL`):** Resolves system call numbers by parsing the Export Directory of `ntdll.dll` and uses a `syscall; ret` gadget from `ntdll.dll` to maintain clean call stacks, circumventing user-mode hooks.
  - **API Abstraction Classes:** Helper classes (e.g., `K8_ProcessManipulationAPIs`, `k8_NetworkingAPIs`) that encapsulate common Windows APIs and automatically use stealthy resolution mechanisms.
  - **Core Obfuscation Primitives:** Includes building blocks such as Mixed Boolean-Arithmetic (MBA), Opaque Predicates, Junk Code Injection (`OBF_CALL_ANY_LOCAL_JUNK`), and Anti-Disassembly tricks (`OBF_JUMP_*`, `OBF_STACK_ALLOC_MANIP`).
  
  **What Defenders Should Know:**
  - **Increased Analysis Complexity:** Obfuscated code demands more advanced reverse engineering techniques and tools, significantly increasing analysis time and effort.
  - **Dynamic Analysis is Crucial:** Techniques like VM execution, runtime decryption, and dynamic API resolution diminish the effectiveness of static analysis. Defenders should prioritize dynamic analysis, including debugging, sandboxing, and memory analysis.
  - **Challenges for Signature-Based Detection:** Obfuscation methods such as junk code injection, control flow flattening, and encrypted strings can make it harder for signature-based detection to identify malicious code.
  - **Focus on Behavior:** Defenders should concentrate on the observable behavior of an application rather than solely on its static code structure. This includes monitoring API calls, network activity, and process interactions.
  - **Obfuscation is Not Invincibility:** While Obfusk8 substantially raises the bar for attackers, it is a defensive layer, not an infallible solution. Determined attackers may still find ways to deobfuscate or bypass the protections.
  - **Potential for Malware Use:** The same techniques used for legitimate code protection can be, and often are, employed by malware authors to evade detection.
• Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure - Red Asgard 🔍 Show Kagi Synopsis
  The cybersecurity article details an investigation into the Command and Control (C2) infrastructure of the **Lazarus Group**, a North Korean threat actor, which was uncovered through a cryptocurrency project on Upwork. This campaign, named "Contagious Interview," targets organizations that outsource development work, particularly in the cryptocurrency and Web3 sectors.
  
  **What Happened:**
  The Red Asgard threat research team discovered malware embedded within a cryptocurrency project obtained via Upwork. This discovery initiated a five-day investigation that mapped the attackers' active C2 infrastructure. The malware was delivered through several methods:
  - **VSCode Auto-execution:** Exploiting `.vscode/tasks.json` for automatic execution.
  - **Backend Remote Code Execution (RCE):** Utilizing `Function.constructor` within `errorHandler.js`.
  - **Cookie Payload Delivery:** Fetching JavaScript from a C2 server via a cookie mechanism.
  
  **Who is Affected:**
  The primary targets are **organizations that hire freelance developers**, especially on platforms like Upwork, for projects related to **cryptocurrency or Web3 technologies**. The malware is disguised within seemingly legitimate code repositories, posing a significant **supply chain risk**.
  
  **Security Implications:**
  The Lazarus Group is employing advanced techniques for malware delivery, C2 communication, and payload execution, leading to several security implications:
  - **Malware Infection:** Compromise of developer environments and client projects.
  - **Data Theft:** Exfiltration of sensitive information, including browser data, wallet credentials (Exodus, MetaMask), and other credentials.
  - **Resource Hijacking:** Deployment of XMRig cryptocurrency miners on victim machines.
  - **Evasion Tactics:** The group uses extensive obfuscation (64 layers involving Base85, XOR, zlib, and reversed base64), masquerading (e.g., `msedge.exe` for miners, `Runtime Broker.exe` for persistence), and custom binary protocols (`Z238`) to evade detection.
  - **Infrastructure Blending:** They reuse MongoDB Atlas clusters for both C2 backend and legitimate development projects to conceal their activities.
  - **Active Defense:** The operators actively monitor their infrastructure and respond to probing by taking services offline, closing ports, and implementing rate limiting.
  
  **Technical Details:**
  - **Attack Vectors:** VSCode auto-execution, backend RCE via `Function.constructor`, and cookie payload delivery.
  - **Infrastructure:** Initial C2 servers were hosted on Vercel (e.g., `task-hrec.vercel.app`, `kb102531x.vercel.app`). Subsequent C2 servers were dedicated, with IPs like `147.124.213.232` and `147.124.212.125`, running Windows Server with Express.js on port 1244 and pyftpdlib on port 21.
  - **Payloads:** Modular payloads were delivered via token-authenticated endpoints, including stealers for Chrome and wallets, network modules, Remote Access Trojans (RATs), and the Tsunami backdoor bundled with an XMRig miner.
  - **Obfuscation:** A complex 64-layer obfuscation process was used, incorporating Base85, XOR, zlib, and reversed base64.
  - **Protocols:** A custom binary protocol was observed on ports 22411-22412 of the `Z238` server, utilizing XOR 0xcb for payload encoding.
  - **Persistence:** Achieved through the Startup folder (`Windows Update Script.pyw`), Scheduled Tasks ("Runtime Broker"), and Microsoft Defender exclusions.
  - **Dead Drops:** Encoded Pastebin profile URLs (approximately 1,000) were used for dead drop resolution.
  - **XOR Keys:** Various XOR keys were identified for file encryption, network module variants, Base85 decryption, URL encoding, and module decryption.
  
  **What Defenders Should Know:**
  - **Thorough Vetting:** Organizations must **rigorously vet code repositories** from freelance developers. It is recommended to **disable VSCode auto-run tasks** and review `package.json` scripts before running `npm install`.
  - **Indicators of Compromise (IOCs):**
  - **Network IOCs:** Specific C2 IPs such as `147.124.213.232` and `147.124.212.125`, and ports like 1244/tcp and 1249/tcp.
  - **Host IOCs:** Suspicious file names like `Windows Update Script.pyw`, `Runtime Broker.exe` in non-standard locations, and `msedge.exe` in specific paths. Directory creations such as `~/.vscode/pay`, `~/.vscode/bow`, and `~/.n2/` are also indicators.
  - **Detection Signatures:** YARA strings like `!!!HappyPenguin1950!!!`, `TSUNAMI_INJECTOR`, `G01d*8@(`, and `.vscode/pay` can be used for detection.
  - **Awareness of Active Defense:** Defenders should be aware that the Lazarus Group operators are actively monitoring their infrastructure, and their activities might trigger defensive responses from the attackers.
  - **Understanding Sophistication and Weaknesses:** While the Lazarus Group demonstrates mature operational security (OPSEC) by compartmentalizing credentials and blending C2 infrastructure with legitimate services, they also exhibit vulnerabilities such as hardcoded credentials and timing oracles that can be exploited for detection.
• OID-See: Giving Your OAuth Apps the Side-Eye - The content posted at the URL is from a personal blog. The author states, "This is a personal blog and all content herein is my own opinion and not that of my employer." 🔍 Show Kagi Synopsis
  OID-See is a tool designed to analyze OAuth applications and service principals within Microsoft Entra ID, mapping their relationships to identify potential abuse paths and impersonation risks. It functions similarly to "BloodHound for OAuth in Entra" by visualizing these connections in a graph format. The tool is intended for Entra administrators, cloud security engineers, and anyone concerned about the security implications of SSO integrations.
  
  ### What Happened
  
  OID-See was developed to address the complexity and obscurity of OAuth application sprawl in Microsoft Entra ID. Traditional methods of reviewing applications in tables are insufficient for understanding the intricate relationships and potential attack vectors. OID-See uses a graph model to make these relationships apparent, allowing for the identification of risks that would otherwise be missed. A key finding highlighted by the tool is "identity laundering," where metadata from Microsoft accounts can mislead defenders about the true origin and trustworthiness of third-party OAuth applications.
  
  ### Who is Affected
  
  The tool is designed for **Entra administrators** and **cloud security engineers** who are responsible for managing and securing Microsoft Entra ID environments. It is also relevant for anyone who has implemented or relies on "harmless SSO integrations" that utilize OAuth applications.
  
  ### Security Implications
  
  OID-See aims to uncover several critical security risks associated with OAuth applications:
  
  * **Impersonation**: Delegated permissions that allow an application to act as a user across sensitive resources.
  * **Over-privilege**: Applications with excessive or overly broad scopes that grant more permissions than necessary.
  * **App Permissions**: Application roles and permissions that can lead to a significant blast radius if compromised.
  * **Persistence**: The use of long-lived credentials, refresh tokens, or federated credentials that allow an application to maintain access stealthily.
  * **Reachability**: Applications that do not require assignment are exposed by default, increasing their attack surface.
  * **Trust Signals**: Misleading metadata, such as a "Microsoft Accounts" publisher for a third-party app, can obscure the true provenance and trustworthiness of an application. This includes issues with verified publishers, identity laundering heuristics, and unusual reply URL configurations.
  * **Governance**: Lack of clear ownership, problematic assignment models, and unclear responsibility for applications.
  * **Long-lived Credentials**: The presence of unmanaged or expired password and key credentials associated with service principals and applications.
  * **Public Client Configurations**: Applications configured as public clients can expand the attack surface, even if they are not inherently malicious.
  
  ### Technical Details
  
  OID-See operates on a "Graph-only first" principle, meaning it primarily relies on Microsoft Graph API calls to gather data. The scanner performs the following:
  
  * **Data Collection**: It makes various Microsoft Graph API calls (including beta endpoints) to enumerate service principals, application objects, delegated permission grants, app role assignments, owners, and directory role contexts. Key properties like `passwordCredentials`, `keyCredentials`, and `federatedIdentityCredentials` are inspected.
  * **Enrichment**: The tool enriches the collected data by analyzing reply URLs, parsing schemes, normalizing domains, and detecting brokered schemes. Optional enrichment includes WHOIS, RDAP, DNS nameserver, and ASN information to validate domain provenance and reduce false positives.
  * **Scoring**: OID-See generates risk scores that are externalized, explainable, and configurable. It differentiates between risks like impersonation and persistence, and considers context such as privileged scopes, broad reachability, and the presence of assignments. It also flags signals like `CREATED_PRE_CONSENT_HARDENING` for apps created before significant consent hardening measures were introduced.
  * **Authentication**: The scanner uses the **device code flow** for authentication to Microsoft Graph, avoiding embedded client secrets and SaaS models. It utilizes the well-known Azure CLI client ID (`04b07795-8ddb-461a-bbee-02f9e1bf7b46`) by default but supports a "bring your own app registration" mode.
  * **Required Graph Scopes**: The necessary scopes for the scanner are `Directory.Read.All`, `Application.Read.All`, `AppRoleAssignment.Read.All`, and `DelegatedPermissionGrant.Read.All`.
  * **Graph Model**: The core of OID-See is its graph representation, which visualizes nodes (applications, users, resources) and edges (relationships, permissions, assignments). This allows for the identification of derived paths such as "Effective impersonation paths" and "Persistence paths."
  
  ### What Defenders Should Know
  
  Defenders should understand the following when using or evaluating OID-See:
  
  * **Relationship-Centric Risk**: OAuth risk is fundamentally a relationship problem. Tables obscure these relationships, while graphs make abuse paths obvious.
  * **Metadata Can Mislead**: Be aware that Microsoft's metadata, particularly regarding publishers and ownership, can be misleading. Unverified applications can appear "Microsoft-shaped," and "Microsoft Accounts" as a publisher does not automatically guarantee trustworthiness.
  * **URL Analysis Nuances**: Naive analysis of reply URLs can lead to false positives, especially with Microsoft's own ecosystem. Domain provenance checks (RDAP, WHOIS, DNS) are crucial for accurate assessment. Wildcard reply URLs, while sometimes legitimate, should be flagged as a risk signal.
  * **Explainable Scoring is Key**: The scoring mechanism must be transparent and explainable. OID-See prioritizes clear explanations for risk assessments, moving beyond simple node connections to provide actionable insights.
  * **Workflow**: A recommended workflow involves running Graph-only scans first, then using risk summaries and filters to identify suspicious applications. Enrichment can be enabled for deeper validation.
  * **Complementary Tool**: OID-See is not a replacement for Cloud Security Posture Management (CSPM) or Identity Security Posture Management (ISPM) tools but complements them by focusing specifically on the identity attack surface and the potential for impersonation and privilege escalation through OAuth applications.
  * **Non-SaaS Design**: The tool is designed to run locally, producing a file for local exploration, which avoids sending telemetry to external services.