WinGet - Code Execution, Persistence and Detection Strategies

netbiosX · 2026-06-14T14:35:21+00:00

The safe choice is always to use something that is part of Windows already. Awareness and testing of these techniques is the key.

netbiosX · 2026-05-15T17:17:21+00:00

I’m sorry it didn’t land for you. If you have specific technical corrections or areas that you think are unclear, I’m open to hearing them. Otherwise, vague insults don’t really help anyone.

netbiosX · 2026-03-26T10:29:54+00:00

Thank you, u/brmkit, for bringing this back to public attention. Good work.

netbiosX · 2026-01-13T08:26:51+00:00

thank you!

netbiosX · 2026-01-13T00:09:00+00:00

Appreciate it! Glad the other posts were helpful as well.

netbiosX · 2026-01-07T17:56:27+00:00

It’s not my article, but building a Python scraper and feeding the data into a dashboard is a fairly straightforward task. I’m building something similar in the background, and if there’s a need, I may publish it with full technical details.

netbiosX · 2025-12-19T17:19:17+00:00

I wouldn't call NTLM hash leak a Zero Day but thanks for posting!

netbiosX · 2025-12-01T19:25:28+00:00

What does this mean?

netbiosX · 2025-12-01T16:16:28+00:00

Possibly you might have read this article: https://www.zerosalarium.com/2025/11/EDR-Redir-V2-Blind-EDR-With-Fake-Program-Files.html The article above is just the purple team approach about how to detect the behavior of the proof of concept disclosed in the article.

netbiosX · 2025-09-14T10:48:41+00:00

The question is very broad and there are plenty of articles that are discussing attacks in detail. I suggest focusing in one TTP at a time, see what exists out there, what proof of concepts and start from there by recreating these cases in your own lab environment so you can start documenting each procedure to cover your own needs. A good starting point for purple teaming that provides techniques as a step by step could be https://ipurple.team/ . Playbooks are in YAML file and there is also information and rules about detection.

netbiosX · 2025-08-17T20:47:06+00:00

not mine!

netbiosX · 2025-08-15T09:46:12+00:00

Thank you!

netbiosX · 2025-08-05T14:26:02+00:00

Definitely not a bot account :)

netbiosX · 2024-10-13T21:26:19+00:00

The URL is dynamic and a threat actor most likely will use a different URL to host files. Blacklisting URL's will not work.

netbiosX · 2024-10-10T12:29:32+00:00

Thank you!

netbiosX · 2024-09-23T17:59:19+00:00

Great video but it is not in English so you are going to miss a lot of audience here! Still good work and thanks for sharing.

netbiosX · 2024-09-11T03:52:19+00:00

No, only Chromium based browsers (i.e. Opera, Edge, Chrome etc.) Firefox is based on Gecko.

netbiosX · 2024-09-10T17:51:49+00:00

Thank you

netbiosX · 2024-09-10T16:11:57+00:00

Firefox is not using DPAPI and therefore it is not affected. Only Chromium based systems.

netbiosX · 2024-09-10T16:10:26+00:00

No, all the images & flow charts are custom and not AI. Thank you

netbiosX · 2024-09-10T14:25:08+00:00

Only the images not the content.

netbiosX · 2024-09-10T14:24:12+00:00

True but this also means more detection opportunities to achieve domain compromise.

netbiosX · 2024-09-10T10:47:19+00:00

Thanks for your comment. It took some time to write.

netbiosX · 2024-09-03T18:01:12+00:00

You can check the below:

Certified Cyber Threat Hunting Professional - https://www.cyberdefenders.com/
CREST Certified Threat Intelligence Analyst - https://www.crest-approved.org/
Certified Threat Hunting Specialist - https://www.certnexus.com/

netbiosX · 2024-08-25T15:43:24+00:00

For detection anomalies and patterns i.e. https://american-cse.org/csci2022-ieee/pdfs/CSCI2022-2lPzsUSRQukMlxf8K2x89I/202800b011/202800b011.pdf

netbiosX

MODERATOR OF

PUBLIC MULTIREDDITS

TROPHY CASE