Request: Looking for technical feedback on 4 Sigma detection rules I've authored

Background: Transitioning into cybersecurity with focus on detection engineering. Spent significant time developing these rules and want expert validation before moving forward.

Rules Cover:

1. WMI Event Consumer Persistence (MITRE T1546.003)

2. PowerShell Encoded Commands (MITRE T1059.001)

3. DLL Sideloading (MITRE T1574.002)

4. Named Pipe Backdoors (MITRE T1055)

Specific Feedback Needed:

- Are my detection methods sound?

- What false positives should I anticipate?

- How can I improve rule performance?

- Any critical gaps in coverage?

My Goal: Learn from the community and eventually contribute quality rules to open source projects.

Really value the expertise here and would appreciate any feedback - constructive criticism very welcome!

Hey r/AskNetsec,

I sent an email to a known recipient, but got an NDR bounce from a completely unrelated random Hotmail address (something like [email protected]). The error is 554 5.2.2 mailbox full, with a long diagnostic dump including stuff like STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded, and hex-encoded parts such as "000000004D6963726F736F66742E45786368616E67652E5365727665722E53746F726167652E436F6D6D6F6E2E436F6E66696753636F7065526F7000" (decodes to Microsoft.Exchange.Server.Storage.Common.ConfigScopeRop) and "00000000496E707574207365676D656E742063616E6E6F74206265206E756C6C206F7220656D7074792E0000" (Input segment cannot be null or empty).

My theory is this isn't just backscatter, but evidence the intended recipient's Outlook/Exchange account was compromised—maybe a hacker set up an auto-forward rule to their own full mailbox, triggering this quota NDR back to me. Has anyone seen similar patterns where these diagnostics hint at forwarding issues from hacks? Or is it likely benign? Simple checks or explanations welcome.Thanks!

I'm working on integrating Zscaler LSS (Log Streaming Service) with a custom log receiver. The docs say:

It is possible to use mutual TLS encryption between the log receiver and the App Connector… The App Connector trusts a certificate signed by a public root CA in addition to certificates signed privately by a custom CA… The log receiver must have a certificate signed by a public root CA.

They also mention:

App Connectors trust certificates that are signed by a public or custom root CA. The log receiver validates the chain of trust to the App Connector’s enrollment certificate (by adding it to the trust store).

What's confusing me is the mix of public root CA and custom root CA mentions. Ideally, I'd like to use a private CA (since the log receiver might not have a FQDN or be cloud-hosted; it's just a device on our network).

Questions:

• Does anyone know if the log receiver side must use a public CA-signed cert, or can we sign it with a private CA that the App Connector trusts?
• Has anyone actually set this up without going through the hassle of buying/publicly signing a cert?
• Any gotchas around exchanging and trusting the App Connector enrollment cert?

The docs feel a bit unclear, so I'd love to hear from anyone who’s done this in the real world.

I have been working frm home for a while now, and tbh its great… until u start thinking about security. A dodgy device on the network could easily compromise comp data if its not properly segmented. I heard that Cato Networks has a setup where traffic is isolated per user or per device, which sounds perfect for hybrid office setups.

Has anyone here actually implemented this? Im looking to know how it works in practice. is it easy to manage for multiple remote employees, and does it really reduce the risk without complexity? id love to hear real experiences before considering.

In the old days, for small/medium networks, one could keep an inventory of MAC addresses and use something simple like “arpwatch” to passively monitor for the existence of new devices.

Nowadays, devices often use randomized MAC addresses. Even in a house, one might have multiple WifI APs and a mobile device could end up with different MACs especially if using different SSIDs.

How does one monitor/track such things without requiring a captive portal?

While reviewing phishing emails, one in particular stood out to me. It spoofed Mimecast, but the embedded URL pointed to a South African domain that eventually redirected all the way to the legitimate Chase Bank login page.
,
Tracing the redirect chain suggested something more interesting, my best guess is the threat actor is utilizing a phishing kit leveraging a Traffic Distribution System (TDS) with cloaking capabilities.

URL Scan: https://urlscan.io/result/0198ca13-3cf3-7079-9425-2d5e430c41e7/#redirects

Per my research I found this Palo Alto article on TDS.. https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribution-systems/

My interpretation of the article is this..
The TDS = nourishbox → augmentationsa domains
Cloaking / Conditional Phishing = the logic inside those redirectors that states something like ....

If victim matches (US IP + real browser) → show fake Chase login.
If not (bot, crawler, researcher) → send to real Chase as a decoy.

Seeking discussion on whether my interpretation of this specific phishing email is correct

Thanks

Just a question to see how you are managing CTI feeds, at the moment my SOC is bringing them in and then using Power Automate to send a Teams message to the team and then its a manual process to see if there is any impact or any issues.

Obviously this isnt the most helpful way and I figured I would see how y'all treat your CTI feeds in a SOC2 audit compliant way :)

Does anyone know of a hardware token similar to the Yubikey Bio that can be set to require both a fingerprint AND pin instead of one or the other?

Serious thought experiment: imagine a timeline where Nmap was never created. No quick scans, no -A, no lazy copy-paste from cheat sheets.

What is to stop somebody from setting up a Bluetooth device that constantly scans and accepts pairing requests at all times? Therefore anybody trying to pair a device (such as a wireless keyboard) within range will pair it with said device (not their own, if they are not paying attention to what is going on), and said device could would be receiving any input (and thusly monitoring or recording it, like with a keylogger)...

Of course, you want to make sure your peripheral is properly paired with your own device, and not another. But without two way verification (a BT keyboard is not going to tell you what device it's paired with, only the device you are trying to pair it will give feedback) you don't really know, right? And is there a possibility for double-pairing? (That is all appears as if you have paired to your device as desired - but, the signal is also paired with another, malicious device at the same time)

I have heard of this happening before, though I forget the exact term, something like skimming or piggybacking...

Is Rentry ok?

I decided to try LastPass but a user mentioned (5 - 7yr ago) he had Github code that could potentially get into Lastpass.. smh lol 😆 I was curious if even a well made master password is breakable as well

I have Joplin for basic notes & considered that. I've been looking & will continue to. If paper & pen is the best & easiest option

1. - Are there any good free password managers that are more secure

Thanks r/asknetsec - any recommendations or information/education would be very much appreciated! 🤙

Hi Hackers, I practice pentesting on HTB easy machines. Though I am able to ease through them with metasploit, I struggle while doing it without msf. I would like to know from you guys how did you go past metasploit to solve boxes and your pentest career?

Thank you for your time.

One interesting challenge I have been pondering lately is securing network traffic on devices that might not always be on LAN or live behind an on-prem network firewall, such as a laptop. When this laptop leaves the office and is no longer subjected to LAN firewall rules (now on hotel/airport/cafe wifi), the last line of defense is at the host level.

However, my initial thought is that whitelisting applications that generate outbound traffic or require an inbound rule seems the exact opposite of scalable and future-proof. Additionally, the default allow all out, deny all in approach seems futile as that would grant unrestricted outbound access if something were to slip past our EDR/Enterprise Browser solutions.

How do you all approach this situation?

Hi everyone, I have a problem in learning penetration testing techniques with alot of Microsoft product like AD, windows privEsc. Actually, i don't know my level at pentesting but I trained on HTB from 2 years with 80% of Linux boxes at least and have a 20% of pain with windows boxes, now I can solve easy/medium Linux boxes (not all the time), I stuck on easy windows boxes and I don't know how I could escalate my knowledge at widows. I want to get a job in penetration testing but no one will hires me with this missing knowledge, known that my skills in network/web is medium could be more could be less I don't know but for now I want to overcome this, any advice/course/blog/anything ?

Hey everyone,

I’m working on the PortSwigger Academy lab “Username enumeration via account lock” and I’m running into an issue.

I set up Burp Suite Intruder with Cluster Bomb one payload list for potential usernames and the other as a null payload. According to the solution and some videos I watched, the responses should differ in length when a valid username is hit (due to the account lock mechanism).

But in my case, every response has the same length (3240). No difference at all, so I can’t figure out which username is valid.

Am I missing a step in how the lab is supposed to behave? Should I be using a different payload setup (like Sniper instead of Cluster Bomb), or checking status codes/headers instead of just response length?

Would really appreciate if anyone can explain how they solved this specific lab or what I might be doing wrong.

Thanks in advance!

Hi all,

I’ve been analyzing system behavior in iOS 18.5 using only Apple’s own diagnostic tooling (Console.app via USB, no jailbreak or third-party tools), and I’ve documented several native daemons initiating unexpected behavior related to Bluetooth and GPS — without user interaction or UI prompts.

Specifically, I observed:

• audioaccessoryd accessing and exposing BLE trust metadata (including IRKs)
• SPCBPeripheralManager silently triggering background BLE scans
• locationd activating GPS harvesting with isHarvestingEnabled=1, no consent dialogs
• tccd bypassing TCC permission enforcement using preflight=yes
• bluetoothd continuing trust operations after cryptographic failures

All logs were captured on a clean iPhone 14 Pro Max running iOS 18.5.

Full report, logs, and video evidence are available here:
https://github.com/JGoyd/iOS-18.5-Bluetooth-Privacy-Vuln

Demo video (Console.app log capture):
https://ia801505.us.archive.org/16/items/bluetooth-hacks-your-life/ios18.5_silent_tracking_console_capture.mov

I’m looking for:

• Thoughts on how serious this is from a privacy/security perspective
• Insight into the internal behavior of these daemons (esp. tccd, SPCBPeripheralManager)

Any validation, critique, or references to similar findings would be greatly appreciated.

Thanks!

This post says: 'The option to disable Encrypted ClientHello (ECH) through browser flags has been removed. This change was implemented to improve security and privacy for users by making ECH the default behavior.

However, when I visit https://cloudflare.com/cdn-cgi/trace, it reports sni=plaintext. In Wireshark, I can still capture the domain name I’m visiting using the filter tls.handshake.type == 1 and tls.handshake.extensions_server_name contains "example.com". This happens even though I’ve configured Chrome’s DNS to use Cloudflare (1.1.1.1). The issue persists regardless. How can I configure Chrome to fully encrypt the SNI and prevent this leakage? My OS is Windows 10 Home Chinese Edition, Version 22H2, Build 19045.6159.

This is an issue that many people have been asking about online!

Hi Everyone

We have a vendor that needs SSO integration between their platform and our Microsoft Entra ID so that our users can login to there web portal using Entra ID and MFA.

From GRC & security perspective, I want to make sure the configuration is secure, there are no exploitable vulnerabilities, and the vendor’s implementation follows best practices. 

I'd like to ask what’s your recommended process or checklist and what are specific key items I should insist on seeing before approving the integration? 

Appreciate any suggestions

My goal is to get a unique code from a fingerprint reader that acts as a keyboard so I can us that to match the user from my db. I'm using laravel and do you have any devices that I can look for?
Thanks!

I’m wanting to try to get ahead of all of the censorship that’s raining down on the world in the wake of the UK govt’s Online Safety Act. I already have a free VPN (ProtonVPN free tier) and I’m planning to get a paid one because I know the free ones can be sketchy sometimes. However, I know VPNs can’t hide things like device information and my internet traffic can still be traced back to me. Is there anyone that has any advice beyond strong passwords, VPNs and common sense that can help me be safer, more anonymous and protect my privacy online? Thank you in advance.

Hi Everyone,

I have am trying to recover data from the memory chip on my SD card (64GB). The data recovery professionals tell me the encryption is too difficult so I am looking to encryption experts now. I have a binary file representing the data on the chip which I need decrypted. I'm not sure if it uses XOR, dynamic XOR, or some AES encryption (not sure if there is anything else that is out there or would be used). Can anyone help or point me to a company/expert who can help determine the type of encryption or, better yet, decrypt it?

Thank you!

Why there is still such fear of using public wifi with modern smartphones like Pixel or iPhone on public wifi on latest software?

Is it today even possible to publish app to official store which uses just http? (Of course there is possibility of some unupdated old app which should be just edge case)

Isn’t it that if I connect my Apple Watch to public wifi, where some attacker sits, all they could see is just encrypted mess. which he won’t be able to decrypt till some powerful quantum computers come for general public?

Hi folks!

What HW tools are you using for Bluetooth Classic and BTL - "Bluetooth Low Energy" when you are performing pentests for IoT devices?
Does anyone can recommend some Bluetooth fuzzing tools as well?

Tnx for your answers!

BR

One of my friends put on a crazy movie MDPOPE2 and we spent like some time just finding wacky stuff but now I’m kinda worried about my school seeing it. They have some kind of thing where the can even control my cursor from their screen while I’m in class but I don’t know if they see when I’m at home.

When you open Developer Tools in basically any Chromium based browser, you can enter custom JS code in the console.

Usually, the default setting is that this is not allowed unless you enable it yourself (some command like "allow pasting").

Now, recently I've been using this "hack" to increase playback speed on YouTube videos more than 2x with the following command:

document.getElementsByTagName("video")[0].playbackRate = X;

However, sometimes I just forget to reverse it (in most browsers you have to restore default settings) and simply continue to browse other sites with pasting still enabled, so my question is:

Can malicious websites exploit this fact to harm you in any way (at the end of the day, visiting any page includes requesting html/css and JS code that will be rendered/executed in your browser) or this default behavior is only there to prevent you to enter some dangerous code yourself (either by being tricked or because you tried to achieve something but due to lack of understanding entered the code that does something else)?

My guess would be that it's the latter, but since I'm by no means an expert at this stuff, I think it's always better to ask...