https://karmine05.github.io/dirtyfrag-blog/categories/security-ops/ Recent content in Security-Ops on karmine's notes Hugo -- gohugo.io en dhruv@fleetdm.com (Dhruv Majumdar) dhruv@fleetdm.com (Dhruv Majumdar) © 2026 karmine's notes Tue, 26 May 2026 13:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/clickfix-copypaste-fleet-detections/ Tue, 26 May 2026 13:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/clickfix-copypaste-fleet-detections/ ClickFix is the most active cross-platform initial-access technique of 2026 — fake CAPTCHAs and support prompts that silently copy a malicious command to the clipboard, instruct the user to paste it into the Windows Run dialog or macOS Terminal, and deliver infostealers (Lumma, AMOS), remote-access tools (NetSupport RAT), and AppleScript keychain stealers. No code-execution vulnerability is exploited — the victim is the delivery mechanism. This brief walks the five-stage attack flow, lists atomic indicators, and ships a Fleet/osquery detection pack with every query validated against the current Fleet table schema. https://karmine05.github.io/dirtyfrag-blog/posts/shadow-earth-053-fleet-detections/ Tue, 26 May 2026 11:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/shadow-earth-053-fleet-detections/ Trend Micro disclosed SHADOW-EARTH-053 on 30 April 2026 — a China-aligned cyberespionage campaign exploiting ProxyLogon against unpatched Microsoft Exchange and IIS to deploy GODZILLA web shells and ShadowPad across South, East, and Southeast Asia plus one NATO target. This brief documents the campaign through Lockheed’s seven kill-chain stages with a Diamond Model rendered for each stage, consolidates the atomic indicators, and ships a vetted Fleet/osquery detection pack. Every query in the pack has been audited against fleetdm.com/tables before publication — schema bugs in the publicly circulating versions are called out and corrected inline. https://karmine05.github.io/dirtyfrag-blog/posts/fleet-mcp-manifesto/ Wed, 13 May 2026 09:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/fleet-mcp-manifesto/ Endpoint risk and threat hunting with Fleet just got a lot easier with the MCP. fleet-mcp is a Model Context Protocol server that turns Fleet’s API into a typed tool catalog any AI agent can call. This is the manifesto — why it exists, what it does, what it deliberately won’t do, and what it gives you that a REST API never could. https://karmine05.github.io/dirtyfrag-blog/posts/mini-shai-hulud-tanstack-supply-chain/ Tue, 12 May 2026 08:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/mini-shai-hulud-tanstack-supply-chain/ An active npm supply chain worm targeting developer credentials dropped on May 11, 2026. 42 TanStack packages (84 versions) directly compromised. The broader Mini Shai-Hulud campaign affects 175 packages across 17 namespaces. This is the detection approach we ran across 30 hosts using Fleet — and the critical caveat about what Fleet’s built-in npm table misses. https://karmine05.github.io/dirtyfrag-blog/posts/pre-cve-response-with-fleet/ Fri, 08 May 2026 13:30:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/pre-cve-response-with-fleet/ Vulnerability management isn’t CVE management. When a public exploit lands before NVD has caught up, traditional vuln scanners return empty and incident response stalls waiting for a row in a database. This is a worked example of using Fleet’s primitives — live osquery, run-script, policies — to investigate, scope, mitigate, and verify based on the artifacts of the threat instead of its catalog representation.