🕵️‍♂️Ethical Threat Insights: Microsoft Really Wants Your Data


What's up everyone! Happy Monday. It's another great week over here because yes, I am again on another internal pentest engagement. This time the client's in the financial services industry. The last few before that have been law firms. Lots of exciting stuff in the works for me personally and with SecurIT360, so stay tuned. Have an awesome week! I appreciate you being a part of this newsletter community. 🙏


🩺Threat Pulse

Microsoft’s killing script used to avoid Microsoft Account in Windows 11

Microsoft has removed the ‘BypassNRO.cmd’ script from Windows 11 preview builds, which allowed users to bypass the requirement to use a Microsoft Account when installing the operating system.

Microsoft clearly wants to fight us for our data. They are removing a script (but not the underlying feature just yet) that allows you to create a local non-Microsoft account when setting up a fresh Windows 11 machine. If you find yourself in this position, here's what you need to do for now:

  1. During setup, when you get to the "Let's connect you to a network" screen, press Shift+F10 to open a command prompt.
  2. Copy and paste these two commands (the first sets the same registry value the removed script did, the second reboots immediately):
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
    shutdown /r /t 0
  3. When your computer reboots, you should now be able to create a local non-Microsoft account.

The 4 WordPress flaws hackers targeted the most in Q1 2025

A new report sheds light on the most targeted WordPress plugin vulnerabilities hackers used in the first quarter of 2025 to compromise sites.

This report was created by a company that sells a WordPress security product. But that's not why I wanted to call this out.

It's super common to see WordPress vulnerabilities on external pentests. Here's my advice for mitigating these risks:

  1. Make sure your plugins and themes get updated on a regular basis.
  2. Make sure you've got solid backups of your site and you test site recovery at least annually.
  3. Make sure you've got a process for addressing WordPress vulnerabilities quickly.

FBI warnings are true—fake file converters do push malware

The FBI is warning that fake online document converters are being used to steal peoples’ information and, in worst-case scenarios, to deploy ransomware on victims’ devices.

These sites are like festering pimples. They normally don't even work that great anyways, let alone the possibility of them having malware injected into them. You're better off using ChatGPT or similar if you're not concerned about the data in the documents you're trying to convert. If you are, there are a number of open source tools you can use that would allow you to run them locally. You can always inspect the code yourself to check for sketchy stuff. Of course, users who don't know any better are the biggest concern here. So education is important, but also, technical controls like blocking these sites via content filtering would be a great next step.

Critical flaw in Next.js lets hackers bypass authorization

A critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks.

I wanted to point this one out not because it's another vulnerability but because it indicates a larger trend I see happening. That trend is rapidly prototyped applications that are rushed to production, littered with vulnerabilities and poor coding practices. I tested this for myself. I developed an automated Google dorking application using Cursor. I wrote it using Node and Next.js as frameworks. In developing some of the code, Cursor literally dropped a command execution vulnerability right before my eyes. It didn't even say anything about it. It didn't warn me, nothing. Had I not been watching or reviewing the code it recommended, I would have missed it. That's exactly the type of issue we're going to have to combat in this new age of "vibe coding." 🫣

🔐Securing the Stack

How to Analyze Threat Reports for Defenders

🎥 Click here for the video version

  • Why threat reports are important for defenders: These reports help us understand current threats, tailor our defenses, and sharpen our incident response playbooks.
  • Goals of analyzing threat reports
    • Understand threat actor TTPs
    • Build detections
    • Understand our potential gaps
    • Test & validate prevention & detection
  • Threat report analysis techniques:
    Note: These are my own methodologies for different ways defenders can analyze threat reports. You can use one of the techniques, a mix of a couple, all of them in combination, or none of them. You do you! 😜
    • Skimming: you browse the report looking for indicators (IP addresses, SHA1 hashes, domains, etc.), techniques, tools or anything else that catches your eye. For example, maybe you don't want to read the entire Verizon DBIR but you do want to just bounce around through the report and look at some of the stats from other industries that may be similar to yours. Usually you feed this right into your EDR/SIEM/SOC.
    • Prioritizing: looking for specific indicators, evidence, TTPs, etc. Maybe you’ve identified a gap in lateral movement in your own organization and want to see what lateral movement techniques threat actors are using. Focus on high-confidence indicators and relevant attacker behaviors.
    • Validation: capturing TTPs and tools used for the purposes of testing them in your environment in order to validate defensive controls. For example, does lateral movement from Suzie's computer in accounting to a domain controller get alerted on? The idea here is you're cross checking against your own security stack, like your EDR and SIEM. But also, this technique includes checking other threat reports. Don't rely on a single source alone.
    • Mapping: this is the lens by which you interpret or understand the context of the report. For example, one method of mapping would be to look at the TTPs and ask yourself, what defensive techniques would hurt the threat actors the most (pyramid of pain). You can also map the TTPs to MITRE ATT&CK and create a heat map to see which techniques are most commonly used. Lastly, if you're a bit more sophisticated in your security maturity, you may have intelligence requirements. These requirements will map directly to what you are trying to mitigate/detect/prevent.
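To make the skimming, validation and mapping steps concrete, here is an added example (mine, not from the video or the newsletter) that pulls indicators and ATT&CK technique IDs out of two constructed report excerpts, counts technique frequency across sources for a heat map, and flags techniques corroborated by more than one report. The report text, the 198.51.100.7 address, the domain and the hash are all constructed sample values.

```javascript
// Added example: skim, map and cross-check constructed threat report text.
// REPORTS is made-up sample text; the hash is SHA1 of the empty string.
const REPORTS = [
  { name: "Report A",
    text: "The actor used PsExec (T1021.002) from 198.51.100.7 to reach DC01, " +
          "then dumped LSASS (T1003.001). C2 at bad.example.net; dropper sha1 " +
          "da39a3ee5e6b4b0d3255bfef95601890afd80709." },
  { name: "Report B",
    text: "Initial access via phishing (T1566.001); lateral movement with WMI " +
          "(T1047) and RDP (T1021.001); credential dumping (T1003.001) observed." },
];

// Patterns for the things you look for while skimming. Ordered roughly by
// pyramid of pain: hashes and IPs are cheap for an actor to change,
// technique IDs are not.
const PATTERNS = {
  sha1: /\b[a-f0-9]{40}\b/gi,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  domain: /\b(?:[a-z0-9-]+\.)+(?:net|com|org|io)\b/gi,
  technique: /\bT\d{4}(?:\.\d{3})?\b/g,
};

// Skimming: extract unique indicators and technique IDs from free text.
function skim(text) {
  const out = {};
  for (const [kind, re] of Object.entries(PATTERNS)) {
    out[kind] = [...new Set(text.match(re) || [])];
  }
  return out;
}

// Mapping: number of reports mentioning each technique, most common first.
// This is the data behind an ATT&CK heat map.
function techniqueHeatmap(reports) {
  const counts = {};
  for (const r of reports) {
    for (const t of skim(r.text).technique) counts[t] = (counts[t] || 0) + 1;
  }
  return Object.entries(counts)
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

// Validation: only techniques seen in at least minSources reports, so a
// single report's claim is not treated as established fact.
function corroborated(reports, minSources = 2) {
  return techniqueHeatmap(reports).filter(([, n]) => n >= minSources).map(([t]) => t);
}

module.exports = { REPORTS, skim, techniqueHeatmap, corroborated };
```

Feed the heat map output into the ATT&CK Navigator and the corroborated list into your purple team backlog for validation.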

😆Memes & Mayhem

So image generation with ChatGPT 4o was just released and people are going wild over it. I thought I’d use my time procrastinating to create memes. 😂 Here’s what I came up with so far. Any of these relatable?

👨‍💻Behind the Console

Are you getting value from this newsletter? What can I do better? Feel free to reply and let me know! Your feedback is imperative to me.

🔔P.S. ➡ If you are not already, make sure to subscribe to my YouTube channel. I'm going to be posting longer form videos there, starting with the analyzing threat reports video that I posted today!

All the best
Spencer Alessi

"Spirit of a hacker heart of a defender"