
Posts by Jeff Beley

It's not DNS
There's no way it's DNS
It was DNS

--SSBrooks


Today's #homelab lesson...

If resolv.conf has permissions of 0600, things will break. Remember to set the umask.

8 months ago 3 0 0 0

Got to meet Cliff Stoll at #thotcon
DFIR life goal achieved

10 months ago 7 0 0 0

I do a pretty good job of leaving corporate-speak at work.

In a signal exchange with my wife, I used the word "bump". I had to explain what it meant.

11 months ago 1 0 0 0
All the things meme with the caption "ISO8601 ALL THE TIME THINGS!"

#DFIR #DFIRMEMES #INFOSECMEMES

1 year ago 17 2 1 1

After we achieved our mission, we left the site at 2AM. Fortunately for our client, the head of IT didn't "put strychnine in the guacamole". This is why I still keep a USB to RS232 in my IR go bag to this day.

1 year ago 3 0 0 0

Luckily, the IT admin left me an open session on the RS232 port, so I didn't actually have to "hack" it. I then added another admin user and an interface to a device implant I brought with me to "phone home".

1 year ago 0 0 1 0

After finding the device in question, which took a bit due to the spider web of cables, we found the admin interface, RS232. I connected my laptop and fired up my favorite serial terminal program.

1 year ago 0 0 1 0

There was one device that didn't have an exposed admin interface. I just happened to have experience on this network device. So at 10 pm on a Friday, we came to the client site, dressed as the cleaning crew.

1 year ago 1 0 1 0

Hold on for a wild story. I had a client who had sufficient cause to worry that the head of IT was going to "put strychnine in the guacamole" and take down the whole organization. My team worked with our red team to establish persistence in the network.

1 year ago 2 0 1 0

Many threat actors leave the Windows firewall disabled. And services like Shodan, Censys, Binary Edge, etc. are able to pull back that data. Very useful for tracking threat actors and for doing IR investigations.

1 year ago 0 0 1 0

Where it is sufficiently unique:

SSL metadata
JARM/JA4 data
SSH Keys
Unique services running on weird ports
Banner/content hashes
Windows "bleedthrough" hostname (Windows VMs exposed on some virtual host)

There's probably more that I missed.

1 year ago 1 0 1 0

Swiftonsecurity or ionstorm (fork of the former)

1 year ago 1 0 0 0
Alt: a man in a suit and tie is pretending to speak on a phone while asking "what time is it where you are?"

I once again appeal to the void that any operation/working group/team activity that involves folks in more than one timezone just switch to UTC.

ISO 8601 + UTC || GTFO

1 year ago 6 3 0 1
Alt: two men are standing next to each other and one of them says "and now I want a burrito".

TIL about IP over Burrito Carriers .... now I want a burrito

datatracker.ietf.org/doc/html/dra...

1 year ago 2 1 0 0

There are two stages of a security career: Before you know the truth of what you read in the news on an incident, and after, when you know exactly what happened and can't say a single fucking thing.

1 year ago 820 92 19 30
The Curious Case of an Egg-Cellent Resume Key Takeaways Initial access was via a resume lure as part of a TA4557/FIN6 campaign. The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware. Cobalt Strike and…

🌟New report out today!🌟

The Curious Case of an Egg-Cellent Resume

Analysis & reporting completed by @_pete_0, @svch0st and guest contributor @k3dg3 from @proofpoint!

Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2024/12/02/t...

1 year ago 25 6 0 2
Russia arrests cybercriminal Wazawaka for ties with ransomware gangs Russian law enforcement has arrested and indicted notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for developing malware and his ...

Russian citizen and notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) has been arrested and indicted in Russia for his involvement in several hacking groups.

www.bleepingcomputer.com/news/securit...

1 year ago 16 5 0 1
Wanted Russian Cybercriminal Linked to Hive and LockBit Ransomware Has Been Arrested Russian authorities arrest Mikhail Matveev, key LockBit and Hive ransomware hacker, charged with global cyberattacks.

Russian hacker Mikhail Matveev, tied to #LockBit & Hive ransomware, arrested in Russia. The US had offered a $10M reward for his role in global ransomware attacks.

thehackernews.com/2024/11/want...

#cybersecurity #malware

1 year ago 79 20 4 2
Alt: a man in a striped shirt and tie leans on a printer and freaks out when the printer says PC LOAD LETTER

If you want to change just the display of one (or many if your network allows broadcast) you can use a script similar to gist.github.com/skreuzer/b29...
and make them all say "PC LOAD LETTER"

1 year ago 0 0 0 0

yEd > Visio

Especially for automation

1 year ago 0 0 0 0
GitHub - 0x90n/InfoSec-Black-Friday: All the deals for InfoSec related software/tools this Black Friday All the deals for InfoSec related software/tools this Black Friday - 0x90n/InfoSec-Black-Friday

Cyber Black Friday tips are already ongoing on GitHub (via Thomas Roccia, fr0gger_)

github.com/0x90n/InfoSe...

1 year ago 9 2 0 0

Exploring the full bluesky firehose, in three dimensions: firehose3d.theo.io

1 year ago 2815 706 183 278

Was a huge Tweetdeck user (till Musk paywalled it and I had to use a shonky cheat version instead) - hugely grateful for @deck.blue - somebody hire @gildaswise.com sharpish.

1 year ago 34 10 2 0