It's not DNS There's no way it's DNS It was DNS --SSBrooks
Today's #homelab lesson ..
If resolv.conf has permissions of 0600, things will break. Remember to set the umask.
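The lesson above, as an added example that is not from the original post: a script running under a restrictive umask (077) creates resolv.conf as 0600, so unprivileged processes cannot read the resolver config and name resolution fails for them. The snippet reproduces that in a temporary directory (it never touches the real /etc/resolv.conf), shows the 0644 result under umask 022, and applies the chmod repair. The nameserver address is a constructed TEST-NET value.

```python
"""Reproduce the resolv.conf-under-a-restrictive-umask failure in a scratch dir.

Added example, not from the original post. Everything happens inside a
temporary directory; the real /etc/resolv.conf is never touched.
"""
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of `path` as an int (0o600, 0o644, ...)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_with_umask(path, mask, content="nameserver 192.0.2.53\n"):
    """Create `path` the way a script running under umask `mask` would.

    A plain open-for-write asks for mode 0o666 and the umask trims it, so
    umask 0o077 yields 0o600 and umask 0o022 yields 0o644.
    The nameserver line is a constructed TEST-NET value.
    """
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        with os.fdopen(fd, "w") as f:
            f.write(content)
    finally:
        os.umask(old)  # restore so the rest of the process is unaffected
    return mode_of(path)


def world_readable(path):
    """Unprivileged processes need the 'other' read bit to load the resolver config."""
    return bool(mode_of(path) & stat.S_IROTH)


def fix_resolver_perms(path):
    """The repair: readable by everyone, writable only by the owner."""
    os.chmod(path, 0o644)
    return mode_of(path)


def demo():
    """Run the scenario in a scratch dir and return the observed modes."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "resolv.conf")
        good = os.path.join(d, "resolv.conf.new")
        return {
            "umask077": write_with_umask(bad, 0o077),
            "umask077_readable": world_readable(bad),
            "after_chmod": fix_resolver_perms(bad),
            "umask022": write_with_umask(good, 0o022),
            "umask022_readable": world_readable(good),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:o}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

A quick way to catch this on a live box is to check that the 'other' read bit is set on the resolver file before blaming the DNS server; the umask restore in `write_with_umask` matters because a forgotten `os.umask()` call leaks into every file the process creates afterwards.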
Got to meet Cliff Stoll at #thotcon
DFIR life goal achieved
I do a pretty good job of leaving corporate-speak at work.
In a signal exchange with my wife, I used the word "bump". I had to explain what it meant.
All the things meme with the caption "ISO8601 ALL THE TIME THINGS!"
#DFIR #DFIRMEMES #INFOSECMEMES
Hold on for a wild story. I had a client who had sufficient cause to worry that the head of IT was going to "put strychnine in the guacamole" and take down the whole organization. My team worked with our red team to establish persistence in the network.
There was one device that didn't have an exposed admin interface. I just happened to have experience on this network device. So at 10 pm on a Friday, we come to the client site, dressed as the cleaning crew.
After finding the device in question, which took a bit due to the spider web of cables, we found the admin interface, RS232. I connected my laptop and fired up my favorite serial terminal program.
Luckily, the IT admin left me an open session on the RS232 port. So I didn't actually have to "hack" it. After adding another admin user and an interface to a device implant I brought with me to "phone home".
After we achieved our mission, we left the site at 2AM. Fortunately for our client, the head of IT didn't "put strychnine in the guacamole". This is why I still keep a USB to RS232 in my IR go bag to this day.
Many threat actors leave the Windows firewall disabled. And services like Shodan, Censys, Binary Edge, etc. are able to pull back that data. Very useful for tracking threat actors and for doing IR investigations.
Where it is sufficiently unique:
SSL metadata
JARM/JA4 data
SSH Keys
Unique services running on weird ports
Banner/content hashes
Windows "bleedthrough" hostname (Windows VMs exposed on some virtual host)
There's probably more that I missed.
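The pivoting workflow those posts describe, as an added example that is not from the original thread and not any scan service's API: starting from one host already attributed to an actor, index scan observations by each fingerprint attribute (certificate hash, JARM, SSH host key, banner hash, bleedthrough hostname) and link other hosts that share a value, but only where that value is "sufficiently unique". The records are constructed sample observations on documentation-range IPs; the field names and the ceiling on how many hosts may share a value before it is discarded as too common are assumptions.

```python
"""Pivot on exposed-infrastructure fingerprints from scan data.

Added example, not from the original post and not a scan service's schema.
Records are constructed observations; field names and the uniqueness ceiling
are assumptions chosen for illustration.
"""
from collections import defaultdict

SEED = "198.51.100.10"  # constructed: the host already attributed to an actor

# Constructed observations on documentation-range IPs with placeholder fingerprints.
SAMPLE_RECORDS = [
    {"ip": SEED, "port": 8443, "tls_cert_sha256": "cert-A", "jarm": "jarm-X",
     "banner_sha256": "banner-1", "hostname": "WIN-K7Q2"},
    {"ip": "198.51.100.11", "port": 8443, "tls_cert_sha256": "cert-A", "jarm": "jarm-X",
     "banner_sha256": "banner-1"},
    {"ip": "203.0.113.5", "port": 443, "tls_cert_sha256": "cert-A", "jarm": "jarm-Y"},
    {"ip": "192.0.2.77", "port": 3389, "hostname": "WIN-K7Q2"},
] + [
    # Six unrelated hosts that happen to share the seed's JARM (a common TLS
    # stack), so JARM on its own must not link them to the seed.
    {"ip": f"203.0.113.{n}", "port": 443, "tls_cert_sha256": f"cert-{n}", "jarm": "jarm-X"}
    for n in range(20, 26)
]

# Attributes from the post's list, and an assumed ceiling: a value seen on more
# hosts than this (a vendor default cert, a stock JARM) is not unique enough to pivot on.
PIVOT_FIELDS = ("tls_cert_sha256", "jarm", "ssh_hostkey", "banner_sha256", "hostname")
MAX_HOSTS_FOR_UNIQUE = 5


def index_by_field(records, field):
    """Map each observed value of `field` to the set of IPs exposing it."""
    idx = defaultdict(set)
    for r in records:
        v = r.get(field)
        if v:
            idx[v].add(r["ip"])
    return idx


def too_common(records, field):
    """Values of `field` shared by more hosts than the ceiling; keep these out of pivots."""
    return {v for v, ips in index_by_field(records, field).items()
            if len(ips) > MAX_HOSTS_FOR_UNIQUE}


def pivot(records, field, seed_ip):
    """Other IPs sharing a sufficiently unique `field` value with `seed_ip`."""
    related = set()
    for value, ips in index_by_field(records, field).items():
        if seed_ip in ips and 1 < len(ips) <= MAX_HOSTS_FOR_UNIQUE:
            related |= ips - {seed_ip}
    return related


def cluster(records, seed_ip):
    """Pivot across every field and record which field(s) linked each host."""
    links = defaultdict(set)
    for field in PIVOT_FIELDS:
        for ip in pivot(records, field, seed_ip):
            links[ip].add(field)
    return dict(links)


if __name__ == "__main__":
    print("too-common JARM values:", too_common(SAMPLE_RECORDS, "jarm"))
    for ip, fields in sorted(cluster(SAMPLE_RECORDS, SEED).items()):
        print(f"{ip} linked via {sorted(fields)}")
```

The interesting part is the ceiling: hosts linked by several independent attributes (here the one sharing both the certificate and the banner hash) are a stronger lead than hosts linked by one, and a value that shows up across many unrelated hosts is dropped rather than producing a cluster of false positives.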
Swiftonsecurity or ionstorm (fork of the former)
I once again appeal to the void that any operation/working group/team activity that involves folks in more than one timezone just switch to UTC.
ISO 8601 + UTC || GTFO
TIL about IP over Burrito Carriers .... now I want a burrito
datatracker.ietf.org/doc/html/dra...
There are two stages of a security career: Before you know the truth of what you read in the news on an incident, and after, when you know exactly what happened and can't say a single fucking thing.
New report out today!
The Curious Case of an Egg-Cellent Resume
Analysis & reporting completed by @_pete_0, @svch0st and guest contributor @k3dg3 from @proofpoint!
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2024/12/02/t...
Russian citizen and notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) has been arrested and indicted in Russia for his involvement in several hacking groups.
www.bleepingcomputer.com/news/securit...
Russian hacker Mikhail Matveev, tied to #LockBit & Hive ransomware, arrested in Russia. The US had offered a $10M reward for his role in global ransomware attacks.
thehackernews.com/2024/11/want...
#cybersecurity #malware
If you want to change just the display of one (or many if your network allows broadcast) you can use a script similar to gist.github.com/skreuzer/b29...
and make them all say "PC LOAD LETTER"
yEd > Visio
Especially for automation
Cyber Black Friday tips are already ongoing on GitHub (via Thomas Roccia, fr0gger_)
github.com/0x90n/InfoSe...
Exploring the full bluesky firehose, in three dimensions: firehose3d.theo.io
Was a huge Tweetdeck user (till Musk paywalled it and I had to use a shonky cheat version instead) - hugely grateful for @deck.blue - somebody hire @gildaswise.com sharpish.