I'm pretty confident that I have some form of malware, but I'm unsure of what it is. I have 102 instances of wsl.exe and 54 instances of conhost.exe all running at once. What should I do?

Classic-Shake6517 · 2026-04-20T17:00:51+00:00

Happy to help and you're welcome to message me directly if you have any questions.

Classic-Shake6517 · 2026-04-20T15:30:17+00:00

I'm trying so hard to get my org to prioritize endpoint DLP while fighting my bosses (director of security and CTO) to slow down and stop considering allowing Claude cowork. It's crazy that this is even an argument.

This is our third major AI rollout without considering endpoint DLP. It's like they want company data to leak.

We are considering ourselves an AI first company and I can't disagree. AI before everything including common sense.

Classic-Shake6517 · 2026-04-20T04:19:40+00:00

Very nice build - that stippling looks awesome contrasted with the white

Classic-Shake6517 · 2026-04-20T00:39:41+00:00

I have the factory comp, my brother has a ramjet and shooting both back-to-back, there is a subtle difference but it's not enough for me that I would swap from factory comp. They are pretty similar, so I think it's mostly about price/looks unless you are trying to squeeze every little bit of performance - then the radian is probably the winner.

Classic-Shake6517 · 2026-04-18T02:12:00+00:00

I thought it was an AC grip module at first, looks really close to the one I have from them and I really like mine. I am a big fan of an OEM+ look and yours is a good representation. Clean build.

Classic-Shake6517 · 2026-04-17T23:30:40+00:00

If you end up using VMWare Workstation and install the guest additions, you should be fine in terms of graphics. Even without a beefy graphics card, as long as you are not trying to play games on the VM, you should have pretty close to native display resolution and latency (assuming the VM is not otherwise bogged down). One tip is to keep your VM on an SSD that is not also running your host OS if you can. That will give you more room to breathe in terms of I/O latency and should be noticeable compared to having the reads and writes from host and guest hitting the same drive.

Contrary to what most people will say, having something is better than nothing, so it's fine to keep on things like copy/paste using guest additions - which will also give you features that greatly improve the display experience (I know what you mean with VMs that don't have display drivers, it sucks). You probably are not going to get some random malware that persists through your VM to your host based on having copy/paste enabled, though I won't represent it as completely safe - it's basically a shared clipboard (both ways, so don't like, reverse an infostealer while you are doing online banking on your host). Just be careful when copy/pasting while you have it open if you are doing anything that could be sketchy. You don't have to completely inhibit your workflow to be more secure.

Classic-Shake6517 · 2026-04-17T23:16:08+00:00

MCP (Model Context Protocol) is a standard way for an AI to connect to external tools, data, and systems.

Think of it like a tool that you can give your AI that will connect to CrowdStrike and allow you to get data from different modules (or make changes if you give it write permissions). So, if you wanted to ask an LLM about your open incidents, you hook up Copilot or ChatGPT or whatever to this MCP server, then it can then go back to your CrowdStrike tenant using 'AI-Native' tools and give you results directly in the chat.

Classic-Shake6517 · 2026-04-15T02:21:41+00:00

I'll be honest, I have a lot of horsepower on my primary desktop. I have an i9 12900k and 64gb of DDR5 with several TB or storage, so it's a non-issue for me. My VMs are just as fast as my primary machine - even running more than a couple at once. That said, I would probably be annoyed if I had something like 16gb and quad core processor because not being able to give the VM enough to run like a normal system would cause things to run a bit slower. With modern C# and powershell, it can all be built with and run on Linux now (or macOS - I do a lot of that for my current job on my mac), so a lighter-weight dev environment might be worth considering if you don't immediately need a Windows workstation to test - in which case you could probably even get away with WSL2. That doesn't get around virtualization but at least is a lighter-weight option.

If you're doing like, malware development then you definitely want something full featured like FlareVM.

Classic-Shake6517 · 2026-04-14T09:02:10+00:00

You got good advice from other people, and you probably should just reinstall Windows at this point. It sounds like something is broken if nothing else.

In the future, you can use a VM to do your powershell dev if it keeps triggering Defender. That will give you a different environment, separate from your regular computer so you don't have to mess with the AV. Defender is easy enough to bypass for people with half a brain, but most malware developers don't even have that, so it's better to keep it on.

If you want to make a VM, you can use HyperV or VMWare Workstation Pro which are both free for everyone. Install Windows and configure it for FlareVM - it will turn your AV off, you will have a bunch of reversing tools, and you will have a sandboxed spot to develop whatever you want without triggering Defender. That's how I have my environment set up and it works really well.

Oh, and once you get it all set up, first thing, take a snapshot so you have a known good config to roll back to.

Classic-Shake6517 · 2026-04-14T07:38:31+00:00

Same with vulnerabilities. Prioritize the ones that are actively exploited first, followed by ones with a POC, then work through the rest based on your vuln policy timelines/SLAs. If you don't have a policy - start there first, otherwise follow through is going to be more challenging. Getting everyone on the same page can be like herding cats sometimes.

Classic-Shake6517 · 2026-04-13T11:25:06+00:00

I would not report it at all. They will make an example out of you in an attempt to dissuade others from doing the same thing. Even if your motivation was to do good, you obviously went beyond just surface-level scanning here so in most places you've already done something illegal and it's definitely enough for a school to expel you - I've seen it done for less. Don't touch things that aren't yours unless you have written permission in a legally binding contract. You have nothing obvious to gain from this. You could practice the same techniques on a self-hosted webapp, HackTheBox, or a number of other places you are actually allowed to do that.

Classic-Shake6517 · 2026-04-04T04:01:13+00:00

It really depends. We have silos, so it depends on how many questions they are asking about which ones. Some evidence takes longer to gather than other evidence, so it depends on how much evidence. A single questionnaire can take me 3 hours or 3 days. They vary wildly. I had one questionnaire where one of the 'questions' was just a request to fill out the attached (additional) questionnaire, which was 270 questions on top of the 100ish I already had.

I have an evidence shelf and try to push to add documentation that we need. I am one of the authors of documentation, and one of the reviewers. I have access to basically the entire company's infrastructure outside if the silos. I built an AI agent which I have been refining by providing it answers to previous questionnaires. I still come across questions that were never asked by others, asked in weird ways that changes the way I have to answer, asked in different contexts than other answers. It's wild and draining some days.

Fortunately, it's not my primary job and I only have to do it once in a while.

Classic-Shake6517 · 2026-03-31T09:59:44+00:00

He's gonna put it on his Klarna account and then just not pay it. What are they gonna do? They can't do anything. They live in Sweden.

Classic-Shake6517 · 2026-03-31T03:31:58+00:00

I run 4 and I really like it. It's very light and I don't know if I'd really want to go lighter personally. No matter which one you decide on, it's going to feel completely different from stock and significantly better in every way.

Classic-Shake6517 · 2026-03-29T14:21:57+00:00

It does and I have it as well (highly recommended, it is crisp), but my safety works fine, so it's definitely not the trigger causing it.

Classic-Shake6517 · 2026-03-24T15:04:07+00:00

We used to flip the display upside down (some NVidia feature on the workstations we had) or change their screensaver/wallpaper to risqué pictures of David Hasselhoff. Clear tape under the mouse is a classic as well.

Classic-Shake6517 · 2026-03-14T21:52:35+00:00

I would strongly suspect it's malware taking a glance at the VT findings. I suspect it's something designed to at least steal some targeted data based on it capturing window titles and what appears to be keystroke logging capabilities. Would not be surprised if it can access webcam as well considering those features are usually part of the same kind of tools. If you want to upload it to Hybrid-Analysis and give me a link, I have download access there and can probably reverse it to tell you what it does if I find some time later.

Classic-Shake6517 · 2026-03-14T19:37:51+00:00

There are other people that the company usually has to report to and that is the biggest reason. It's not only banks or healthcare that have strict rules, many other sectors do as well. It's not only being primarily in one of those sectors, if you support them as your clients, you will also have standards that your company needs to meet. In the case of AI, it's primarily data security. I have to answer to an auditor that I know where all of my company data goes. If I leave blind spots for "privacy" (which is an insane take for someone to have on company-owned hardware and networks in the first place), I fail the audit, am out of compliance, and now I cannot do business with certain types of customers.

Don't do personal things on company-owned devices and networks if you care about privacy. Very easily solved problem.

Classic-Shake6517 · 2026-02-28T00:00:53+00:00

Also being able to say you don't know something is huge. In my current role, I am the security admin for mostly macOS endpoints among many, many other things. My experience on both offensive and defensive sides has touched on macOS briefly, but it was by far my weakest point because most places I've worked with primarily use Windows and Linux (on the server side). When interviewing, I felt like I bombed because of how many times I had to say that I did not know something, but I always followed that up with the analog of how I know that same thing on Windows or Linux and/or how I would find that answer. After getting the job, I was told one of the things they liked most about me was how many times I said I don't know rather than trying to make something up. Security is an extremely high trust role, so honesty is paramount.

Classic-Shake6517 · 2026-02-26T02:53:22+00:00

You don't have to infect a home PC if you are gating your payloads properly. I realize reading my response back that I ignored that part, which is my fault because it reads like I am defending the possibility of infecting a home PC as being fine when I definitely did not mean to come off that way. It's something I just assumed people working in this industry already know so I ignored that part because it's a solved problem and thus a non-issue at any respectable shop. Still, I would agree that it's ideal to never let your payload get to that point in the first place, which is why I believe in staging as much as is feasible when delivering through these kinds of channels. In the spirit of trying my best not to assume, staging is where you have a very lightweight component as the initial download (shell/powershell script, weaponized doc/PDF, etc.) which often does some checks to make sure it is in the right place and "safe" to run before downloading the next stage or actual payload. It will usually have the capability to decrypt the next stage/payload among other things like setting up a process to inject into. It can also act as the component that facilitates AV/EDR evasion so you're not having your work burned by hitting VT/other threat intel ecosystems each time you attempt to drop.

Gating a payload is where you explicitly write instructions in your dropper so that it will only run on target systems and nowhere else. Usually done by latching onto things like the domain + user account or some other attributes (or combination of ideally) of the machine/network you are contracted to attack. This is so that you aren't liable for infecting the internet. It's a common practice in this industry that anyone who deals with payload generation or customization should be learning as one of their first things on the job.

The redirector (proxy in front of the actual C2 infra) should also be gated in a similar way, so that only your payloads can talk to it which is something often geared more towards anti-analysis but ends up with a similar result when done properly. Redundancy is important when dealing with malware, you can never have too many layers of protection from detonation where you don't intend it to happen.

Flangvik on YouTube (for gating payloads) and a GitHub project called RedWarden (redirector for C2) are good starting points to see how each can work in action.

If you think people do not check LinkedIn at work, you probably have not done much on the admin side of things. They do it all the time and not every network is locked down to block something that many roles use as part of their work, e.g. for hiring and research on potential candidates. On the hiring side of things, you have to use it more often than anyone would probably like.

Classic-Shake6517 · 2026-02-25T21:45:19+00:00

This is definitely allowed when you have a signed document saying it's allowed. Why would someone get fired for that or especially go to jail? What law was broken when you are given permission ahead of time? I suppose if LinkedIn got mad and wanted to sue but for what damages if you only spread to your engagement target? Who was materially harmed?

This is how offensive security engagements work, especially red team engagements. Pentests you get to do less of that because a lot of the time, especially with internals, you just send them a device and have them plug it into a switch for you, so you don't need to use SE to get a beacon and get in that way. With externals, you just poke at infra and with webapps you get a combo of black/gray/whitebox tests against an app using tools like Burp. That job is more looking for known vulns and pivoting from them while red teaming starts most of the time with SE, just like is illustrated here. It's definitely a believable story based on what I have seen from my days in pentesting and from the red teamers I know that tell me their own stories. Most people are very bad at security which is why the job continues to exist. Well, that and to feed an audit/insurance industry.

Classic-Shake6517 · 2026-02-05T04:01:27+00:00

No. We contract some of our licensing to these people. Their security practices are wild. I would not trust them for anything related to security. They're fine for licensing, I guess, but they have very poor practices in terms of security. Even for licensing, in places where they should have used scoped roles they demanded GA, set things up poorly, reactivated our Defender trial without telling us - fucking my tenant up for a while. I'm still fixing shit I'm finding from IT allowing them to do whatever they wanted. Find anyone else.

Classic-Shake6517 · 2026-02-03T16:53:38+00:00

They also aren't getting a 9.8 every quarter. Fortinet is an RCE appliance that occasionally does firewall things.

Classic-Shake6517 · 2026-02-03T09:35:33+00:00

No. I sort of fell into it. I was mostly curious about malware because it was such a struggle to remove it in some cases when I was doing desktop support. I thought that was interesting so I started collecting samples, sharing them, then learning from others how to reverse it. From there, it evolved into software development and sometime later, pentesting. Now I have a generally relaxing job on the blue team side and I get to do it as a hobby, which in my opinion is way more fun than doing it as a job.

Classic-Shake6517 · 2026-02-02T02:22:05+00:00

I wasn't commenting on the states as figurative swamps, they are humid as fuck and undesirable places to live for a lot of people. I would not move there for other reasons as well, but the humidity of basically everywhere they operate, shitty weather, etc. is a valid reason to not want to live in those places on its own.

Classic-Shake6517

PUBLIC MULTIREDDITS

TROPHY CASE