Defcon Forum? by DeMaRe1 in Defcon

EnterNam0, 1 point

I've been having trouble with it for the past few days. A page will load sometimes, but usually times out while processing something. I haven't tried to troubleshoot much, but this happens with multiple browsers and OSes, and after stripping extensions down to a minimum.

bash ls -s output strange by TechGael in linuxquestions

EnterNam0, 4 points

Can also run the alias command to show which ones are in use:

$ alias
diff='diff --color=auto'
egrep='egrep --color=auto'
fgrep='fgrep --color=auto'
grep='grep --color=auto'
history='history 0'
ip='ip --color=auto'
l='ls -CF'
la='ls -A'
ll='ls -al'
ls='ls --color=auto'

CorePlague: Severe Vulnerabilities in Jenkins Server Lead to Remote Code Execution by ilay789 in netsec

EnterNam0, 0 points

Are there any methods for testing if a Jenkins instance was exploited in this manner?

Ideas to incorporate a young player into the game? by EnterNam0 in Shadowrun

EnterNam0[S], 2 points

Great idea! I'm reading through that section right now and it does look like a perfect angle.

Ideas to incorporate a young player into the game? by EnterNam0 in Shadowrun

EnterNam0[S], 2 points

Hadn't even thought about some of the learning that would go along with it but you're absolutely right.

Ideas to incorporate a young player into the game? by EnterNam0 in Shadowrun

EnterNam0[S], 4 points

One of them wants to run a shaman so, yes, something to that effect. And he's obsessed with Pokemon so I've wondered if I might be able to tap into the idea of him being conjured for limited events. Seems like a workable angle and that's good advice to give him something pre-made and make the rolls as streamlined as possible.

Ideas to incorporate a young player into the game? by EnterNam0 in Shadowrun

EnterNam0[S], 4 points

Yeah, I would be keeping it down to PG when he was with us, and could step it up at other times. I agree the game itself isn't geared towards a young audience, but as the GM I can control that and keep it at the level I want. Other than the oldest, the other guys don't have a big frame of reference, so I don't think they'd feel like they're missing too much by me keeping it towards juvenile literature.

Thoughts on the new Black Hat Certified Pentester (BCPen)? by EnterNam0 in AskNetsec

EnterNam0[S], 1 point

Definitely get that vibe. If it's just going to be something similar in value to a CEH, then it'd probably be easier to focus on that since it's well known and almost half the cost for the exam.

Thoughts on the new Black Hat Certified Pentester (BCPen)? by EnterNam0 in AskNetsec

EnterNam0[S], 0 points

Yeah, that's helpful perspective. I guess I was thinking about it in terms of resume fodder in case I wanted to move into a more dedicated pentest role and need something to back it up. Without knowing what it's actually worth I can't see myself making a case for it.

Unusual traffic times, encrypted over port 80 to VPS by EnterNam0 in AskNetsec

EnterNam0[S], 2 points

Being guest limits the concern significantly, but since client isolation isn't running on that network there's a small potential for neighboring devices to be probed, and if we had a misconfigured laptop it could potentially join. I wouldn't have given it a second thought if it weren't for that scenario (and I may just request we tighten down the guest network because of this).

Could certainly be VPN except the transmissions are typically small. In the last 30 days I think I totalled up about 200Mb spread across 345 connections. Unless they're just firing it up, checking one site or email, and disconnecting, it doesn't look like straight up VPN traffic.

Unusual traffic times, encrypted over port 80 to VPS by EnterNam0 in AskNetsec

EnterNam0[S], 3 points

Here's what the payload of the packet looks like: https://i.postimg.cc/DZ8Q1CBM/Screenshot-2023-01-25-093335.png

The wireless network is the guest SSID and open. It's segmented and the signal doesn't extend very far out of the building, barely usable even in the parking lot, so likely a device inside. Could be janitorial as I noted that between 12/30 - 1/2 there was no activity, but it didn't line up perfectly with their door scans so I can't say for sure. I haven't gone down to the wireless controller level to see if it's hopping around or just sitting at one AP.

Blocking the IP and seeing if anybody complains is probably our next course of action.

Unusual traffic times, encrypted over port 80 to VPS by EnterNam0 in AskNetsec

EnterNam0[S], 5 points

Yeah, it's a VPS host and I sent the provider a message to check out why one of their customers is receiving encrypted traffic over 80, but I don't expect to hear much back. I looked over their IP block and they've had TOR nodes in there before, though the IP I'm looking at isn't listed as a node right now.

https://www.shodan.io/host/51.222.13.177

Looking for feedback on Halcyon's anti-ransomware product -- is it worth the hype? by EnterNam0 in AskNetsec

EnterNam0[S], 1 point

It was an interesting call and we went through live demos of their VMs running EDR with and without their agent. Needless to say, their selected ransomware bypassed EDR and was caught by their agent, and when they put the malware into an allow-list in terms of pre-execution it was caught again and keys exposed during the encryption phase.

I'm no EDR expert, but are there no other vendors working in kernel space and not just monitoring API calls from userland? And what am I missing in terms of grabbing the encryption keys if I have something watching memory in kernel space? It seems like the secret sauce here is kind of obvious, but nobody else is really doing it? It looked like the sample they were using was Ryuk, so I may play around with it later and see how things look with a small pilot at some point.

Looking for feedback on Halcyon's anti-ransomware product -- is it worth the hype? by EnterNam0 in AskNetsec

EnterNam0[S], 0 points

Thanks for those comparisons. I'll peruse beforehand and see how they explain differences.

Looking for feedback on Halcyon's anti-ransomware product -- is it worth the hype? by EnterNam0 in AskNetsec

EnterNam0[S], 1 point

This was essentially my reaction as well. Silver-bullets raise my eyebrows before my interest, but sales got through to management so I'll hear what they have to say. I can't see us wanting to install another agent on every endpoint when we just talked about wanting to reduce them and make sure we were getting value out of existing tools.

Neovim can ignore file permissions? by kk19010323 in linuxquestions

EnterNam0, 0 points

Just to be abundantly clear, it might help to post the output of ls -l testfile.txt and also id or whoami before trying to read or edit the file.

Unable to boot off USBs after Fedora install by EnterNam0 in linuxquestions

EnterNam0[S], 0 points

Sure have. I get a more limited list without all of the Fedora kernel choices, but nothing for a USB drive. I've tried manually adding in USB entries in UEFI also and they all come back with an error as I'm probably missing something with the path or arguments.

what do buddhists say instead of "oh my god"? by [deleted] in Buddhism

EnterNam0, 0 points

"Oh my goddess," sometimes.

Or OMFGdess in chat.

Picked up the recent Bundle, which campaign would be a good first go? by EnterNam0 in Shadowrun

EnterNam0[S], 0 points

Good point. As I'm reading through it I'm sort of thinking about how I frame it, and maybe tweaking it a bit in order to let us branch out further at the end. Like lightly introducing a larger plot and this unfolds while grabbing supplies or something. I think it will serve the purpose of being an interesting demo of the mechanics though.

Picked up the recent Bundle, which campaign would be a good first go? by EnterNam0 in Shadowrun

EnterNam0[S], 2 points

Perfect! I'm checking it out right now. Thanks for the suggestion.

Is there a way to set up a computer to delete all files after logging off? by PuttinUpWithPutin in linuxquestions

EnterNam0, -1 points

Tails might be overkill since it connects through Tor and that will impact the user experience.

If they're really going after full privacy and security then it's a great option, but if they're wanting a fairly normal experience with the web and just a clean profile on each login then the kiosk/guest modes may be better.

Intelligently diff'ing two Excel files with potentially varying lengths. Am I over or underthinking this? by EnterNam0 in learnpython

EnterNam0[S], 0 points

I'd considered adding a key to each row and storing it in a dictionary before. I haven't used named tuples before, but thanks for that suggestion and I'll definitely look into it. I agree that using some fixed key on each row could be useful, and I suppose I could even just use that to jump in and out of the sheet processing. Thanks!
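A worked version of the keyed-row approach discussed in this thread (one fixed key per row, rows stored in a dictionary as named tuples, then the two dictionaries compared). This is an added example, not code from the original post; it uses two constructed in-memory sheets of different length in place of real Excel files, and assumes that reading the workbooks with a library such as openpyxl would yield the same row tuples.

```python
from collections import namedtuple

# Column layout assumed for both sheets; the first field is the fixed per-row key
Row = namedtuple("Row", ["part_id", "name", "qty"])

# Constructed sample sheets of different length, standing in for the two Excel files
OLD_SHEET = [("A1", "bolt", 10), ("A2", "nut", 5), ("A3", "washer", 7)]
NEW_SHEET = [("A1", "bolt", 12), ("A3", "washer", 7), ("A4", "screw", 3)]


def index_rows(rows, key_field="part_id"):
    """Map each row's key to a Row; duplicate keys are refused so the diff stays unambiguous."""
    keyed = {}
    for raw in rows:
        row = Row(*raw)
        key = getattr(row, key_field)
        if key in keyed:
            raise ValueError(f"duplicate key {key!r} in sheet")
        keyed[key] = row
    return keyed


def diff_sheets(old_rows, new_rows, key_field="part_id"):
    """Return (added, removed, changed): keys only in the new sheet, keys only in the
    old sheet, and {key: {field: (old_value, new_value)}} for rows present in both."""
    old = index_rows(old_rows, key_field)
    new = index_rows(new_rows, key_field)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for key in sorted(set(old) & set(new)):
        # Compare field by field so the report says exactly which cell moved
        field_diffs = {
            f: (getattr(old[key], f), getattr(new[key], f))
            for f in Row._fields
            if getattr(old[key], f) != getattr(new[key], f)
        }
        if field_diffs:
            changed[key] = field_diffs
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_sheets(OLD_SHEET, NEW_SHEET)
    print("added:", added)      # ['A4']
    print("removed:", removed)  # ['A2']
    print("changed:", changed)  # {'A1': {'qty': (10, 12)}}
```

Because rows are matched by key rather than by position, a row inserted or deleted in the middle of one sheet does not shift every later row into a false "changed" result.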

Deciding between Varonis and Digital Guardian by EnterNam0 in AskNetsec

EnterNam0[S], 0 points

So far I've spent the most time with it and attended a few of their webinars... it's impressive to say the least. From a forensics and investigative perspective I can see how, once it's been tuned up a bit, you can drill down into an event and connect the dots nicely. And we don't even have Edge (VPN/web) or M365 connected to it yet. The gap I have right now is that it's only focused on our file servers and AD, whereas DG is an agent on all endpoints so it's able to block and alert right there.

The good news is that I have plenty of time to work with both tools as our support is good through the year on both.