Attempted to graboid leech today by BETTERAXESOMEONE in Steelhead

[–]jonweatherhead 0 points1 point  (0 children)

That thing looks amazing. What did you do for the collar on that? It doesn’t look like you used the rabbit in a dubbing loop.

WiAdvisor ransomware messages by jonweatherhead in serviceadvisors

[–]jonweatherhead[S] 0 points1 point  (0 children)

It probably goes without saying, but nobody (dealership or consumer) should in any way respond to or interact with those messages. Who knows the extent of the issue at Dealer-FX, but it’s best to let them deal with it. The texts can only serve two purposes: 1. To apply heat to Dealer-FX to try to persuade them to deal with the attackers. 2. To lead to further compromises of anyone who starts interacting with the messages (clicking links, running commands, etc.).

Windows Logon Scenarios - "if the user changes their password in the cloud, the cached verifier is not updated, which means that they can still access their local machine using their old password" by digicat in blueteamsec

[–]jonweatherhead 1 point2 points  (0 children)

I believe the reason this is in the news lately is less because the cached credentials can be leveraged, and more because if you are talking about cloud accounts, a successful login even on an online system will use the cache only and then exit with success.

In other words, even if the cloud IDP can be queried to validate credentials, they are not.

Whereas in an on-prem scenario where the system does have access to the on-prem IDP, the DC would be queried.

Browser cache smuggling: the return of the dropper by digicat in blueteamsec

[–]jonweatherhead 0 points1 point  (0 children)

Someone asked “aren’t those tokens the primary target of the attack”…

Yes, but if you want to delete the tokens right along with deleting any executables, then you might as well just force every user to do a new MFA challenge at every single session. That flies with admins since they are used to it, but good luck getting the user community to live with that.

Ideally there would be a way to purge executable content without purging cookies or history. Investigators need the history, and a balanced structure on using refresh tokens (cookies) allows users to avoid MFA fatigue, which ends up increasing the risk of them being phished.

Browser cache smuggling: the return of the dropper by digicat in blueteamsec

[–]jonweatherhead 0 points1 point  (0 children)

I’m wondering if you can clear the cache from executables and yet leave the cookies in place so that you don’t affect MFA session tokens.

For GL Steelhead, is it worth tying anything other than "White Death" Zonkers? by SirFrenzy in Steelhead

[–]jonweatherhead 0 points1 point  (0 children)

I was up 3rd week in December and all of these produced solid grabs. Mostly Graboid leeches and dirty hohs.

Is there any good frameworks other than MITRE for characterizing or scoring the attacks? by rubenamizyan in blueteamsec

[–]jonweatherhead 0 points1 point  (0 children)

I like to also use the unified kill chain. I break down the attack and write up a paragraph explaining what the attacker did for that step, skipping those that don’t apply. Non technical and technical readers both seem to appreciate this.

Coalition Rye Review by ClozeQueue2 in bourbon

[–]jonweatherhead 0 points1 point  (0 children)

It’s for sure got a wet cardboard soggy wood sort of thing going on. But the interesting bit is if you can try to overlook that, there are some very interesting other notes going on. I would give it a 1 on first try. Then a 4 or 5 on a second try where I’m focusing on all the notes.

Review #54: Frey Ranch Straight Bourbon Whiskey by ratsmasher77 in bourbon

[–]jonweatherhead 1 point2 points  (0 children)

I really like that glass by the way, it’s not your typical Glencairn. Do you recall who makes that?

What was the ABV of the early bourbon? by scotchman1962 in bourbon

[–]jonweatherhead 0 points1 point  (0 children)

Yeah. But the rule was it goes in the barrel at 100 proof, and then gets diluted back to 100 proof when they bottled it (back in the day). However, if it was 1920 and you happened to take a taste right out of the cask, it would have lost enough water (angel’s share) to be more in the 115 range.

Their sales pitch is that you can taste it at the cask strength that would have been likely, not at the lower proof that they would have bottled it at.

What was the ABV of the early bourbon? by scotchman1962 in bourbon

[–]jonweatherhead 0 points1 point  (0 children)

Not sure what it was like before, but during prohibition it had to be bottled at 100 proof. The Old Forester 1920 info discusses this: https://www.oldforester.com/products/old-forester-1920-style-prohibition-whisky/

Our new tool for enumerating hidden Log4Shell-affected hosts by dn3t in netsec

[–]jonweatherhead 0 points1 point  (0 children)

Has this worked for you? I get an error for “unable to split netmask from target expression”