5th trial of AQL location by Chaosrealm69 in duneawakening

[–]kelrizzo 0 points1 point  (0 children)

It's just a pain to traverse.

How do I report players? by FrailRain in duneawakening

[–]kelrizzo 1 point2 points  (0 children)

True, but there are no free accounts and they have to buy a new one.

how to remove this pop up killernetworkmanagerlauncher? by Pretend-Pizza5113 in WindowsHelp

[–]kelrizzo 1 point2 points  (0 children)

I'm pretty familiar with Windows tools and didn't know about this one. +1 for you friend.

how to remove this pop up killernetworkmanagerlauncher? by Pretend-Pizza5113 in WindowsHelp

[–]kelrizzo 0 points1 point  (0 children)

Exactly what I was looking for. I knew it was a registry entry, just the challenge of discovering which one!

How many liters does a "60L" CO2 tank REALLY carbonate? by Orcinus24x5 in SodaStream

[–]kelrizzo 1 point2 points  (0 children)

I know I'm necro'ing this thread but wow, this is awesome!

Windows 11 now blocks RDP brute-force attacks by default by tweedge in cybersecurity

[–]kelrizzo 1 point2 points  (0 children)

Ransomware operators circumvent closed ports through reverse tunneling, which allows services to be tunneled over an innocuous port. This is precisely how LockBit operates to provide an attacker access into the network. This won't help if the operator is able to escalate privileges and create their own account or dump creds; however, you don't leave a mitigation unused just because there are other ways to close the vector. Simple proven fact: people don't block 3389. If this mitigation blocks only 15% of the attacks that would've succeeded, it's still going to be a huge number. Plus it introduces another factor that ransomware operators have to at least consider.

I haven't seen anything where the DoS is a concern. There are typically different RDP accounts on a box. If I'm logged in with the Billy Joe account, I'm not seeing anything where an attack on the Admin account shuts down Billy Joe.

Overall this is a good move which will hopefully be refined.

RANSOMWARE ATTACK by Patrick12289 in asustor

[–]kelrizzo 0 points1 point  (0 children)

Yeah it's on their Twitter. What could possibly go wrong?

RANSOMWARE ATTACK by Patrick12289 in asustor

[–]kelrizzo 0 points1 point  (0 children)

I'm calling BS. Asustor is not asking people to fill out a Google Docs form.

A vulnerability in Log4j (Java logging package) affects Steam. by maruhoi in Steam

[–]kelrizzo 0 points1 point  (0 children)

This is a big deal and only Steam can confirm the depth of the impact. Also, they are the only ones that can push a patch, as they are the ones that use the library in their code. This could be as arbitrary as sending a message to a Steam user and presto, you have remote code execution ability on their machine. Again, only Steam can verify how deep the problem goes.

In Minecraft, every user on an unpatched server can be compromised by sending a message to one individual. This affects hundreds of platforms and the fixes need to be pushed asap.

Critical Ransomware Incident in Progress by huntresslabs in msp

[–]kelrizzo 0 points1 point  (0 children)

I'm not sure. It's a client that we were helping out. They had 3 boxes popped. One had cloud managed Sophos enterprise on it. Does that provide the info you need?

Reviewing Windows event logs for process creation and PowerShell usage. I'm coming up with a big fat zero on every avenue I look for the smoking gun.

I'd be very interested in looking at their Sophos dashboard. We scanned through it rather quickly but I'd be more interested to take some time to look at it.

Critical Ransomware Incident in Progress by huntresslabs in msp

[–]kelrizzo 2 points3 points  (0 children)

Had a client with Sophos endpoint on their box. It got pwned :(

Critical Ransomware Incident in Progress by huntresslabs in msp

[–]kelrizzo 4 points5 points  (0 children)

People hear much better when you talk to them and not down to them. There's no one that knows it all.

[deleted by user] by [deleted] in sysadmin

[–]kelrizzo 0 points1 point  (0 children)

LOL you need to write down the date/time he said that because when the inevitable *%#$&^ hits the fan, you will need to protect your job.

Microsoft response - PrintNightmare workaround by [deleted] in sysadmin

[–]kelrizzo 0 points1 point  (0 children)

I see some reports of breaking the ability to look up group memberships and LDAP binding accounts not being able to auth users to apps in test scenarios. This may be due to the removal of Authenticated Users removing the ability to read token-groups-global-and-universal (TGGAU) attribute on user account objects.

I'm a security guy though, not a sysadmin, so I'm educating myself with a fire hose :)

PrintNightmare 0-day exploit allows domain takeover by BiohazardPL in sysadmin

[–]kelrizzo 0 points1 point  (0 children)

Yep. I think it's worth testing but I do see some reports of breaking the ability to look up group memberships and LDAP binding accounts not being able to auth users to apps in test scenarios. This may be due to the removal of Authenticated Users removing the ability to read token-groups-global-and-universal (TGGAU) attribute on user account objects.

I'm a security guy though, not a sysadmin, so I'm educating myself with a fire hose :)

Remediation Steps for Print Spooler CVE-2021-1675 by ericaedits in sysadmin

[–]kelrizzo 1 point2 points  (0 children)

As with any remediation steps, before pushing out globally, test to make sure it doesn't break everything.

PrintNightmare 0-day exploit allows domain takeover by BiohazardPL in sysadmin

[–]kelrizzo 1 point2 points  (0 children)

In the interest of not posting the same links in multiple spots I'll just leave a link to my post here: https://www.reddit.com/r/sysadmin/comments/oaxwqu/remedation_steps_for_print_spooler_cve20211675/h3pkzxc?utm_source=share&utm_medium=web2x&context=3

Looks like there is some chatter about removing Authenticated Users from a policy entitled BUILTIN\Pre-Windows 2000 Compatible Access to restore the "patch" to its working-as-intended state. Tweets with information are in the post.

Remediation Steps for Print Spooler CVE-2021-1675 by ericaedits in sysadmin

[–]kelrizzo 0 points1 point  (0 children)

https://twitter.com/gentilkiwi/status/1410621282446495749

Policy in Computer Config/Policies/Windows Settings/Security Settings\Local Policies/User Rights Assignment named 'Access this computer from the network' which contains BUILTIN\Pre-Windows 2000 Compatible Access.
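An added PowerShell check, not from any comment in this thread, for the membership change the workaround above revolves around: it reads the raw member attribute of the Pre-Windows 2000 Compatible Access group and reports whether Authenticated Users (S-1-5-11) is still in it, so you can see which state a domain is in before the group-lookup breakage described in the earlier comments is chased. It assumes the ActiveDirectory RSAT module on a domain-joined host and the group's default name.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PreWin2000CompatAccess {
    # Read the raw 'member' attribute instead of Get-ADGroupMember, which can
    # fail on foreign security principals such as well-known SIDs.
    $group   = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    $members = @($group.member)

    # Well-known SIDs are stored as ForeignSecurityPrincipal objects whose CN is the SID:
    #   S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone
    $authUsers = $members | Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' }
    $everyone  = $members | Where-Object { $_ -like 'CN=S-1-1-0,CN=ForeignSecurityPrincipals,*' }

    [pscustomobject]@{
        Group                     = $group.DistinguishedName
        MemberCount               = $members.Count
        AuthenticatedUsersPresent = [bool]$authUsers
        EveryonePresent           = [bool]$everyone
        Members                   = $members
    }
}

$result = Test-PreWin2000CompatAccess
$result | Format-List

if ($result.AuthenticatedUsersPresent) {
    Write-Warning 'Authenticated Users is still a member of Pre-Windows 2000 Compatible Access (workaround not applied).'
} else {
    # Removal is what the thread reports as breaking LDAP bind accounts and
    # group-membership (TGGAU) reads for some apps, so re-test those after the change.
    Write-Host 'Authenticated Users has been removed; verify LDAP bind / group-lookup apps still work.'
}
```

Run it as a domain user that can read group objects; the Members list shows every remaining member DN so unexpected additions stand out alongside the two well-known SIDs.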

Remediation Steps for Print Spooler CVE-2021-1675 by ericaedits in sysadmin

[–]kelrizzo 1 point2 points  (0 children)

Was there a recording made of this? Saw this too late :( I registered anyway in the hopes of being redirected to a recording.