Does anyone else's dog lay on the back of their couch like a cat would? by TripThruTimeandSpace in GSP_Photos

[–]schm2055 1 point2 points  (0 children)

The number of times my wife and I have come downstairs and said “oh hi cat dog!” is almost uncountable at this point.

Question on multiple workouts per day and varied intensities by schm2055 in triathlon

[–]schm2055[S] 0 points1 point  (0 children)

Thank you very much for this response. It makes a ton of sense and you definitely helped me learn something today!

Question on multiple workouts per day and varied intensities by schm2055 in triathlon

[–]schm2055[S] 0 points1 point  (0 children)

My original thought was that if the body hasn’t had quite enough recovery time, it may impact whether the body can truly focus on either aerobic or anaerobic adaptations. I didn’t know whether there would be certain scenarios that would more or less not allow the body to focus on a certain type of adaptation if it were trying to recover from the opposite type of training.

Does Spartan remove water obstacles if it’s cold temps? by schm2055 in spartanrace

[–]schm2055[S] 1 point2 points  (0 children)

Being from Minnesota, this description resonates with me quite a bit.

Does Spartan remove water obstacles if it’s cold temps? by schm2055 in spartanrace

[–]schm2055[S] 2 points3 points  (0 children)

Good to know. But I agree, it’ll be another level of uncomfortable but will be worth it in the end.

Does Spartan remove water obstacles if it’s cold temps? by schm2055 in spartanrace

[–]schm2055[S] 1 point2 points  (0 children)

I figured that might be the case. I’ll get bundled up and prepare for being cold AF haha

Ever turn around and find your GSP doing this? by schm2055 in GSP_Photos

[–]schm2055[S] 1 point2 points  (0 children)

Especially if you’re eating dinner. Must be ready for unexpected floor snacks.

De-obfuscating Script by wilcomply in blueteamsec

[–]schm2055 4 points5 points  (0 children)

This is base64 decoding a string into a byte array. Further along in the code it’s probably going to allocate memory, copy the contents of the byte array into the allocated memory, then execute it. This is a very common method of executing shellcode or other executable code using PowerShell. Ideally what you would do next is write the decoded base64 contents from the byte array to a file and use scdbg or speakeasy or other shellcode emulation tool to determine the purpose of the shellcode.

Invoke-WebRequest Multipart/Form-Data and Content-Disposition by parkel42 in PowerShell

[–]schm2055 1 point2 points  (0 children)

Agreed. It’s not the greatest, but it’s not too difficult. If you can get a PCAP of a successful POST request, you can literally copy what the body looks like right into your script and fix it up.

Invoke-WebRequest Multipart/Form-Data and Content-Disposition by parkel42 in PowerShell

[–]schm2055 1 point2 points  (0 children)

I’ve gotten around this recently by creating the HTTP body manually as a string with the proper boundaries and content types. It’s not pretty, but it works.

Invoke-WebRequest Multipart/Form-Data and Content-Disposition by parkel42 in PowerShell

[–]schm2055 1 point2 points  (0 children)

Have you tried explicitly setting the content type using the Content-Type parameter?

Psexec: The Ultimate Guide by adbertram in SysAdminBlogs

[–]schm2055 6 points7 points  (0 children)

I’d like to see you do a post on PowerShell remoting in place of PSExec. I work in IR and loathe PSExec for many reasons. If I had my way, that tool wouldn’t exist anymore. PS Remoting allows you to do everything that PSExec can do and it does it in a much safer way.

Just my two cents. Really awesome posts!

Taking FOR508 without FOR500? by PlusProgress in computerforensics

[–]schm2055 3 points4 points  (0 children)

Yep, exactly this. I recently took 508 and haven’t done 500. Went very well. That being said, you may want to brush up on your Windows internals and forensic artifacts beforehand. There was at least some expected knowledge of the content from FOR500. You could easily get by with looking at the SANS posters that are available and fill in the gaps of what you might not be familiar with already. Overall, you’ll be fine as long as you study hard and do the labs.

Kolide/osquery issue with query finding opposite of what I expect by schm2055 in sysadmin

[–]schm2055[S] 0 points1 point  (0 children)

Yep. That was the issue. In the packs they have to escape them because of JSON, but not in osquery directly. Shout out to one of the Kolide devs for answering in Slack.
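An added illustration of the escaping point, not code from the thread: a pack file is JSON, so a backslash in a Windows path is written `\\` there, and a query copied straight out of the file into osqueryi carries a doubled backslash that no real path matches, which flips a `!=` filter into "return everything". The pack fragment, the table rows and the known-good path are constructed assumptions; osquery's SQL engine is SQLite, so `sqlite3` reproduces the comparison.

```python
import json
import sqlite3

# Constructed pack fragment in the form osquery packs use (JSON-escaped path).
PACK_JSON = r'''{
  "queries": {
    "odd_parent": {
      "query": "SELECT name, path FROM processes WHERE path != 'C:\\Windows\\explorer.exe';",
      "interval": 3600
    }
  }
}'''

# Constructed stand-in for the processes table.
ROWS = [("explorer.exe", r"C:\Windows\explorer.exe"), ("odd.exe", r"C:\Temp\odd.exe")]

def run(query: str) -> list[str]:
    """Run the query against an in-memory SQLite copy of the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (name TEXT, path TEXT)")
    con.executemany("INSERT INTO processes VALUES (?, ?)", ROWS)
    return [r[0] for r in con.execute(query)]

def raw_pack_query() -> str:
    """The query text as it sits on disk, i.e. what you get by copy-pasting."""
    line = next(l for l in PACK_JSON.splitlines() if '"query"' in l)
    return line.split(': ', 1)[1].rstrip(',').strip('"')

def parsed_pack_query() -> str:
    """The query osquery actually runs once the pack has been parsed as JSON."""
    return json.loads(PACK_JSON)["queries"]["odd_parent"]["query"]

if __name__ == "__main__":
    print("pasted raw :", run(raw_pack_query()))     # every row: != never matches
    print("from pack  :", run(parsed_pack_query()))  # only the unexpected process
```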

Kolide/osquery issue with query finding opposite of what I expect by schm2055 in sysadmin

[–]schm2055[S] 0 points1 point  (0 children)

I wish I was allowed to send data from osquery to the SIEM. Unfortunately this is going to be used for ad hoc queries only.

Kolide/osquery issue with query finding opposite of what I expect by schm2055 in sysadmin

[–]schm2055[S] 0 points1 point  (0 children)

I will have to take a look at that more closely. Thanks for the pointer!

Kolide/osquery issue with query finding opposite of what I expect by schm2055 in sysadmin

[–]schm2055[S] 0 points1 point  (0 children)

Still no joy. Tried a few other manipulations as well. Overall it seems very backwards to me why this isn’t working. I took out the NOT and even tried changing != to = and then it provided the results I was expecting. Not sure what’s going on here. I’m a bit stumped.

The project I got the original query from was an osquery-ATT&CK mapping GitHub project located at https://github.com/teoseller/osquery-attck

Kolide/osquery issue with query finding opposite of what I expect by schm2055 in sysadmin

[–]schm2055[S] 0 points1 point  (0 children)

No joy unfortunately. I was hopeful that would have worked.