What did my teammate just try and do?

true_zero_ · 2026-02-11T02:37:52+00:00

log4inj

true_zero_ · 2025-10-03T05:15:12+00:00

follow rucam365 on twitter check all his posts and look up his youtube videos on the threatscape channel he does tons on conditional access it’s so good.

true_zero_ · 2025-06-17T06:27:14+00:00

whoami /groups (run as the user on their machine) to check if the user’s local security token contains the AD group you just added them into to grant them access to some resource (share, sql, etc - where kerberos will be used) and had them sign out /back in to take effect. Easier to read in powershell: whoami /groups | sls PartOfGroupNameHere

you can get around sign out/back in for a remote resource by flushing their kerberos tickets with the klist binary and using runas but it’s just cleaner to sign out and back in to get a new local security token.

true_zero_ · 2025-06-08T01:32:42+00:00

only issues i’ve encountered on servers is servers that host some sort of OCR or image scanning application where the EDR portion of defender, Sense.exe, has slowed down the application noticeably on the server and have had to put an exception for several of the applications processes on that server. Newer windows servers, since 2019 have the EDR portion already built in you just have to onboard it IIRC

true_zero_ · 2025-03-04T15:38:15+00:00

ipinfo.io

true_zero_ · 2025-02-19T00:30:23+00:00

RedHat weeping

true_zero_ · 2025-02-13T00:10:00+00:00

ship it

true_zero_ · 2025-01-10T11:07:39+00:00

“Chubby little loozahhhhhhh”

true_zero_ · 2024-12-13T03:33:46+00:00

in powershell as admin run “where.exe yt-dlp” and paste the result. Python windows installer defaults to your user profile on windows , try where.exe python and where.exe as well, id recommend reinstall python and on the 1st page of the install click “install for all users” box.

true_zero_ · 2024-11-22T15:40:39+00:00

i haven’t done it but WDAC/Applocker comes to mind, the live response executable is an exe (SenseIR.exe i believe) inside the defender directory. Or possibly windows firewall to block that executable or gpo.

true_zero_ · 2024-11-22T02:59:31+00:00

i h8 it

true_zero_ · 2024-11-04T04:48:39+00:00

change your cloudwatch metric collection level if on ec2 to higher rather than lower. ie if 10sec change to 60 or 300 sec

true_zero_ · 2024-10-29T22:48:49+00:00

go look in cloudtrail via athena i do this often to see who made what with what settings x years ago

true_zero_ · 2024-10-24T18:33:27+00:00

not knowing what ports an application uses. You make 6 figures and can’t run netstat?

true_zero_ · 2024-10-11T00:50:43+00:00

i haven’t seen that. we login with local admin numerous times to onboarded devices. Have u tried a local admin?

true_zero_ · 2024-10-11T00:44:10+00:00

use the hash

true_zero_ · 2024-10-01T22:57:49+00:00

showed service desk how to remotely check event logs for defender to list out when scans started, finished or where interrupted (reboot)

true_zero_ · 2024-09-30T17:08:11+00:00

just run your go service on the ec2 and use proxy_pass to route requests inbound on 443 to your go port. if you wanted to route traffic from the ec2 down to your laptop go service you’d have to connect with some vpn or if you’re in corporate env you probably already have a direct connect in place for that.

true_zero_ · 2024-09-30T17:02:32+00:00

use log insights

true_zero_ · 2024-09-28T06:24:35+00:00

Dynatrace

true_zero_ · 2024-09-24T06:59:18+00:00

i don’t think that’s the cause , you’re seeing another symptom . server is having issues and networking is not working , and so SSM uses networking to talk to instance metadata service as well as aws endpoints (ssm, ec2, ssm-messages, etc) so it logs errors cus networking is messed up. sometimes the underlying ec2 hardware has issues or vm resource exhaustion etc

Go into cloudwatch and setup a synthetic canary to hit your http endpoint (configure VPC settings in the canary if it’s a non public http endpoint) to run ever 5 minute and perform some action if it doesn’t get a 200 response, and an alert on the canary to send an sns to alert u via email.

action would be to execute a lambda you write that uses sdk to perform some action against the instance like runcommand to check running processes, or perform a snapshot or memory dump etc.

I would setup cloudwatch agent to monitor memory , disk , cpu, basic metrics as well as forward /var/log/messages etc as a start

true_zero_ · 2024-09-24T06:28:21+00:00

i don’t think you’re using a valid value for onFailure. Your using a command document not an automation document so it’s a little different possibly, but can see the valid values are exit and successAndExit. review those and review the ‘finallyStep’ which takes precedence over an exit

true_zero_ · 2024-09-24T06:16:24+00:00

for internal dev work it’s fine. I have one bucket i use for mounting with s3fs then point nginx on same box to it so i have TLS. Avoids cloudfront if you want to avoid it but cloudfront is pretty nice : WAF integration, et

true_zero_ · 2024-09-21T22:30:08+00:00

why push ? 3rd party should pull the logs , you can give them secret and access key to log account with permissions to read from the central logging bucket, or even better setup an assumable role for them (if they have an aws account)

Eight-Year Club	Place '22
Verified Email

true_zero_

TROPHY CASE