da_667

@da_667@infosec.exchange

Senior Security Researcher, Proofpoint Emerging Threats.

I've been doing this cybersecurity thing for the better part of a decade now. Probably longer than that. I'm starting to forget. Time is relative, but it surely isn't kind to my memory.

I'd like to think I do cybersecurity well, but blue teamers collectively get told they're doing it wrong constantly. So maybe I just failed forward throughout my career.

Oh, I wrote a book. It's a good framework for setting up a virtual machine lab. See my bookmarked toots if you're curious.

Work-Related hashtags:
#Iocs #ThreatIntel #DFIR #Malware #NSM #suricata #snort #BEC #phishing #APT #ThreatDetection

Hobbies:
#VideoGames #XCOM2 #Minecraft #Synthetik #Fallout #Skyrim #Anime #Manga #Adventure #Fantasy #Isekai #HomeImprovement #WoodWorking #MetalWorking #HomeLab


da_667, to random

https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/

>"The main_proto_A_QueryDns component resolves domains to IP addresses using the cloudflare-dns[.]com service, which main_proto_X_WebSocketClient uses for resolving C2 domain names."

WHAT DID I FUCKING TELL YOU.

da_667,

Time for me to reiterate why I think DOH is fucking garbage. This is the cliffnotes version:

-If you read the RFC, never once is privacy listed as a goal for the protocol
-Ostensibly, you get some privacy on the first hop, but from there, you have zero guarantees on literally anything. You have promises from various companies, but that doesn't mean jack shit.
-I'd like you to consider that cloudflare doesn't have a good track record of policing abuse of their platforms, they tacitly support white supremacists and terrorists, they've been known to forward abuse requests containing personal information of those who have submitted them to their abusers, and they have zero financial incentive to stop the flow of traffic. THIS INCLUDES MALWARE, THERE IS SO MUCH FUCKING MALWARE USING CLOUDFLARE. They are a default DoH provider choice in the major browsers that support it.
-Transaction ID is always set to zero for DoH requests to improve caching. This is actually written into the protocol. Y'all know why the transaction ID/DNS ID exists, right? This opens up attack paths for man in the middle attacks. Think QUANTUM and PRISM-type bullshit, where the answer to your DNS query is changed but you'll never know.
-The only goal of the protocol was to move DNS resolution to the browser, so that the browser is cognizant of how domains are being resolved. It's anti-adblocking tech.
-Think about who the major players are behind DoH - It was driven by Cloudflare, Mozilla, and Google, and while I like Firefox, they all have financial incentive to see how domain resolution is occurring and ensure ads are delivered to clients. Y'all are aware of google's Web Integrity web DRM shit, right? How much you wanna bet that if it becomes a standard, there will be websites popping up whereby resolution via DoH is required for viewing the content? I wonder why that would be?
-Flow analysis easily reveals which HTTPS traffic is likely to be DoH traffic. You can't hide connection metadata.
-Several tools have been developed to use DoH as C2, and even file storage, if you're brave enough.
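For anyone inspecting proxy or decrypted-TLS logs for the kind of DoH lookups the thread above describes, here is an added example (not the author's code) that pulls the queried name out of an RFC 8484 GET request. It assumes the `?dns=` base64url form from the RFC, a small hand-picked resolver list, and a sample URL constructed around the www.example.com query that appears in RFC 8484's own examples.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Public DoH resolvers to watch for (constructed list for this example;
# cloudflare-dns.com is the one named in the SentinelOne report above).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}


def decode_doh_param(dns_param: str) -> bytes:
    """RFC 8484 sends the DNS message as base64url with padding stripped."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    return base64.urlsafe_b64decode(padded)


def parse_dns_query(msg: bytes) -> dict:
    """Parse the header and first question of a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!2H", msg[pos:pos + 4])
    return {"id": txid, "qdcount": qdcount, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def inspect_doh_url(url: str) -> Optional[dict]:
    """Return the decoded query for a GET to a known DoH resolver, else None."""
    u = urlparse(url)
    if u.hostname not in KNOWN_DOH_HOSTS:
        return None
    params = parse_qs(u.query)
    if "dns" not in params:
        return None
    info = parse_dns_query(decode_doh_param(params["dns"][0]))
    info["resolver"] = u.hostname
    return info


# Constructed sample: RFC 8484's www.example.com A query, as a GET to cloudflare-dns.com
SAMPLE_URL = ("https://cloudflare-dns.com/dns-query"
              "?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB")
```

Note that the transaction ID in the decoded header is 0, which is what RFC 8484 recommends clients send; the queried name is the field a defender actually wants to log.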

da_667, to random

looks like my DoH toot is making waves again. Don't make me tap the fucking sign.

da_667, to random

I love it so much.

da_667, to random

it feels so good to be able to run a bat file that just deletes defender AV.

da_667,

you open the door, you pull out the flechette cannon, you blow off chunks of Windows 11, you close the door.

da_667, to random

hey hey, people. Happy monday.

da_667,

@eater yup. XCOM2:War of the Chosen has a feature called the photobooth, where you can put your soldiers in ridiculous ass poses, and take pictures from different points on the map. Huge variety of poster fonts, image effects, etc.

da_667, to random

happy concussion sport day.

da_667,

happy "I'm so important, they flew TWO empty planes to my airport" day.

da_667,

rest of us get told we're demons for wanting plastic straws, but jesus fuck if I miss concussion sport.

da_667,

friendly reminder that the NFL doesn't acknowledge any of the health problems associated with repeatedly getting concussions from their sport.

da_667,

happy "we always have money to dedicate to this worthless fucking stadium that charges 20 dollars for a beer, but fuck if we have money to maintain infrastructure, schools, feed the children, or literally any-fucking-thing else that returns massive dividends" day

da_667,

happy "we can afford an ad that is probably priced in the millions of dollars for a few seconds of airtime, but we have to cut 5-15% of our staff" day

hacks4pancakes, to random

Fun fact, my chosen nemeses for the last twenty years have been the Freemasons. Just because I’m put out they won’t let me join. I’ve devoted inordinate hours to finding and learning all their secrets people drunkenly admit to.

Yes, it’s all very boring. I just don’t care.

da_667,

@hacks4pancakes that's pretty epic that you have a named enemy, senpai. Like dwarves and giants. or dwarves and elves. or dwarves and other dwarves. Man. Dwarves are a contentious lot.

da_667, to random

I don't even understand why the fuck windows update even has error codes when every single fucking one of them always has the same advice from microsoft: Delete SoftwareDistribution, run the troubleshooter which never works, run dism /cleanupimage /restorehealth or use the windows 11 installer tool to do a clean install. Don't even bother giving me the error code.

Then you go to the event viewer for windows update logs and it's like "the update failed to download" and you ponder the pros of lobotomy via soup spoon.

da_667, to random

that one kid screeching in the store that they didn't get what they want, while you quietly wish you had a cattle prod for such moments.

da_667,

in deus ex, you could tase the children. that game was ahead in so many ways.

da_667, to random

I let my windows box run again last night after the massive addition to my HOSTS file from this repo:

https://gist.github.com/niutech/1f1c1518ce0eba7e8d429c812d39493d

and also, a whole shit ton of system modifications from privacy.sexy...

I had a grand total of 56kb of traffic recorded overnight

-CRL pickup from microsoft
-ICMPv6 router advertisements
-DHCP
-NTP

That was it. That was all of it. Damn it's good.

da_667,

@gsuberland unbelievably, it does.

I ran into a shit ton of issues reaching windows update last night, but it turns out that was likely because mitmproxy was grabbing those connections and the OS didn't appreciate that. After I disabled the proxy, it worked fine.

da_667, to random

years of proprietary SSLVPNs and weird connection rituals only to find out that the OS under the hood is like, CentOS 5 or some shit.

da_667, to random

I made some slight changes to my pfblocker config on the firewall. some of these domains just did not want to co-operate with being put in the hosts file. Absolutely refused to null route www.msn.com and config.msedge.skype.com so I null routed them on the DNS server. Fuck you: the revengeance

da_667, to random

So I tried keeping ms teams and dropbox installed on my malware box to make it look a little "lived in", and I fucking can't lads. Those two apps alone generated like 180MB of traffic in the span of moments after the machine booted. I didn't create a dropbox or teams account for either app on the system and they were just shitting traffic EVERYWHERE.

da_667,

Here is a paste of my host file entries, and what I believe these entries affect.

https://pastebin.com/r88TtG90

My goals and yours may be entirely different. I'm looking to make my system as silent as moonlight so that I may more closely monitor malware on it.
