da_667

@da_667@infosec.exchange

Senior Security Researcher, Proofpoint Emerging Threats.

I've been doing this cybersecurity thing for the better part of a decade now. Probably longer than that. I'm starting to forget. Time is relative, but it surely isn't kind to my memory.

I'd like to think I do cybersecurity well, but blue teamers collectively get told they're doing it wrong constantly. So maybe I just failed forward throughout my career.

Oh, I wrote a book. It's a good framework for setting up a virtual machine lab. See my bookmarked toots if you're curious.

Work-Related hashtags:
#Iocs #ThreatIntel #DFIR #Malware #NSM #suricata #snort #BEC #phishing #APT #ThreatDetection

Hobbies:
#VideoGames #XCOM2 #Minecraft #Synthetik #Fallout #Skyrim #Anime #Manga #Adventure #Fantasy #Isekai #HomeImprovement #WoodWorking #MetalWorking #HomeLab


da_667, to random

it feels so good to be able to run a bat file that just deletes defender AV.

da_667, to random

I love it so much.

da_667, to random

hey hey, people. Happy monday.

da_667, to random

that one kid screeching in the store that they didn't get what they want, while you quietly wish you had a cattle prod for such moments.

da_667, to random

I don't even understand why the fuck Windows Update even has error codes when every single fucking one of them always has the same advice from Microsoft: delete SoftwareDistribution, run the troubleshooter which never works, run dism /cleanupimage /restorehealth, or use the Windows 11 installer tool to do a clean install. Don't even bother giving me the error code.

Then you go to the Event Viewer for Windows Update logs and it's like "the update failed to download" and you ponder the pros of lobotomy via soup spoon.

da_667, to random

happy concussion sport day.

da_667, to random

I let my Windows box run again last night after the massive addition to my HOSTS file from this repo:

https://gist.github.com/niutech/1f1c1518ce0eba7e8d429c812d39493d

and also, a whole shit ton of system modifications from privacy.sexy...

I had a grand total of 56kb of traffic recorded overnight:

- CRL pickup from Microsoft
- ICMPv6 router advertisements
- DHCP
- NTP

That was it. That was all of it. Damn it's good.

da_667, to random

years of proprietary SSLVPNs and weird connection rituals only to find out that the OS under the hood is like, CentOS 5 or some shit.

da_667, to random

So I tried keeping ms teams and dropbox installed on my malware box to make it look a little "lived in", and I fucking can't lads. Those two apps alone generated like 180MB of traffic in the span of moments after the machine booted. I didn't create a dropbox or teams account for either app on the system and they were just shitting traffic EVERYWHERE.

da_667, to random

I made some slight changes to my pfBlocker config on the firewall. Some of these domains just did not want to co-operate with being put in the hosts file. Absolutely refused to null route www.msn.com and config.msedge.skype.com, so I null routed them on the DNS server. Fuck you: the revengeance

da_667, to random

discovered a new reason to hate snort 2.9 today. Maybe I'll nerd out over it on the Emerging Threats community site.

da_667, to random

wonderful. Got mitmproxy and tshark working as services on my windows analysis box. I'm able to stop the services, grab the pcaps, keylog file, open it up in wireshark elsewhere, and apply the keylogfile to decrypt SSL sessions seamlessly.

Feelsgoodman

da_667, to random

in addition to starting MITMproxy on startup, I'm looking to start up tshark. Currently working on perfecting my tcpdump filter to eliminate a bunch of annoying ass noise.

da_667, to random

Hypothetically, if you wanted to run MITMProxy on startup on Windows, how would you go about it?

I'm currently considering making a task scheduler task that just triggers "on startup". Is this the best way to go about this?

da_667, to random

let this be a lesson: the Toothbrush botnet had no teeth.

da_667, to random

You've put four different regular expressions into this rule. Are you _sure_ about this?

Me: Skidaddle, Skidoodle, Your CPU Perf Is Now a Noodle

da_667, to random

fun, useless fact about me: I can plug my nostrils with my upper lip.

fun, useless fact about you: You'll try to do this after reading it, and realize you can't.

da_667, to random

Complete the sentence:

"I work in information security. That's why I _________________"

where blank can be words or an image macro as you so desire.

da_667, to random

are php short open tags still a thing?
