Jeff Beley
beley.org
@beley.org
Incident response and incident response accessories @Accenture. Opinions are my own. DNS aficionado. grep/sed/awk connoisseur.
After we achieved our mission, we left the site at 2AM. Fortunately for our client, the head of IT didn't "put strychnine in the guacamole". This is why I still keep a USB to RS232 in my IR go bag to this day.
January 23, 2025 at 10:35 AM
Luckily, the IT admin left me an open session on the RS232 port. So I didn't actually have to "hack" it. I then added another admin user and an interface to a device implant I brought with me to "phone home".
January 23, 2025 at 10:34 AM
After finding the device in question, which took a bit due to the spider web of cables, we found the admin interface, RS232. I connected my laptop and fired up my favorite serial terminal program.
January 23, 2025 at 10:33 AM
There was one device that didn't have an exposed admin interface. I just happened to have experience on this network device. So at 10 pm on a Friday, we came to the client site, dressed as the cleaning crew.
January 23, 2025 at 10:33 AM
Hold on for a wild story. I had a client who had sufficient cause to worry that the head of IT was going to "put strychnine in the guacamole" and take down the whole organization. My team worked with our red team to establish persistence in the network.
January 23, 2025 at 10:32 AM
Many threat actors leave the Windows firewall disabled, and services like Shodan, Censys, Binary Edge, etc. are able to pull back that data. Very useful for tracking threat actors and for doing IR investigations.
December 19, 2024 at 8:17 PM
Where it is sufficiently unique:

SSL metadata
JARM/JA4 data
SSH Keys
Unique services running on weird ports
Banner/content hashes
Windows "bleedthrough" hostname (Windows VMs exposed on some virtual host)

There's probably more that I missed.
December 18, 2024 at 9:13 PM
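The two posts above describe pivoting on fingerprints that internet scanners expose (SSH host keys, certificate hashes, banner hashes, odd service/port pairs, bleed-through hostnames) and only trusting a pivot when it is "sufficiently unique". The script below is an added example, not code from the author or from any scanning service: it computes those fingerprints for scan-style host records and keeps only the pivots that link more than one host but are rare enough to mean something. All host records, keys, certificate bytes and the field names of the record dicts are constructed for this example; the SSH fingerprint format is the one `ssh-keygen -lf` prints, and the certificate fingerprint is what `openssl x509 -fingerprint -sha256` prints without colons. SHA-256 for the banner hash is an assumption (any stable hash works).

```python
"""Find shared, sufficiently unique infrastructure pivots across host records.

Added example; all records and keys below are constructed sample data."""
import base64
import hashlib
import struct
from collections import defaultdict

# Ports at which a service is unremarkable; the same service elsewhere is a pivot.
USUAL_PORTS = {"ssh": {22}, "http": {80, 8080}, "https": {443, 8443}, "rdp": {3389}}


def make_ed25519_pubkey(raw32: bytes) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64>' line from 32 raw bytes.

    Only used to construct sample data. The bytes are not a real key pair,
    which does not matter for fingerprinting."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex, no colons."""
    return hashlib.sha256(cert_der).hexdigest()


def banner_hash(banner: str) -> str:
    """Hash of the whitespace-normalised banner (SHA-256 is an assumption here)."""
    return hashlib.sha256(" ".join(banner.split()).encode()).hexdigest()


def extract_pivots(rec: dict) -> list:
    """Return (pivot_type, value) pairs for one host record."""
    pivots = []
    if rec.get("cert_der"):
        pivots.append(("cert_sha256", cert_fingerprint(rec["cert_der"])))
    if rec.get("ssh_key"):
        pivots.append(("ssh_key", ssh_fingerprint(rec["ssh_key"])))
    if rec.get("banner"):
        pivots.append(("banner_sha256", banner_hash(rec["banner"])))
    for svc, port in rec.get("services", []):
        if port not in USUAL_PORTS.get(svc, set()):
            pivots.append(("odd_port", f"{svc}:{port}"))
    if rec.get("hostname"):  # e.g. a Windows VM name bleeding through RDP/SMB
        pivots.append(("hostname", rec["hostname"]))
    return pivots


def find_shared_pivots(records: list, max_shared: int = 3) -> dict:
    """Map each pivot to the hosts carrying it, keeping only pivots that tie
    more than one host together but are rare enough to mean something.

    A pivot on more than `max_shared` hosts (a stock OpenSSH banner, say)
    is noise, not attacker infrastructure; the threshold is an assumption."""
    index = defaultdict(set)
    for rec in records:
        for pivot in extract_pivots(rec):
            index[pivot].add(rec["ip"])
    return {p: sorted(ips) for p, ips in index.items() if 1 < len(ips) <= max_shared}


# Constructed sample data: two hosts built from the same image share an SSH
# host key, two share a self-signed cert, two expose RDP on an odd port, two
# leak the same Windows hostname, and all five show the same stock banner.
KEY_SHARED = make_ed25519_pubkey(bytes(range(32)))
KEY_OTHER = make_ed25519_pubkey(bytes(range(32, 64)))
CERT_SHARED = b"constructed DER bytes standing in for a reused self-signed cert"
STOCK_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"

RECORDS = [
    {"ip": "203.0.113.10", "ssh_key": KEY_SHARED, "banner": STOCK_BANNER,
     "cert_der": CERT_SHARED, "services": [("ssh", 22), ("https", 443)]},
    {"ip": "203.0.113.11", "ssh_key": KEY_SHARED, "banner": STOCK_BANNER,
     "services": [("ssh", 22), ("rdp", 50000)]},
    {"ip": "203.0.113.12", "ssh_key": KEY_OTHER, "banner": STOCK_BANNER,
     "cert_der": CERT_SHARED, "hostname": "WIN-7K2Q9BZ1A", "services": [("ssh", 22)]},
    {"ip": "203.0.113.13", "banner": STOCK_BANNER, "hostname": "WIN-7K2Q9BZ1A",
     "services": [("ssh", 22), ("rdp", 50000)]},
    {"ip": "203.0.113.14", "banner": STOCK_BANNER, "services": [("ssh", 22)]},
]

if __name__ == "__main__":
    for (kind, value), ips in sorted(find_shared_pivots(RECORDS).items()):
        print(f"{kind:14} {value[:44]:44} {', '.join(ips)}")
```

With the sample data the stock banner is dropped because every host carries it, while the reused host key, the reused certificate, RDP on port 50000 and the shared Windows hostname each tie exactly two hosts together. On real exports the same logic applies: raise `max_shared` when hunting a large campaign, and check any surviving pivot against a broad search before trusting it, since a "unique" banner can turn out to be a product default.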
Swiftonsecurity or ionstorm (fork of the former)
December 10, 2024 at 6:23 PM
If you want to change just the display of one (or many if your network allows broadcast), you can use a script similar to gist.github.com/skreuzer/b29...
and make them all say "PC LOAD LETTER"
[GIF, media.tenor.com: a man in a striped shirt and tie leans on a printer and freaks out when the printer says PC LOAD LETTER]
November 29, 2024 at 2:37 PM
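The post above points at a script for changing a printer's front-panel text. The following is an added example, not the linked gist or the author's own script: it builds the PJL `RDYMSG DISPLAY` command (wrapped in the Universal Exit Language sequence) and pushes it to each target over raw port 9100. It walks an explicit host list rather than relying on broadcast; the 16-character cap on the message and the example address are assumptions, and the double-quote stripping is there because PJL string arguments are themselves quoted.

```python
"""Set the ready message on HP-style printers via PJL over port 9100.

Added example; the target address in main() is illustrative."""
import socket

UEL = b"\x1b%-12345X"  # Universal Exit Language: enters and leaves PJL mode
PJL_PORT = 9100
MAX_PANEL_CHARS = 16  # assumption: small panels truncate anyway


def pjl_rdymsg(message: str) -> bytes:
    """Build the PJL job that sets the panel ready message.

    The DISPLAY argument is a quoted string, so double quotes and
    non-printable characters are removed and the text is capped to
    MAX_PANEL_CHARS. An empty message restores the printer's default."""
    clean = "".join(ch for ch in message if ch.isprintable() and ch != '"')
    clean = clean[:MAX_PANEL_CHARS].encode("ascii", "ignore")
    return UEL + b'@PJL RDYMSG DISPLAY = "' + clean + b'"\r\n' + UEL


def send_rdymsg(host: str, message: str, timeout: float = 3.0) -> bool:
    """Deliver the job to one printer; False if it cannot be reached."""
    try:
        with socket.create_connection((host, PJL_PORT), timeout=timeout) as sock:
            sock.sendall(pjl_rdymsg(message))
        return True
    except OSError:
        return False


def set_many(hosts, message: str) -> dict:
    """Apply the message to every host in the list; returns host -> success."""
    return {host: send_rdymsg(host, message) for host in hosts}


if __name__ == "__main__":
    import sys

    targets = sys.argv[1:] or ["192.0.2.50"]  # illustrative address
    for host, ok in set_many(targets, "PC LOAD LETTER").items():
        print(f"{host}: {'ok' if ok else 'unreachable'}")
```

Run it with the printer addresses as arguments; pass `""` as the message (or call `set_many(targets, "")`) to put the panels back. Port 9100 takes the job unauthenticated on most office printers, which is the same reason an unexpected RDYMSG on a fleet is worth a look from the IR side.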
Yed > visio

Especially for automation
November 27, 2024 at 1:36 AM