WhiskeyHacker (@whiskeyhacker)
Followers: 4K | Following: 11K | Media: 1K | Statuses: 9K
Founder, https://t.co/BFCMRHVjmP and https://t.co/qaihcRLDOm Coast Guard Veteran & Honorary Chief Petty Officer
California, USA
Joined December 2006
For those who have been asking I won't be at RSA this year. No booth. No badge. No hallway conversations about "the threat landscape." I'll be exactly where I should be. With my team at https://t.co/ghbSKW68bj and with our customers. Conferences are great for some things. But
threathunter.ai
Expert threat hunters + AI find breaches automated tools miss. 24/7/365 monitoring, zero false positives. Protecting organizations since 2007.
Sunday coffee time before I go to Lowe’s to buy 2x4s to repair a horse stall Curbside pickup FTW
I spent my normal whiskey/cigar break thinking and reading and counting how many configuration "switches" are available when you are a firm like Stryker. 36,000 to 45,000 config settings And that's before you count the permutations. You think a spreadsheet and a quarterly
CISA published an advisory on endpoint hardening after Stryker. The RBAC guidance is solid. Multi Admin Approval for Intune is not a complete solution either. An attacker with Global Admin can create the second approver account themselves. That is a five minute delay, not a
threathunter.ai
CISA published an advisory on endpoint management hardening after the Stryker wipe. Their Multi Admin Approval recommendation is a speed bump, not a wall. Here is what actually stops a Global Admin...
Spent last 32 hours nonstop finding more Handala / Stryker data & open systems Processing it tonight will have another detection pack/ioc late tonight or early hours Found evidence of potential upcoming issue Taking a one hour whiskey break and cigar to clear the mind a little
Taken from the Stryker Handala / Intune Detection Pack v2 "Check PIM role settings for Global Administrator, Intune Administrator, and Cloud Device Administrator. If you see only the "Require Azure MFA" checkbox and no Authentication Context configured, you have the same gap
threathunter.ai
Five new Sigma rules and KQL queries for Microsoft Sentinel covering MuddyWater pre-positioning IOCs, the PIM Authentication Context gap, three-layer bulk wipe prevention, stale session detection,...
This is a mega blog update, all centered around Stryker (so a part2, or an update) On March 6, I found an open directory on a live Iranian operational server. Custom brute force tools with Persian-language comments. 280+ Israeli targets. Neo-reGeorg webshells on the Portuguese
25+ years of doing this and the pre-op checklist still starts with "secure the whiskey!!!." Full HackHaus lab rebuild this weekend New AI systems (lots of Blackwells) coming online in the HackHaus for some serious punishment testing on the code I built Wire rack goes where the
The Book of Genetic 1:1 In the beginning there was only signal, and the signal moved across the void. 1:2 And the void was without boundary, unsegmented and dark, and malicious traffic moved upon the face of the deep. 1:3 And the Architect said, Let there be visibility, and
Has anyone sold shares of themselves, like an IPO? (Initial Person Offering)
vent : Life [redacted] [redacted] so [redacted] [redacted] with [redacted][redacted] and shitty [redacted] /vent
Iran-linked Handala wiped a 56,000-employee Fortune 500 on the night of March 10-11 They got Global Admin creds, logged into Microsoft Intune, and bulk-wiped every enrolled device But 50TB of exfil means they were deep in the environment for weeks first Detection pack covering
I am going to show you a photo of my Cock and the Only Chicks crew
March 14th Press release goes out. "On March 14th we detected unusual activity."
March 12th Attacker deploys ransomware. Now everyone knows. March 13th The incident response plan is located. It is a PDF last updated in 2021. Two of the three contacts listed no longer work there. The third one is on vacation in Costa Rica and is not responding. March 13th,
October through February Attacker is doing recon, moving laterally, exfiltrating quietly. The SIEM is generating low alerts. The alerts are going into a queue. The queue is very long. February 11th An analyst named Marcus sees something weird. He creates a ticket. The ticket is