Ryan Andorfer

825 posts

@Randorfer

Tanium - VP, Cloud Engineering

Joined August 2009
182 Following 230 Followers
Ryan Andorfer
Ryan Andorfer@Randorfer·
@Delta booked first class with infant and grandparents. Arrived to check in this morning and the grandparents are downgraded to delta comfort without notification and after getting a confirmation. Help!
English
0
0
0
26
Ryan Andorfer retweeted
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
My Signature Creation Mind Map Input: Sample > the things that I check to create YARA signatures, Sigma rules or IOCs > or pivot to related samples in order to improve the signatures / rules
English
10
345
1K
0
Ryan Andorfer
Ryan Andorfer@Randorfer·
@davehull Do what only you can do. Drop the ball and let others pick it up, they will appreciate the opportunity. Figure out what actually motivates you in life, make sure your work goals align to that. Talk to Egon for a refreshing perspective.
English
0
0
0
0
Ryan Andorfer
Ryan Andorfer@Randorfer·
2/2 Yesterday we were told that they would be looking at ways to mitigate the problem more. Today, it looks like the bypass they had in place has been dammed up. Is this just temporary I hope?
English
0
0
0
0
Ryan Andorfer
Ryan Andorfer@Randorfer·
1/2 @MayorShepHarris thank you for personally coming out yesterday to help ensure everything that should be done is being done to protect the homes of Bassett Creek during the bridge construction. @LindaIHiggins do you know what is going on with the project?
English
1
0
0
0
Ryan Andorfer retweeted
Jessica Payne
Jessica Payne@jepayneMSFT·
At least once a week we encounter a case of lateral movement using off the shelf tools like psexec, command line utilities, or eternal blue. You can stop all of them from moving laterally by blocking SMB and RPC between endpoints using the Windows Firewall channel9.msdn.com/Events/Ignite/…
English
11
148
402
0
Ryan Andorfer retweeted
Jessica Payne
Jessica Payne@jepayneMSFT·
Windows Event ID 4624 displays a numerical value for the type of login that was attempted. These numbers are important from a forensic standpoint but also for understanding credential exposure and mitigating risks. Descriptions in replies.
English
20
553
1.5K
0
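As an added example (not part of the thread), the logon-type mapping applied to constructed 4624 events: it parses Windows event XML, tags each logon type with its name and with whether that kind of logon leaves reusable credentials on the host, and reports which accounts are exposed on which machine. Host and account names are constructed sample values.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values seen in 4624 events: name, and whether that kind of logon leaves
# reusable credentials (hash, ticket or cleartext password) in LSASS on the host.
LOGON_TYPES = {
    2: ("Interactive", True), 3: ("Network", False), 4: ("Batch", True),
    5: ("Service", True), 7: ("Unlock", True), 8: ("NetworkCleartext", True),
    9: ("NewCredentials", True), 10: ("RemoteInteractive", True),
    11: ("CachedInteractive", True),
}

def parse_4624(xml_text):
    """Pull host, account and logon type out of one event in Windows event XML."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None  # not a successful-logon event
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", "-1"))
    name, exposed = LOGON_TYPES.get(logon_type, ("Unknown", True))  # unknown: assume exposed
    return {
        "host": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "logon_type": logon_type, "logon_name": name, "creds_exposed": exposed,
    }

def exposed_accounts(xml_events):
    """Map each host to the accounts whose credentials the 4624 events show were left on it."""
    exposure = {}
    for ev in filter(None, map(parse_4624, xml_events)):
        if ev["creds_exposed"]:
            exposure.setdefault(ev["host"], set()).add(ev["user"])
    return exposure

def _event(host, user, logon_type):
    """Constructed sample 4624 event (not real log data) in the schema Windows emits."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>4624</EventID><Computer>{host}</Computer></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">CORP</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>'
    )

SAMPLE_EVENTS = [
    _event("WS01", "alice", 10),      # RDP: alice's credentials now live on WS01
    _event("WS01", "bob", 3),         # SMB/WinRM network logon: nothing cached on WS01
    _event("FS01", "svc_backup", 3),  # file server only sees network logons
    _event("WS01", "da-admin", 2),    # console logon by a privileged account
]
```

Feeding real exported events (for example the XML from Get-WinEvent's ToXml()) into exposed_accounts gives the per-host list of accounts an attacker with local admin could harvest.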
Ryan Andorfer retweeted
Jessica Payne
Jessica Payne@jepayneMSFT·
Have a practice IR. This may look different than you’re expecting. Can you: 1) deploy software or a script to ALL endpoints without errors? 2) identify all your endpoints? 3) know what your patch or configuration deployment status is for a basic item like KB2871997 or a GPO?
English
4
28
116
0
Ryan Andorfer
Ryan Andorfer@Randorfer·
@poshboth @sstranger
Function Get-ArrayListOutput {
    Param()
    # Wrap the Add() calls in $null = $( ... ) so the indexes they return
    # are swallowed instead of leaking into the function's output stream
    $null = $(
        $arrayList = New-Object -TypeName System.Collections.ArrayList
        $arrayList.Add('First')
        $arrayList.Add('Second')
    )
    return $arrayList
}
Get-ArrayListOutput
return control from functions
English
0
0
0
0
Ryan Andorfer retweeted
John Lambert
John Lambert@JohnLaTwC·
In Pike Place Market, you may have come across the Market Penmaker. He made pens and mechanical pencils from woods around the world. I have given them as gifts to friends and acquaintances. He died last month, but I thought his work so beautiful I wanted to share it.
English
1
8
58
0
Ryan Andorfer retweeted
Nick Carr
Nick Carr@ItsReallyNick·
Fun fact: the WMI EventFilter registered by this #DailyScriptlet for persistence leverages TargetInstance.SystemUptime to specify a launch time range (in seconds). For malware, the range is often chosen to allow the system to fully boot then launch once. Method in Vault 7 leak. twitter.com/ItsReallyNick/…
Nick Carr@ItsReallyNick

How about a #DailyScriptlet with spicy VBS obfuscation using split, eval, and chr arithmetic Launches: 1⃣ Metasploit-style shellcode 2⃣ Registry persistent remote mshta 3⃣ WMI persistent #squiblydoo [pictured] cc: @cglyer "reg9.sct" uploaded this week: virustotal.com/#/file/5960880…

English
2
74
158
0
Ryan Andorfer retweeted
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
Poor pentesters, getting up every day to discover & report that software is broken & security concepts are flawed. It takes some time to realise that it'll always stay that way. Become a defender! We kick ass, fight back real adversaries & ruin the day of criminal scumbags.
English
15
92
262
0
Ryan Andorfer retweeted
bohops
bohops@bohops·
[Blog] Abusing DCOM For Yet Another Lateral Movement Technique ....unsophisticated, but may have some utility wp.me/p7MIao-6H
English
2
94
172
0