On the Trimarc Happy Hour today, we have @sk3w! When asked what he wanted to talk about, he said "writing red/blue tools (rust, kerberos mitm, network detection agents), guitar, mental health, career path, etc." OH HOW I HOPE HE CHOOSES "GUITAR"!
This month's Locksmith release finally introduces full ESC3 detections. Insecure Enrollment Agent templates and Client Authentication templates requiring signing by a single Enrollment Agent certificate will now be flagged. This closes the door on a pretty large hole in Locksmith's detections.
This release also marks a change in my role in Locksmith. I am refocusing my development time toward a new tool for finding and fixing issues in Active Directory-integrated DNS called BlueTuxedo. Until BlueTuxedo is released and gets stable, I will not be writing any new code for Locksmith.
But take a look at this month's release notes. You'll see @techspence and @SamErde are more than capable of running the show for a while. :D
@TheGibson Everyone in my org received an identical phishing link in the wee hours of Monday morning. Since I spotted the message before the majority of users had logged on, I decided to use a PowerShell script to delete all messages matching that subject line. I fired off the script and started my drive to work.
When I arrived in the office, I noticed the script was still running and was a bit confused. I'd used this script many times in the past; deleting a single message from all users' mailboxes should have been a quick affair.
But I did something wrong (still not sure what) involving wildcards. Instead of a single message being removed from all mailboxes, ALL messages were being deleted from ALL mailboxes. FAH.
I Ctrl+C'd that thing quickly and went into recovery mode. I was able to restore from a backup taken ~6 hours earlier. The only messages that were completely lost were those received between that backup and the time I started the recovery.
Thankfully, the script deleted messages from the newest mailboxes first. Since we'd just hired a bunch of seasonal workers who barely used their computers, there was almost no data loss.
Somehow, the game of telephone mangled "dude in IT fucked up" into "org was hacked", and the local media picked up the story. The local media contacted my boss' boss' boss for comment. She was completely unaware of the issue, so she called me late in the evening to ask me about the "hack" we'd suffered.
We’re at the vet. She climbed into the chair beside me when we first got here and moved onto my lap about five minutes ago. I think 40 lbs is over the “lap dog” limit.
I understand you are excited, but please stop trying to stuff my credentials into all the things. I haven't re-used a password in 10+ years, so all you are doing is reminding me of accounts I need to get rid of.
[REDACTED]’s husband - Bear's dad - Recovering sysadmin - ADSA Service Lead/Half a Developer at Trimarc - Forever student - Maintainer of Locksmith AD CS Remediation Tool - Developer of BlueTuxedo ADI DNS Remediation Tool - Whisk(e)y liker - College football fan (Go Blue!) - He/him