Notices by Fritz Adalis (fritzadalis@infosec.exchange)

@jeffowski @guyjantic
That kid wore the same clothes for like 30 years.

@wdormann @mimir He's referring to the Cyberdpm blog post linked in @GossiTheDog 's blog post. The Cyberdom one is AI generated and... wrong.

@GossiTheDog
Can you do anything other than prevent installation? Maybe a hard link to system32 could break the machine if it changes the perms. Maybe a toctou bug, watch the ntfs journal until the folder is there then replace with a hard link?

@wdormann @GossiTheDog @jernej__s
I wonder if it'll fail to install if iis is actually present, or present but moved to another drive.

It's my cat's 15th birthday!

#catuesday #cats #birthday

@RickiTarr @catsalad
https://en.wikipedia.org/wiki/Treet

@ryanc @cR0w @kajer
Pretty sure Microsoft's CA does this out of the box. This is why Microsoft always gets the best quadrant.

@Viss @briankrebs
Shits By Design is my new company name.

@GossiTheDog @paulsanders
It also still makes sense if you haven't played the game and only know it from memes.

Neighbor is out here pruning my tree.

#catsOfMastodon #NeighborCats #catsintrees

@SwiftOnSecurity
The IBM slide deck about computers making decisions.

@dansup @PixelFed @tinker
Why wait to make it open source?

@ryanc @jerry @shadownetworks @cR0w
Is this RFC 768 in the room with us right now?

@ryanc @jerry @shadownetworks @cR0w
UDP packets aren't even real.

KITTAY! That house is not for you!

#NeighborCats #caturday

@sj
Doesn't VLC use ffmpeg?

@ekis
They weren't stealing, they were playing short-necked plucked guitars.

Wondering if anyone else has seen this behavior.

We received an alert from MS Defender for Cloud that a suspicious IP had downloaded from a storage blob using a SAS token. It turned out that someone was misusing the SAS token feature and had sent the URL via email.

Since then, we've determined that every URL sent via email (O365) is being downloaded immediately by... someone. We brought in someone for IR but they haven't seen anything similar and we can't find a cause. We even set up two secops mailboxes (which are supposed to bypass all MS security) and sending an email between them still triggers the downloads.

The source IPs so far have all been in the US, and Spur tags most with "Oculus Proxy" and most ASNs are "Constant" or "HostRoyale". User agents match Chrome 125 or 131.

The only thing I've found online is complaints on Reddit about this causing a 100% click rate in KnowBe4. No real resolution there though.

We're thinking it's something automated/enterprise, but I want to be sure. Has anyone seen anything similar? TIA.

#threatintel #incidentresponse

@ekis
Maybe they're building the bunkers for all of us!

@ekis
We yearn to rise to mediocrity.