24 Followers
129 Following
54 Posts

Detection Engineer. Ostensibly.

Irony Engineer. Passionately.

People love me @redcanary. Probably.

(but they don't endorse my ramblings. Surely.)

Nobody:

Me: changes the language setting on networked storage to Russian to avoid them getting ransomed.

I can't take credit for the title, or for the talented writing. I just clicked the big, red, "this is evil" button. https://redcanary.com/blog/bitsadmin/
Diary of a Detection Engineer: Blown to BITSAdmin - Red Canary

The combination of the BITSAdmin tool with Veritas backup software pointed our detection engineers to an attempted ransomware attack.

Red Canary
Anthropic AI announced that their latest release has 2x fewer hallucinations. I played around with it this morning and I am pleased to say it has reached "random commenter on reddit, but like, one with insanely negative levels of karma to the point where you're pretty sure it's just a troll account" levels of trust. Which honestly is fun.

When you throw an exploit in the test environment but it’s actually prod.

My friends and I recently replaced "LOL" in our group chat with LAMP (laughing at my phone) and it improved every conversation 500 percent

I’ve noticed something when I meet a person. They ask what I do, I say cybersecurity blah blah, and their response is almost always one of the following:

1: Interesting, my company/school/church/city/bank got ransomed recently (they proceed to tell me about lost data, how painful it was, etc)

2: Oh cool, I use duck duck go

3: So, do you catch people watching porn a lot?

Detecting evil requires a baseline, right? So you know what’s normal in your environment and what’s unusual enough to warrant investigation.
But I’m curious, how granular do most organizations make their baselines? Do you know on a “per department” level who uses what software and what that stuff looks like on an endpoint and the network? Or is it per team? Per user, even?
Help me out, I’m trying to learn how deeply most orgs pay attention to what’s normal.

#DFIR fundamentals note to self (and others who could use the reminder):

For Windows, let's say you're looking through a list of service binaries to see if any have been popped.

You see one with a network connection and think, "found it!" but then you see that netconn is to localhost.

Don't shrug and say, "ah, must not be compromised then, the netconn is benign." Check the binary on the other side of that localhost connection. It's possible you have two malicious files. The service one talking on loopback to a second binary making the netconn to c2 (or another host, etc).
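As an added example (not part of the original post): a small Python check over constructed endpoint sensor records that follows a service binary's loopback connection to the process listening on the other end and reports that peer's own off-box connections. The NetConn schema, file names, ports and addresses below are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class NetConn:
    pid: int
    image: str          # executable path
    is_service: bool    # process runs as a Windows service
    direction: str      # "outbound" or "listen"
    local_port: int
    remote_ip: str      # "" for listeners
    remote_port: int    # 0 for listeners

def is_external(ip: str) -> bool:
    """True for addresses outside loopback and RFC 1918 space."""
    addr = ip_address(ip)
    return not addr.is_loopback and not any(addr in n for n in RFC1918)

def loopback_peers(conns):
    """For each service process connecting to localhost, find the listener on that
    port and return (service_image, peer_image, [(ip, port), ...]) per pair."""
    listeners = {c.local_port: c for c in conns if c.direction == "listen"}
    findings = []
    for c in conns:
        if not (c.is_service and c.direction == "outbound"
                and ip_address(c.remote_ip).is_loopback):
            continue
        peer = listeners.get(c.remote_port)
        if peer is None:
            continue  # nothing listening: sensor gap or stale record
        ext = [(p.remote_ip, p.remote_port) for p in conns
               if p.pid == peer.pid and p.direction == "outbound"
               and is_external(p.remote_ip)]
        findings.append((c.image, peer.image, ext))
    return findings

def suspicious_pairs(conns):
    # Only the loopback pairs whose peer also talks off-box.
    return [f for f in loopback_peers(conns) if f[2]]

# Constructed sample: a service relaying through a second binary to an outside
# host (flagged) and a service talking to a local database (not flagged).
SAMPLE = [
    NetConn(1204, r"C:\Windows\System32\updsvc.exe", True, "outbound", 49712, "127.0.0.1", 4444),
    NetConn(3300, r"C:\Users\Public\relay.exe", False, "listen", 4444, "", 0),
    NetConn(3300, r"C:\Users\Public\relay.exe", False, "outbound", 49720, "203.0.113.10", 443),
    NetConn(800, r"C:\Program Files\Vendor\agent.exe", True, "outbound", 49730, "127.0.0.1", 5432),
    NetConn(900, r"C:\Program Files\PostgreSQL\bin\postgres.exe", False, "listen", 5432, "", 0),
]
```

Run `suspicious_pairs(SAMPLE)` to get only the pair whose peer makes an external connection; `loopback_peers` returns both pairs so the benign one can still be reviewed.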

I’m here because of @hacks4pancakes.
I mean, I passed all my SANS certs thanks to her blog so I figured, listening to her hasn’t failed me yet

Who's good at writing killer Carbon Black Response and Microsoft Defender queries? I'm looking for new resources for more complex searches beyond the docs