Reverse Engineering, IR, InfoSec. Also huge RPG guy. Elder of the Internet. Tweets and opinions are my own and not the views of my employer.

Joined July 2008
Tyler Hudak retweeted
Been a long while since Story Time… I don’t know why this popped into my head, but perhaps there’s something in it someone will find helpful. So here goes
Recovering a Linux backdoor that is still running but was deleted off disk:
• Check the /proc/PID directory for the running process
• If recovered_exe is in it, that's the reconstructed executable. #linux #forensics #dfir
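The /proc trick from the tweet above, written out as an added example (my code, not the original post's). It walks /proc, uses the " (deleted)" suffix the kernel appends to the /proc/PID/exe link when the backing file is gone from disk to find such processes, and then copies the still-open image out through that link, hashing it for the evidence log. The proc_root and dest_dir parameters exist only so the functions can be pointed at a constructed tree; the function and output names are assumptions of this example, not anything from the page.

```python
import hashlib
import os
from pathlib import Path

# The kernel marks an exe link whose file was unlinked with this suffix.
DELETED_SUFFIX = " (deleted)"


def deleted_running_executables(proc_root="/proc"):
    """Return {pid: original_path} for processes whose on-disk binary is gone.

    Kernel threads have no exe link and processes we lack permission to
    inspect raise OSError; both are skipped. Run as root to see every process.
    """
    found = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():  # skip self, sys, net, ...
            continue
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue
        if target.endswith(DELETED_SUFFIX):
            found[int(entry.name)] = target[: -len(DELETED_SUFFIX)]
    return found


def recover_executable(pid, dest_dir, proc_root="/proc"):
    """Copy the process image out via /proc/PID/exe; return (dest_path, sha256).

    Opening the exe link works even though the original path no longer exists,
    because the kernel keeps the inode alive while the process runs.
    """
    src = Path(proc_root) / str(pid) / "exe"
    dest = Path(dest_dir) / f"pid{pid}.recovered"  # assumed naming scheme
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        for chunk in iter(lambda: fin.read(1 << 20), b""):
            digest.update(chunk)
            fout.write(chunk)
    return str(dest), digest.hexdigest()


if __name__ == "__main__":
    # Evidence directory is a placeholder; use your case's collection path.
    for pid, original in deleted_running_executables().items():
        out, sha = recover_executable(pid, "/tmp/evidence")
        print(f"PID {pid}: {original} -> {out} sha256={sha}")
```

Record the original path, PID and hash together: the copied file has no name of its own, so the readlink output is what ties the recovered binary back to what was deleted.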
On Aug 13 12 PM EST, I am presenting on MS Quick Assist and how we're seeing it used in attacks. More importantly, how to perform investigations and forensics on MSQA attacks. Register here: ow.ly/TvlR50WxW5A #DFIR #forensics
Today marks the official launch of the Inversion6 Incident Response (IR) team, and I couldn't be more excited! Ready to tackle challenges, protect, and respond like never before. Let’s go! #IncidentResponse #CyberSecurity #DFIR inversion6.com/resources/new…
Tyler Hudak retweeted
2 Nov 2024
In light of the Okta news, here are some statistics on 52 character usernames (or UPNs in Azure) I've enumerated in Azure, to give an idea of what makes a long UPN and how common they are. Out of 53 million UPNs I've collected, only 1438 individual UPNs are 52 characters (0.003%). Seems to be pretty rare, but could always be skewed based on my particular username lists. If a full UPN is considered, it's not just the traditional 'username' aspect that contributes to its length. The main cause of these long UPNs is that they are configured at their '[tenant].onmicrosoft.com' domain. 423 of 464 domains where UPN exceeded 52 were '.onmicrosoft.com' tenant domains. The most common username that contributes to long UPNs is 'administrator', being found in 64% of the domains. I've included the counts by length of the pre-domain usernames, and the domains, where the overall UPN was 52 chars.
Just in time for Oct31, we're thrilled to release our most anticipated scenario of the year -- Kevin Ross' lost classic "The House on the Promontory". Written back in the 1980s but unpublished until ... this all-hallows-eve. #OldSchoolLovecraftianRPG. drivethrurpg.com/en/product/…
This is my night
For those new to #DFIR, what skills do you feel you are missing? Working on a new training project, and looking for topics that would appeal to those new to the industry.
Our recent flurry of new scenario releases has prompted a few folks to ask us just how many Cthulhu Eternal scenarios now exist. The pics below show the cover of all the ones *we've* released. More info on each at cthulhueternal.com/our-scena… All available at drivethrurpg.com/en/publishe…
Just in time for the 134th Birthday of the 'old gent' from Providence, we've released another all-new Cthulhu Eternal scenario in PDF. "Fathoms Below" features a 1960s Cold War expedition to find lost Atlantis, & a homage to a certain tale about a temple. legacy.drivethrurpg.com/prod…
Can anyone recommend a good copy/scan color printer? Ours sucks (Epson). Bonus points if I don't have to buy a subscription to print.
So....anyone fuzzing all the config update files from other EDR vendors to see who else can be crashed?
Very excited to have received these today from @chillcryptworld! #ttrpg
I recommend reading this thread as it gives some great insight and stories into incidents. #DFIR Also, the current top comment on there is freaking incredible! reddit.com/r/sysadmin/commen…
Hot take. Am I wrong on this?
Note that inference may have to occur. For example, it's unlikely to find direct evidence of copying data to a USB. Instead, you may see the access to a filename of leaked data on a USB drive letter.
Also, there are MANY ways one can grab data without leaving a trace. Taking a photo with their phone, for example. Many more avenues can be explored too, depending on where data was stored (e.g. M365, Salesforce, ❄️)
I can't number apparently. 7 should be 6. :)
7. Try and correlate timeframes around when files/data of interest was accessed and potential exfiltration.