
Ransomware Playbook: Illuminating Artifacts for Enriched Analysis

BSides Augusta · 44:06 · 101 views · Published 2023-10 · Watch on YouTube

About this talk
Ransomware attackers leave behind critical artifacts during reconnaissance, data staging, and exfiltration phases. This talk explores key forensic artifacts—including shell bags, USN Journal, and system resource monitoring—that enable defenders to reconstruct attacker methodology, quantify data loss, and develop effective incident response strategies.
Original YouTube description:
In the relentless battle against ransomware, comprehensive analysis is crucial for effective defense and mitigation. This talk aims to empower attendees with valuable insights and techniques to uncover critical artifacts and enhance their analysis efforts against ransomware attacks. During this session, we will explore the key artifacts left behind by ransomware operations, shedding light on their significance in the analysis process. Attendees will gain a deeper understanding of ransomware techniques commonly employed by threat actors. By leveraging the techniques we will discuss, attendees will be able to extract deeper insights from artifacts and gain a more comprehensive understanding of ransomware operations. By attending this session, security professionals will enhance their ability to analyze ransomware attacks, identify indicators of compromise, and develop effective mitigation strategies. The knowledge and techniques shared will enable attendees to illuminate the hidden artifacts within ransomware operations, leading to enriched analysis and improved incident response capabilities.
Transcript [en]:

All right, it's 12:30, so we're going to get started back up so we can keep everything moving forward. Thank you, hope you enjoyed your lunch. I made the announcement before lunch, but I haven't heard of anybody collecting it, so if you're missing an iPhone, they did find one; it's at the registration desk. I have the distinct privilege to introduce our next speaker, Mr. Fernando Tomlinson. Sorry, I can't talk. He will be speaking on Ransomware Playbook: Illuminating Artifacts for Enriched Analysis. I appreciate everybody being here, and I will turn it over to Mr. Fernando. Thank you.

All right, I just want to make sure everybody can hear me. Perfect, in the back. All right, so let's get into this. So, a little bit about myself: Fernando Tomlinson, as he mentioned, technical manager at Mandiant, a subsidiary company of Google. Prior to that, retired US Army, right here from the home of cyber: cyber warrant officer, signal warrant officer, a couple of tours to Afghanistan. Did a lot of great stuff while serving; if you go to Army Cyber you'll probably see a room that's associated with me. But nonetheless, also an adjunct cybersecurity professor teaching a number of cybersecurity-related topics. It's an opportunity for me to give back, because I didn't start here. I had people that were in front of me, which I could see, learn from, gain insights from, to kind of help build me up, so I think that's incredibly important to be able to do that for others. Myself and a few other people, namely Pete the Georgio, who you see out there, and another guy, Alex Durus, run a platform called Under the Wire, a training platform helping people learn and really get comfortable with the language of PowerShell. We were joking the other day: we started that back in 2015, and here we are in 2023. It started in the parking lot of a building on MacDill Air Force Base off the CD, and now it's grown expeditiously. And a number of sites associated with me all over the web, but enough about me, because that's not what you're here to hear me talk about. You're really here to hear me talk about ransomware.

So let's start with some stats. If you're not familiar, Mandiant produces what they call an M-Trends report, and they produce this every year. The one that recently came out a couple of months ago was for the year 2022, and what we've noted, based upon the analysis and investigations that we've done, is essentially 70% of the ransomware cases we have, the entity was notified by an external source; 30% of those entities were notified from an internal source. What's

really intriguing, or maybe a little bit comical in some respect, is another number that I don't have up here: of that 70% that was external notification, a decent amount of that was the threat actor notifying the client, which is a little bit more concerning in some respect. But looking at who's impacted here, we could look at another publication, and this is coming from our friends over at the FBI, from their Internet Crime Report. When we look at all of the defense industrial base, there were 16 sectors that were impacted by this, and really for the year 2022, over 2,300 complaints to the FBI, cases if you will, that were associated with ransomware. Now that should seem like a lot to you, but the more staggering number is the number that we don't know about, and that is the true cases that have taken place where people don't report it. Maybe they've reached out to a Mandiant, maybe they've reached out to another company, maybe they've suffered in silence, for lack of better words, and tried to get over it as quickly as humanly possible. That number is more staggering. Also, this is really talking about the US; it isn't talking about other entities around the world. This ransomware pandemic, or epidemic, however you want to look at it, isn't just a US problem; it's a world problem, if you will.

So these actors are some of the most heartless people I've ever seen in my life. They could care less about what you are going through and what your organization is going through, and they will hit you at any time; it doesn't matter what's going on. So here's an example where literally this is me. I took a little PTO; the best way to decompress here is to go to Vegas. So my wife and I literally just landed, I turn my phone on, and I ended up picking up a ransomware case for a rather large company. Obviously I can't talk about it here, but I had to take a break, sit down, and actually gather what was going on and start that investigation. Now, this is not within the last 45 days, so, you know, some of you have seen the news and stuff, and it has nothing to do with that. No, it does not; it was not a local company in Vegas. But I shared this photo, one because my wife was not happy and she snapped it, but two, I think it captures a lot. One, it captures the company; two, it captures Vegas. But really I'm trying to highlight that these actors, they don't care, and when you're in this field, as a firefighter if you will in the digital sphere, you have a

responsibility to respond. Now, looking at these threat actors, some of them are a little bit more advanced than others, but largely speaking, the ground soldiers if you will, those individuals, they follow a playbook. Every now and then they may go off script, but for the most part they follow a playbook. And when we look at the playbook definition here from Webster, it's telling us that it's one or more plays in book form. All right, yeah, I think we got that. A notebook containing diagrammed football plays; I think we got that as well. A stock of usual tactics or methods. And really, when we rack and stack which ones are most applicable to what we're talking about today, it's really going to be three first, and then maybe two in some form or fashion, really maybe all three. Now, because we have realized that there is some form of playbook, we want to get a hold of the playbook. Well, where there's smoke there's sure to be some fire to follow.

So let's fast forward here to the Conti leaks. It was a bad time for them; it was a good time for us, because while they were going through their mess and things were starting to appear on the web, it was a great opportunity to confirm some of these hypotheses and thoughts that were already kind of flowing, if you will. And this is an actual manual. Now, it's been translated to English because it wasn't in English, but it speaks to really the process that one of their actors would follow as part of an overarching campaign. I mean, step one here, if you will: find the company's website. Why do we want to do that? Well, we want to figure out if the juice is worth the squeeze. Are we talking about a mom and pop that isn't going to be able to pay? Are we talking about a potential company that has, I don't know, DoD-level attention? Probably don't want to mess with that one either. We need to figure out how we get somewhere in the middle where it's worth our time and effort and there's some form of payoff. So let's do some research.

Now, further down in this manual is more information for us, more information that we can certainly glean from, and while I don't have the whole manual here, which I would recommend you go download, you can get it off a quick and easy Google search, just read over it. It's actually kind of entertaining, and some of it may look familiar to you based upon what you do in the world already. But a little bit further down we have a

portion where it's talking about uploading data, because the name of the game is double extortion, and in some respect triple, quadruple extortion. Gone are the days where an actor is just holding your environment for ransom and you'd pay a fine, or not a fine, you'd pay a fee if you will, and then be able to get a decryptor and get that information back, because people are starting to do backups, and that's debatable, but people are just less inclined to pay in some respect, organization dependent. So double extortion: I'm going to steal your data, and I'm going to either release it or sell it or whatever, and then that starts to get people's attention a little bit more. Now, in my experience I've seen still people don't want to pay for data that's been taken as well. But how does that data get out of the network? Well, there are a number of different platforms that have been observed by myself, colleagues, and really other people in this space that are notorious for data exfiltration, and even when we look at the Conti leak guide, it talks about using Mega uploads and it talks about rclone. And I don't know about you, but I've been in this space, either IT or cyber, for over 20 years now, and I haven't been in an environment yet where I've seen, in a legitimate manner, Mega or rclone used. Not to say that they aren't ever used legitimately; I would just bet my left pinky toe, because I think I could still walk without that, that if I were to see them in an environment there's a good indication that there's some maliciousness probably happening. So in the guide itself it is telling these actors that's what they should do, and it goes on and it names a couple more. As a defender, as a forensicator, as somebody who responds to these types of events, this is a gold mine. This is like the "welcome to the team" book, if you will.

So, fast forwarding a little bit, and again I can't stress how much you should probably look at that guide in its entirety and some of the other documents, but fast forwarding a little bit here, I think this quote is key: if a picture is worth a thousand words, then a video is worth a million. And the reason I bring this up right now is because, when we think about this, for those in this space, engagements, clients, what have you, they tend to reach out to you Friday afternoon, Friday evening. I think it's Monday something potentially happens, Tuesday they identify it, Wednesday, Thursday they try to figure

out what's going on, and then Friday it's like, oh yeah, we probably need to call somebody, and it's like Friday evening. But nonetheless, I was working a case where LSASS was being dumped. There was another instance where ntds.dit was being dumped, the Active Directory database. They called us in, and they had some technology that we were able to utilize to get some metadata off a machine. We tasked that technology to get that metadata for us so we could start analysis, and it was not retrieving that data in a timely fashion that we felt was indicative of a good platform, if you will. We talked to the client, we asked the admin, did he have a way to access this system in an abstracted way, to reduce really any potential harm, and he did. It was a virtual machine; they were able to use ESXi, log into that cluster, and then from a console perspective pull it up. So we wanted to get on Teams and share screens with him so we could help him understand what the problem was, so we could get the data. When we did this and he logged into ESXi and consoled in, somebody was already logged into the system, and we're like, do you guys use NetScan in your environment? He's like, what's that? Well, I know you don't use it, because nine times out of ten it's going to be something that a threat actor is using to be able to do recon in your environment.

So, me being the person that I am, I started recording. So for the most part this is a snippet, I tried to block out stuff that's not important here, of about three and a half hours where we were watching the threat actor live in the environment. I had never seen anything like this before; I've done a lot of things in my life. But I mean, they're using NetScan, which wasn't shocking because a lot of ransomware cases do that. They're looking for open shares, they're in here looking at particular users, changing passwords for a user, nltest dclist trying to figure out what trusts are out there in the environment, looking at group membership up above that's kind of blacked out. This is all standard TTP. Now, at the time we didn't know this was pre-ransomware, because all we had was the dit was being dumped, LSASS was being dumped, but we're watching this after, and we're watching it live, and there's no better evidence than this. Well, you said in the report that they did this and they did this, where's your evidence? Well, let me show you the video. So for three and a half hours we watched the actor do that. At some point in here we also watch the actor, up top there, top right, you kind of see top center, I have circled "pass": the threat actor was looking for files that contain the word pass. Why do you think he's doing that? Homie's looking for passwords. Do you think he found some? Well, there's a lot of things that came back that I blacked out. Now talk about an uncomfortable conversation, because the client is sitting here watching this live with us and they're like, oh, John Bob credit card information, why is that on there? I'm like, I don't know. What's funny to me, though, is the threat actor is skipping

over stuff like that. What he's looking for, or she, they are looking for, are particular passwords for a different network based upon a trust. So they're trying to laterally move, they're trying to establish their position in the environment, and as we talk about really the methodology and stages of a ransomware campaign, they were very early.

Now, fast forwarding upon this a little bit, again this whole thing is like three and a half hours, we see them lay down AnyDesk. AnyDesk is a legitimate tool used for remote access; you've probably seen me talk about AnyDesk in a previous talk at another time, but nonetheless they had a portable version of AnyDesk, they used it, they connected to the system via AnyDesk, and then they brought over a file called "ubvs doz", and really what that file is when expanded is a program called Universal Virus Sniffer, UVS. And when you look at this tool, one of these freeware-type tools, its claim to fame is that it will help you rid a system of rootkits. So on the surface level it seems like a tool that an admin, a defender, somebody would be able to utilize to get rid of rootkits on their system. Perfect. Well, let me show you what the threat actor was actually doing. We'll come back to what this looks like in here in a minute, but what the threat actor was doing was they were looking for security tools on the system, treating them like a rootkit, and they were neutering them. Well, that's not what the program is made for, but by golly, that's what the threat actor was doing, which really spoke to why we were not able to see the system and that security tool I mentioned earlier. We couldn't get the data that we were looking for because this threat actor was starting to neuter that communication to their security application, if you will. Now this comes up, and I'm not the smartest person in the room, but I venture to say that this is not an actor of US descent. If this is what I should have been doing in Vegas, putting it all on black 18: this is not an actor of US descent. So this was great, though, when it came time for report writing, because this was the biggest screenshot I could have ever done, with red arrows all over the place. But this isn't shocking; you start doing ransomware enough, you start getting a feel for some of these things, but watching the threat actor live was super enlightening for those three and a half hours.

Now, in the end, what's not shown after this is the threat actor started using

the admin who was helping us; he started using that person's account. And if there's ever a time where you might have felt violated, I think that's a time where you really feel violated. This person was an enterprise admin. We're watching this, it's all not really fun and games, it's never fun and games, but the threat actor opens the shell, runas, puts in this guy's thing. He's like, wait, that's me, he's using my stuff. He starts hyperventilating, like, really? All right. And he starts to cut this connection off from the threat actor. That's fine, we don't own the risk; that's a client decision. Threat actor knows something is now going on; threat actor skips steps five, six, seven and jumps straight to nine, which is really smash and grab if you will, and they launched their ransomware. That was the very moment we realized this was a ransomware case, and because we were right there on the ground of it actually happening, we were able to neuter that and the avenue in which they were able to get in. The impact to the business: three machines, one of which was a DC, that's neither here nor there; the business at large could still go on. Now that's a luck thing if you will, but really being able to identify some of the things that threat actors do on a regular basis was super key, and me and my co-workers still joke about that to this day. That was a Friday night, as you could have guessed.

All right, so looking at the methodology at large: this is a methodology, I wouldn't say this is the only methodology if you will. So all the way to the left we have the threat actor. They're going to get initial access some way, somehow. It could be through phishing, could be a zero-day; pick a zero-day out of this summer, it's been a hot zero-day summer for sure, or n-day at this point, because a lot of them are still legit in organizations because they're not updating, or what have you. Or what I've seen over the last 90 days with two cases I was working was an admin would be searching for a legitimate admin tool. They would go out to the web and download it; however, they were not downloading it from the legit place. One of them was a malicious Google ad that redirected him to a site hosting that binary; another one was a typosquatted domain that kind of looked like it. But nonetheless, when they downloaded that binary it gained a foothold in that environment, credentials were exfilled, and there was a period of time where the threat actor didn't do anything, and then they walked right back

in the door with the credentials, and it became a bad week. They're also going to look to compromise the domain. So how's that done? Well, they're going to try to get to the DC as quickly and as humbly possible to certainly dump the dit, dumping credentials along the way; that's where the credential theft actually comes into play. The other aspect is they're going to look to do reconnaissance: what else can I gain access to, be it from the perspective of gaining a foothold there or being able to identify potentially other networks that would be worthwhile. And we've seen some of that firsthand with NetScan, as you've seen in the video, and there are several other tools that are kind of like that, that provide the same capability and are notoriously used by threat actors. And then we get to the point of data discovery, data staging, and data exfiltration, and I circled it because that's where I'm going to focus a lot of the next part of our talk here. But they want to discover data, they want to stage it, and they absolutely want to exfil it. Why? Because that's the next part of that double extortion. I can't do the double extortion if I ain't got nothing to really threaten you with, if you will. And then after that there's some form of ransomware deployment, and then that's when it comes to light something's happened, and they can actually have that conversation about those forms of extortion that are definitely happening.

But let's focus on the three things that we have circled: discovery, staging, and exfiltration. This is not an all-inclusive list, but this is like a handy-dandy quick reference if you will of things that are useful for analysis and things that have been seen used by threat actors more regularly. Again, not at all an all-inclusive list; your mileage may vary based upon the threat actors that you're used to dealing with or the business sector in which you typically respond. From a data discovery perspective, all of those things that are listed, those are great artifacts for us to really understand a threat actor trying to discover some data, data staging, and then data exfiltration. So I'm not going to hit all of those data points up under them, I will hit a couple, but again, more often than not, great starting points that I've seen in my experience.

So, data discovery. I mean, I can't exfiltrate what I don't know exists, and really I need to figure out what's out there. So quite often we see the domain controller also being the file server; quite often we see open shares in the environment; people's

profile automatically being mapped to the file share itself. All of those things just make it very, very easy for the threat actor. So one of my faves here is shellbags. Essentially, threat actors are likely going to have some type of true interactive access, and as they're doing some of this data discovery and they're browsing around to folders, them accessing that folder is going to get written as a shellbag. So we can prove that they knew something was there, or prove that they actually looked at this. Quite often what comes up is, well, what in that folder was accessed? That's going to be a different artifact that we would look at, but we would be able to say this data that's in that folder, whatever it is, was exposed to the threat actor. Now the great thing about this too is, even if something doesn't exist anymore, be it they got rid of it or something else continued to happen on the system as part of normal admin activities, we could still use this to prove that it was there at some point. And it doesn't log every interaction, but we at least get the first one and the last one. So below we see a parsed snippet associated with it: we see the absolute path associated with a subset of directories, we see when it was actually created, the first and last interaction associated with it. So we're kind of off to a good starting point in regards to that.

Another one: jump lists and link files. Love it, love it. So now I'm a threat actor, I've browsed to a folder that says "handy-dandy secrets", and shellbags is going to help me capture that I did that, but now I see a couple of files in there that look pretty interesting based upon name. How will I know if they are something that I truly want? Well, I'm probably going to try to open them, and when we start to do stuff like that we'll be able to get some jump lists and link files associated with it. The great thing about this is we'll see threat actors create a new document, copy-paste their code or whatever they're using into that document, close it up, execute that, so then it starts to make it a little bit more difficult for us to really depict what's in there, but then they'll come back and delete it. Well, that's great, because when we have an actual link file we can prove that it existed, that it was opened; that's the link file. But within that link file we're also going to get a subset of other data. So, all right, this is essentially our Recent directory that's going to contain all our link files, and when I look at

the one that says .lnk, I know that that file existed. I can see when that link file was created, telling me when it was actually executed, but I can also look in that link file and I'll be able to get the target file size, so I'll be able to have an understanding of what the file size of the original file was. I'll be able to get the creation date associated with that, and we'll be able to get the path; even though it no longer exists, that link file is going to contain that data. So that's great; this is a forensic gem, particularly when we're looking at people trying to do data discovery. Now, I had this up a minute ago, and if you've ever seen a window similar to this, maybe you had your little taskbar down below, or your shortcut that's been pinned to it, and when you are able to hover over it, click over it, what have you, you see some of the recent stuff that shows up. All of that is a jump list: things that have been previously executed. Now, in that little shortcut menu if you will, for you that quick access, those are jump lists, and we can use that to also help with our data discovery efforts.

All right, let's look at some data staging. Notoriously, WinRAR. All right, this could either be from the perspective of them installing WinRAR or bringing a portable version. Generally, if they're going to bring a portable version, it's not going to be labeled WinRAR; they're going to do some other stuff associated with it. But they would utilize the command line for that portable version of WinRAR and not specify on the command line what files they want to add to the archive; instead they would put a list of files in a Word document and, through the command line, actually point to that file containing that list of files to compress. From our perspective, when they're not doing a portable version, we do have some artifacts in the registry for it, so we can depict essentially the archive history: what was the name of the archive, when it was created, and if for some reason they're looking at archives on the system and doing some extraction, we could be able to get that information as well. From a 7-Zip perspective we get something a little bit similar, and all of these things kind of shift slightly based upon the actual application. So we are able to depict what was actually archived, in the sense of what that actual file name is, the extraction file path, and we can also get the directories that were browsed from a 7-Zip perspective, and so our bottom screenshot is kind of showing that.

Never mind the actual blown-up-ness, if you will, of our characters there, but we can see from our ArcHistory that this last one that was actually compressed was backup.7z on the desktop. Now it'll continue to roll, if you will, or continue to add to that; there's a list of sorts, so it isn't just that it captures the last one associated with it. Makecab: I don't really see people using this a whole lot from a local perspective, but I put it up there. As you know, makecab is built into Windows, so we can make cab files, which are compressed files as well, and then also to expand those things, i.e. uncompress them, we can use another built-in Windows program called expand. Not a whole lot of great logging there, so we're really going to look to whatever we would use for any evidence of execution, any event logs of sorts that are associated with it. From a WinZip perspective we can get really a little bit more here, so we can get a list of the archives, the data associated with it, when it was browsed, when it was extracted; all of that great information is shown for us. And just looking at the artifact that we have shown before us, we're really looking at what archives were being created, and this is all within the registry.

So, USN Journal. This is probably one of my faves, between this and the MFT, which we don't talk about here. So USN Journal is going to be really our record of transaction records, if you will. So we're going to be able to see files and folders that were created, any updates associated with them, be it the file was renamed, the file was deleted, data was added to it, the file was closed. It is amazing. So USN Journal, the actual file name is $UsnJrnl; however, there's an alternate data stream of $J, and that's where the data is. If you're looking at $J on a system, you might note that it could be pretty small depending on the system you're looking at, but it's all about how that is being stored on the system, where it's a sparse file. But if it looks like it's only like 15 meg on the system, when you extract it it's going to be much larger than that. But what we're going to get out of that: we'll get the name and path, we'll get the reason for the change, as I mentioned, the time, and we'll be able to get the parent information as well. So what's interesting here is, when we look at this screenshot it

looks like the file name is secrets. text. right so essentially it was a DAT file that they tried to make look like a text file but do dat is still on there and the extension got picked up the other aspect effect is we have the entry number this is going to be the entry number of the mft the master file table and then there's a column where it shows like the parent entry number so that's going to allow us to understand um the parent associated with it all right so this last one data extration uh system resource utilization monitor I don't know if Mark's in here but Mark has a great tool to be able to

parse this I have a tool there's a number of people who who have also written tools but this is a great gem right this was really brought about in I want to say Windows 8.1 um and it's a part of a particular service dynastic policy and depending on the system we can get anywhere from 30 to 60 days of historical data there's a number of things that this is going to provide for us but the big thing that I generally look for look for in this actual artifact is to be able to understand bites out right so even looking at what we have as a snippet here uh we would have the computer because we're doing this at large we

would have the application in this case you see the application is called restic restic is a uh file synchronization data backup platform so we can see we have four instances of it running and this artifact it captures to the database every hour so within this hour of 1344 there were four instances of it running well when did they start this artifact isn't going to tell me it's just telling me within that hour it was running and within that hour we see a number of bytes out we see a number of bytes in so now as a forensicator doing this analysis I'm able to say yes restic executed we knew that there's other artifacts but in terms of what data was

exfilled, still working on that, but how much data was exfilled? Well, bytes out is like roughly 10.6 gigs, right? So that gives us a good measure to help really inform the client; it really postures us to help confirm, if you will. So, great artifact from a system perspective. Outside of something like this, to be able to understand the amount of data that went out we would be looking for NetFlow or something of the like, and that would not be on the system. So on the system this is an amazing artifact. rclone, I mean you've seen that in the playbook, this is notorious; you can literally sync to over 70 different platforms. This is a great

choice for threat actors because logging is disabled by default, which means they're not going to come behind and try to cut it back on. But the great thing about this is we do have a couple of artifacts that are useful for us. So that bottom image there, that is something similar to what they would use to upload data. You'll see circled it starts with the word copy, so they're going to copy from the system going up. There's also a sync, which would allow it to go both ways; this just allows it to go up. And then we note victim1, right? victim1 is just what do we want to call the folder on wherever we're uploading,

whatever that platform is, what do we want to call that folder. Right, now there is a config file that we reference, and that's the one right above it; that is going to contain our username and password and whatever the platform is. So in this case we see the user, right, so this is going to be on disk. We see the user, we see the password, and depending on the situation that's an ability to be able to understand that more, right? We can work with partners who have a little bit more jurisdiction to be able to go against that and prosecute it, right? Or, because Mandiant has seen a number of cases all over the world constantly,

threat actors typically don't, you know, make a new one, right? So we'll see people reuse stuff like this, and while this is not an exact email, I have worked a case where money was being taken and literally the username was just business. I won't tell you what domain it was against, but that just tells you these folks do not care, right? In their mind it's just business, and that's the way we should understand it. So WinSCP, two big things here: we can have our configuration stored in the registry, we can also have an INI file. Depending on how that's configured we're going to get two different sets of artifacts that we could use. We see

those things before us; both of those are really, really great for us. Threat actors who are not necessarily in the know would use this as an option; this is predominantly not a first go-to, if you will. megatools, my gosh, yes. So megatools contains a number of things that we would be interested in. So there's an INI file that we can dump as part of a cache, and that's what we're doing in this bottom image, you see it circled. So we're calling upon megals, that is the actual item, and then we are dumping the cache. In this cache we're going to get

the other two screenshots that are shown up above, right? And what we're going to see is we're going to see the credentials, but then we're also going to see what's contained in that instance of Mega, right, associated with those credentials. So the first circle in that middle image, we see that there was Q4 2023 projections; that's what's contained in there, right? Now that second circle, type zero, that's going to be an indication that it's an actual file; if it was one it would be a directory. And then right below that we're going to be able to get the size. So all of this is an artifact kind of left over when we know things

have been exfilled up to Mega. So, you know, I can really talk about this all day, stories on top of stories on top of stories; unfortunately I don't have that time and at some point you're going to want to go home. So how do we really get to a great place here? There's a couple of things that an entity could do. I wouldn't say any of these are going to be 100%, you're never going to have to deal with it, but these are things that are super helpful. Some of them may seem very cliche in the sense that yeah, yeah, I know we should be doing that, but I would tell you more

often than not entities are not doing it, or if they have implemented it they have no measure in place to know when those measures are no longer in place, right? On top of that there's a number of resources that are out there. So Mandiant, we have a containment and protection strategy guide, if you will, that talks about some of the things I just showed but other things more in depth, if you will; some of it actually tells you where you would need to make those changes and things of the like. And then our friends at CISA, they also have some great documentation up there, and of course the FBI as well. So

with that I'll pause here for any questions, and then I have a question for you all where I'm giving away something.

Yes.

Yeah, so the question, as I understood it from here, was: in cases that you worked with rclone, you've noted that the threat actor has deleted the config file. The real question is, do we have any recommendations in terms of being able to capture the config file before it gets deleted or when that action is invoked? And I do not, right, but I will say there's other things that we can do that could potentially help us. And from a consulting perspective every environment we go into is different. We know there's a chance that it's going to get deleted; there's going to be some great artifacts in memory if we can get to the system soon

enough. Once it gets deleted the pointer is removed, but we have a good chance of being able to carve it back; that's where a lot of my success has come from. If we're called in months later, well then those chances start to die down. Yeah, great question though.

Sir? Yeah, yeah, so I mean from the screenshot of their playbook earlier it was Cobalt Strike, right? So it's like, oh, they're using Cobalt Strike, well that could be every actor in the world, and the watermark is probably the same because it's a pirated version. So a lot of those start to bleed over in some respect. Where the true, you know, who is this comes into play is their actual ransomware that's running on the system and their note, right? So that's where it really starts, the point. But a great question.

Sir? The question is, have I seen a proliferation of Brute Ratel lately? I've seen it used, yes, it is being used more and more, yes. Great question. If you're not familiar with that platform you probably want to do a little research associated with it: Brute Ratel, B-R-U-T-E R-A-T-E-L, yeah, and then put the word C2 behind it. Okay, well let me ask my question then and then I'll step away here. So I have a Packet Squirrel, Nuts for Networks, for anybody who can tell me, please raise your hand, who can tell me the playbook that I had, what group was that leaked from? Sir, this is yours, you are the new

owner of a Hak5 Packet Squirrel, congratulations. All right, so with that I sincerely appreciate you taking the time to listen to me rant about kind of what I'm seeing. I'm going to go ahead and conclude. I'll step off to the side if anybody else wants to talk, that's cool, but thank you for stepping in.
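Editor's added example (not part of the talk, and not the speaker's or Mandiant's tooling): the USN Journal portion of the talk describes pulling name, change reason, timestamp, MFT entry number and parent entry number out of an extracted $J, and spotting a disguised double extension such as secrets.txt.dat. The script below parses raw USN_RECORD_V2 entries (the layout documented in winioctl.h) from a $J extract, skipping the zero runs that a sparse file leaves behind, and flags double-extension names. The journal bytes, file names and MFT entry numbers are constructed here for illustration; a real $J would be carved from the volume and fed to parse_usn_journal.

```python
"""Parse NTFS USN Journal ($Extend\\$UsnJrnl:$J) records as USN_RECORD_V2.

Editorial example; not code from the talk or any tool it mentions. The
journal bytes are constructed inline so the script runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

# Subset of USN_REASON_* flags from winioctl.h; unknown bits are kept as hex.
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# 60-byte fixed header: RecordLength, Major, Minor, FileRef, ParentRef, Usn,
# TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, NameLen, NameOff.
HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    # FILETIME is 100-ns ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


def split_ref(ref):
    # NTFS file reference: low 48 bits = MFT entry number, high 16 = sequence.
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reasons(mask):
    names = [n for bit, n in REASONS.items() if mask & bit]
    unknown = mask & ~sum(REASONS)
    return names + ([f"0x{unknown:08x}"] if unknown else [])


def parse_usn_journal(buf):
    """Walk a $J extract; returns one dict per record, in journal order."""
    records, off = [], 0
    while off + HDR.size <= len(buf):
        (rec_len, major, _minor, fref, pref, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        if rec_len == 0:
            off += 8  # $J is sparse; extracts carry zero runs between records
            continue
        if major != 2 or rec_len < HDR.size or off + rec_len > len(buf):
            raise ValueError(f"malformed USN record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_ref(fref)
        parent_entry, parent_seq = split_ref(pref)
        records.append({
            "usn": usn, "timestamp": filetime_to_dt(ts), "name": name,
            "entry": entry, "seq": seq,
            "parent_entry": parent_entry, "parent_seq": parent_seq,
            "reasons": decode_reasons(reason), "attrs": attrs,
        })
        off += rec_len
    return records


def double_extension(name):
    """True for names like secrets.txt.dat: a fake extension hiding a real one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and all(parts)


def find_double_extensions(records):
    return sorted({r["name"] for r in records if double_extension(r["name"])})


def build_record(name, entry, seq, parent, pseq, usn, when, reason, attrs=0x20):
    """Constructed test data only: pack one USN_RECORD_V2 padded to 8 bytes."""
    name_b = name.encode("utf-16-le")
    length = HDR.size + len(name_b)
    length += -length % 8
    hdr = HDR.pack(length, 2, 0, (seq << 48) | entry, (pseq << 48) | parent,
                   usn, dt_to_filetime(when), reason, 0, 0, attrs,
                   len(name_b), HDR.size)
    return (hdr + name_b).ljust(length, b"\x00")


# Constructed sample: a hypothetical staging folder (MFT entry 4096) receives a
# .dat disguised as .txt, then an archive; 16 leading zero bytes mimic sparse padding.
T0 = datetime(2023, 10, 2, 13, 44, tzinfo=timezone.utc)
SAMPLE_J = (
    b"\x00" * 16
    + build_record("secrets.txt.dat", 2157, 3, 4096, 1, 0x1000, T0, 0x00000100)
    + build_record("secrets.txt.dat", 2157, 3, 4096, 1, 0x1060, T0 + timedelta(seconds=2), 0x80000002)
    + build_record("victim1.7z", 2158, 1, 4096, 1, 0x10C0, T0 + timedelta(seconds=90), 0x80000100)
)

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_J):
        print(f'{r["timestamp"]:%Y-%m-%d %H:%M:%S}  usn={r["usn"]:#x}  '
              f'entry={r["entry"]}/{r["seq"]}  parent={r["parent_entry"]}  '
              f'{r["name"]:<18} {"|".join(r["reasons"])}')
    print("double extensions:", find_double_extensions(parse_usn_journal(SAMPLE_J)))
```

The parent entry number is what lets an analyst rebuild the staging path by joining against the MFT, and the reason flags separate a create from the DATA_EXTEND and CLOSE that show the file being written; the parser raises on a truncated or non-V2 record rather than silently returning partial results.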