Mission Impossible: Elite xz SSH backdoor used to access your network.
Mission Reality: Your org still has default accounts with easily guessed passwords all over.
Here I use @SandflySecurity agentless drift detection on Linux to rapidly find a compromised host. It works like the diff command, but against any Linux host to show you what is different in seconds. It's like magic for IR teams.
Does anyone know a good resource to get detailed Linux malware reports (the behavior of the Linux malware on the host)? Any source I know focuses on Windows, and just "googling" it gives me a lot of superficial (news) reports.
TIL: if you are searching for suspicious processes on a Linux host by checking whether /proc/<pid>/exe points to a deleted file, it can point to "/ (deleted)". Apparently the Linux kernel also spawns processes: https://t.co/tyPOavGVZs
Here is a quick way to find tainted Linux kernel modules that are not maliciously hiding:
cat /proc/modules | grep \(.*\)
Sample "malicious_module" is both out-of-tree and unsigned which would warrant a closer look.
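As an added example (not from the original post), a small POSIX shell helper that parses /proc/modules-format lines and spells out what each taint letter means instead of only grepping for parentheses; the sample lines, module names and function names are constructed for the demo.

```shell
# Constructed /proc/modules sample (not taken from a real host). Field layout per line:
#   name size refcount dependencies state address [taint flags]
# Taint letters: P proprietary, O out-of-tree, F force-loaded, C staging, E unsigned
sample_proc_modules() {
  cat <<'EOF'
ext4 917504 2 - Live 0x0000000000000000
xt_conntrack 16384 1 - Live 0x0000000000000000
malicious_module 16384 0 - Live 0x0000000000000000 (OE)
vendor_blob 56881152 0 - Live 0x0000000000000000 (POE)
EOF
}

# flag_tainted_modules: read /proc/modules-format lines on stdin and print
# "<name> <flags> <reasons>" for every module that carries a taint field.
flag_tainted_modules() {
  awk '
    $NF ~ /^\(.*\)$/ {
      flags = $NF
      gsub(/[()]/, "", flags)
      reason = ""
      if (index(flags, "O")) reason = reason "out-of-tree,"
      if (index(flags, "E")) reason = reason "unsigned,"
      if (index(flags, "P")) reason = reason "proprietary,"
      if (index(flags, "F")) reason = reason "force-loaded,"
      if (index(flags, "C")) reason = reason "staging,"
      if (reason == "") reason = "other-taint,"
      sub(/,$/, "", reason)
      printf "%s %s %s\n", $1, flags, reason
    }'
}

# count_unsigned_out_of_tree: modules that are BOTH out-of-tree and unsigned,
# the combination the post singles out for a closer look.
count_unsigned_out_of_tree() {
  flag_tainted_modules | awk '$2 ~ /O/ && $2 ~ /E/ { n++ } END { print n+0 }'
}

# Against a live host:  flag_tainted_modules < /proc/modules
# Demo on the constructed sample:
sample_proc_modules | flag_tainted_modules
```

Like the one-liner above, this only sees modules that are still listed in /proc/modules; a module that unlinks itself from the list will not appear.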
@CraigHRowland A generalized "firewall" device for sure. However, if the manufacturer of the medical device would adopt this infrastructure setting and build the "firewall" themselves and place them in front of their medical devices as the infrastructure setup, it would be easier.
@CraigHRowland I have heard of research in the field that tried to place some kind of gateway before the network connection of the medical device as a "firewall" kind of thing. So you can still upgrade the "firewall" without breaking your FDA certification. But this was years ago...
What are Linux process environment variables you should take a closer look at if you find them set for processes on your system?
I currently have in mind:
- HISTFILE (=/dev/null)
- HISTSIZE/HISTFILESIZE (=0)
- LD_PRELOAD
- SOCAT_*
- SSH_C* (if ppid=1 => left-over process)
Kunai is an open source sysmon "clone" developed in Rust and based on eBPF (cc @alexei_ast) that has just been presented at #hacklu https://t.co/ASRDqHNrIL
Come contribute an article to @pagedout_zine! Issue #3 is in the making.
Stumbled upon something cool during your cybersecurity adventure? Nice! Write a 1-pager about it.
Any questions -- reply below 👇
More information regarding article submission: https://t.co/v77SYCAjtF
Pitfalls of relying on eBPF for security monitoring (and some solutions) from @trailofbits
Very nice overview of the production problems you could encounter when creating a security solution based on eBPF. And even some bypasses 😁 https://t.co/kW432PoHYd
@SandflySecurity I found it actually quite hard to do so without console commands. I wrote something in C# and got the file size directly (FileInfo) and read the whole file and counted bytes (File.ReadAllText). Result was: C# could read the file with the data hidden by Reptile 🤷♀️
Here's how to use simple Linux command line tools to investigate and de-cloak Reptile stealth rootkit and others like it.
grep . /etc/modules
dd count=10000 bs=1 if=/etc/modules 2>/dev/null
cat /etc/modules | wc -c
Finally, check that the kernel and filesystem byte counts match. Feeding the file through a simple "wc -c" command will count the bytes the filesystem thinks are present. If these values don't match, something is hiding.
cat /etc/modules | wc -c
Hey, infosec brains trust! 🧠 Ever felt like you're juggling digital chainsaws? 🪚💻 I've been in the trenches with:
🔹#LOLBAS 🛠️: Your multi-tool for Windows. A treasure trove of Binaries, Scripts, and Libraries that adversaries may use to live off your land.
🔹#GTFOBINS ⚙️: Your field guide to Unix binaries, masterfully navigating through airtight local security restrictions.
🔹#LOLDRIVERS 🚀: A rogues' gallery of Windows drivers, exploited by adversaries to bypass security controls and wreak havoc.
These projects are more than just a catalog for abuses of the OS; they're a rich wellspring of intel and detection enrichment. 📚🔍 I'm curious, have you spun these into threat detection tools (sigma rules) or defenses? How did you automate the data collection process from these projects?
The million-dollar question 💰: Have you rolled up your sleeves and used all the LOL resources in https://t.co/u6tdIrcq8n by @br0k3ns0und, or just cherry-picked a few?
🔄🔒 #DefenseDIY #InfoSecJugglers #LOLBinLife