Chris Walker

75 posts


@exeron

Working on understanding the Linux threat landscape better. SOC, TH & IR for 10 years.

Joined September 2020
434 Following, 9 Followers
Chris Walker retweeted
Craig Rowland - Agentless Linux Security
I want to get to 4,000 followers. Anyone out there that likes reading about Linux forensics, intrusion detection and incident response want to follow, re-tweet and help me out?
Chris Walker @exeron
Testing the auditd config & auditd parser. The sample isn't holding back, a lot to unpack here - should be a good test! An image of the process tree - 1666 process events alone.
Chris Walker @exeron
I do this by never recording anything with a3 set to 0. This seems to be the majority of cases for file reads. Whereas most other interesting activity has some kind of mode set in a3. I need to do more testing, add some defeats and probably look at some a2 masks for reliability.
Chris Walker @exeron
I took a few weeks break from this. I'd noticed that recording syscalls such as "creat" resulted in most actual file creates being ignored. I've come up with an initial way to record open/openat syscalls that hopefully won't overload a system & be reliable.
Chris Walker retweeted
Kostas @Kostastsale
Today, me and @ateixei are releasing the EDR Telemetry project. This project aims to compare and evaluate the telemetry of various EDR products. ✅Introductory blog post: t.ly/9Ia3 ✅GitHub Repo: github.com/tsale/EDR-Tele… ✅Comparison Table: t.ly/HMht
Chris Walker @exeron
I've got the current, but early version of my auditd log parser library published into PyPI. Currently it can parse process (execve) and network connect events. It also attempts to add edges (GUIDs) to the events. github.com/exeronn/auditd… "pip install auditd-python-parser"
Chris Walker @exeron
Network events are now being parsed, mapped to the parent process GUID where possible and the parent commandline added when the GUID is successful. This should make mapping connections back to processes easier and the commandline should make investigating / detection easier.
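As an added example (not the author's auditd-python-parser library), here is the linking described in this post and in the earlier PyPI post: raw auditd records are grouped by event serial, each execve SYSCALL/EXECVE pair becomes a process record with a GUID and parent GUID, and a connect SYSCALL's SOCKADDR is decoded and mapped back to the process GUID and commandline. The sample records are constructed, and the GUID scheme (uuid5 over pid and timestamp) and the x86_64 syscall numbers are my assumptions, not the library's.

```python
import re, uuid
from collections import defaultdict

# Constructed sample auditd records (a shell, a child curl execve, its connect); not real log data.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1680000000.000:500): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1680000000.000:500): argc=1 a0="bash"
type=SYSCALL msg=audit(1680000000.100:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1234 uid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1680000000.100:501): argc=2 a0="curl" a1="http://192.168.0.1/"
type=SYSCALL msg=audit(1680000000.200:502): arch=c000003e syscall=42 success=yes exit=0 ppid=1000 pid=1234 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SOCKADDR msg=audit(1680000000.200:502): saddr=02000050C0A800010000000000000000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial ties records together
EXECVE, CONNECT, X86_64 = 59, 42, 'c000003e'          # syscall numbers are arch-specific

def decode_sockaddr(saddr_hex):
    """Decode the raw sockaddr hex from a SOCKADDR record; AF_INET only here."""
    raw = bytes.fromhex(saddr_hex)
    if int.from_bytes(raw[:2], 'little') != 2:  # sa_family is host (little) endian
        return None
    return {'ip': '.'.join(str(b) for b in raw[4:8]),
            'port': int.from_bytes(raw[2:4], 'big')}  # port is network byte order

def build_events(text):
    events = defaultdict(dict)  # serial -> {record type: fields}
    for line in text.splitlines():
        ts, serial = ID_RE.search(line).groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        events[serial][fields['type']] = dict(fields, ts=ts)
    processes, connections = {}, []
    for serial in sorted(events, key=int):  # serials increase in event order
        sc = events[serial].get('SYSCALL')
        if not sc or sc['arch'] != X86_64 or sc['success'] != 'yes':
            continue
        if int(sc['syscall']) == EXECVE:
            argv = events[serial].get('EXECVE', {})
            parent = processes.get(sc['ppid'])  # most recent execve seen for the ppid
            processes[sc['pid']] = {
                'guid': str(uuid.uuid5(uuid.NAMESPACE_OID, f"{sc['pid']}:{sc['ts']}")),
                'parent_guid': parent['guid'] if parent else None,
                'cmdline': ' '.join(argv[f'a{i}'] for i in range(int(argv.get('argc', 0))))}
        elif int(sc['syscall']) == CONNECT:
            proc = processes.get(sc['pid'])  # None if the execve was never recorded
            connections.append({'pid': sc['pid'],
                                'dest': decode_sockaddr(events[serial]['SOCKADDR']['saddr']),
                                'guid': proc['guid'] if proc else None,
                                'cmdline': proc['cmdline'] if proc else None})
    return processes, connections
```

Pid reuse is the obvious limitation: the lookup keys on pid alone, so a long-lived pid that is recycled before its next event will be linked to the wrong execve.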
Chris Walker @exeron
I'll look to open source my Python on my GitHub once it's no longer just janky Python in Jupyter.
Chris Walker @exeron
I've used this auditd config from github.com/Neo23x0/auditd… that @cyb3rops put together. To fully replicate the same data as SysmonForLinux I'll need to add a couple of lines to record all process events. This has a data volume impact, but allows for better process ancestry.
Chris Walker @exeron
Working on parsing auditd logs to both generate similar data to SysmonForLinux & anything additional it may record. I've initially focused on process events & will move to other data types shortly.
Chris Walker retweeted
ExaTrack @ExaTrack
An unknown 🐼 APT discovered by ExaTrack 🔥 Our team identified an implant and a rootkit targeting Linux systems. 🔎 We traced the infrastructure used by the attackers and analyzed their backdoors to share a blog post and 70 indicators (including 3 Yara rules)! blog.exatrack.com/melofee/
Chris Walker retweeted
Linux Handbook @LinuxHandbook
Quick Linux tip 💡 Easily find your gateway IP using the ping command!
$ ping _gateway
It's one of the hidden ping options and not many people know about it. Follow us @LinuxHandbook for more such Linux tips daily 🐧🙏
Chris Walker @exeron
I should probably take a look at auditd logs that are available and compare the telemetry to Sysmon, seeing if it's better at filling in the missing info in Sysmon. #Sysmonforlinux #Wine #Linux
Chris Walker @exeron
Most worthy of note is the Process Access event has some records in. It appears that unlike on Windows, you can have it enabled fairly widely - at least for a fairly vanilla install.
Chris Walker @exeron
For the fun of it I thought I'd try out Wine & see what the telemetry looked like (plus any blind spots for Windows malware to run in). The process create data shows the Wine server being created, but fails to link the process ancestry like htop does.