Andre Pawlowski

1.3K posts


@sqall01

IT-security enthusiast. Maker. Member of @FluxFingers. Author of https://t.co/85TIT9L82u

Somewhere around my laptop. Joined January 2010
70 Following, 655 Followers
Andre Pawlowski retweeted
Andre Pawlowski @sqall01
Does anyone know a good resource to get detailed Linux malware reports (the behavior of the Linux malware on the host)? Any source I know focuses on Windows and just "googling" it gives me a lot of superficial (news) reports
Jason Lang @curi0usJack
I enjoy giving and watching presentations, and I pay close attention to the attributes of the ones I think are really good talks. My personal acronym for what makes a great technical talk is SPEED. If you want to improve your presentation game, this is for you. 🧵
Andre Pawlowski @sqall01
TIL: if you are searching for suspicious processes on a Linux host by looking if the /proc/<pid>/exe points to a deleted file, it can point to "/ (deleted)". Apparently the Linux kernel also spawns processes: uninformativ.de/blog/postings/…
Andre Pawlowski retweeted
Craig Rowland - Agentless Linux Security
Here is a quick way to find tainted Linux kernel modules that are not maliciously hiding: cat /proc/modules | grep \(.*\) Sample "malicious_module" is both out-of-tree and unsigned which would warrant a closer look.
Andre Pawlowski @sqall01
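The grep above only shows which lines of /proc/modules carry a taint field; the script below, an added example that is not from the tweet or from any project mentioned here, parses the table and spells out what each letter means, flagging modules that are both out-of-tree (O) and unsigned (E) as the ones that warrant a closer look. The sample table is constructed; the taint letters follow the kernel's tainted-kernels documentation.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/modules output (not a capture from a real host).
# Each line: name size refcount deps state offset [(taint letters)]
SAMPLE_PROC_MODULES = """\
ext4 778240 1 - Live 0xffffffffc0200000
nvidia 56692736 37 nvidia_modeset, Live 0xffffffffc0b2f000 (POE)
malicious_module 16384 0 - Live 0xffffffffc0a00000 (OE)
vboxdrv 512000 2 vboxnetadp,vboxnetflt, Live 0xffffffffc0500000 (O)
"""

# Per-module taint letters (Documentation/admin-guide/tainted-kernels.rst)
TAINT_FLAGS = {"P": "proprietary license", "F": "force-loaded",
               "C": "staging driver", "O": "out-of-tree", "E": "unsigned"}

_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<refcnt>\d+)\s+(?P<deps>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<offset>0x[0-9a-fA-F]+)(?:\s+\((?P<taint>[A-Z]+)\))?\s*$"
)


def parse_proc_modules(text: str) -> List[Dict[str, object]]:
    """Parse /proc/modules text into one dict per module; taint is a string."""
    modules = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        modules.append({"name": m["name"], "size": int(m["size"]),
                        "taint": m["taint"] or ""})
    return modules


def triage(text: str) -> List[Dict[str, object]]:
    """Explain each module's taint; out-of-tree AND unsigned => closer look."""
    findings = []
    for mod in parse_proc_modules(text):
        taint = str(mod["taint"])
        findings.append({
            "name": mod["name"],
            "taint": taint,
            "reasons": [TAINT_FLAGS[c] for c in taint if c in TAINT_FLAGS],
            "closer_look": "O" in taint and "E" in taint,
        })
    return findings
```

On a live host, pass `open("/proc/modules").read()` to `triage` instead of the constructed sample; a rootkit that hides its own entry from /proc/modules will of course not appear, which is exactly the caveat the tweet makes.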
@CraigHRowland A generalized "firewall" device for sure. However, if the manufacturer of the medical device would adopt this infrastructure setting and build the "firewall" themselves and place them in front of their medical devices as the infrastructure setup, it would be easier.
Craig Rowland - Agentless Linux Security
I have joked for years that in my nightmares I wake after an auto accident and look over to see my morphine drip has a Wifi enabled sticker on it. Reality is that medical devices can often not get updated or face FDA certification issues. There is a chicken and egg scenario.
Frank McGovern - INACTIVE @FrankMcG

You’re absolutely a bad person if you run any technology in public that disturbs things like medical equipment. However, I feel like we’re focusing solely on the bad person and not enough or at all on the manufacturers that have their devices so insecure that this even works.

Andre Pawlowski @sqall01
@CraigHRowland I have heard of research in the field that tried to place some kind of gateway before the network connection of the medical device as a "firewall" kind of thing. So you can still upgrade the "firewall" without breaking your FDA certification. But this was years ago...
Craig Rowland - Agentless Linux Security
You get medical gear FDA certified to perform as expected. They want that software version to be the same because that's how it was tested. And really I get it. I don't want hotfixes being tossed onto the X-ray gear willy nilly. How to thread the needle?
Andre Pawlowski @sqall01
What are Linux process environment variables you should take a closer look into if you find them for processes on your system? I currently have in mind:
- HISTFILE (=/dev/null)
- HISTSIZE/HISTFILESIZE (=0)
- LD_PRELOAD
- SOCAT_*
- SSH_C* (if ppid=1 => left-over process)
Andre Pawlowski @sqall01
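The checklist in the tweet above, turned into a small triage function as an added example (not the author's code): it parses the NUL-separated contents of /proc/<pid>/environ and reports each of the listed variables with the reason it is worth a look, including the ppid=1 condition for SSH_C* variables. The environ bytes, the library path and the client address are constructed sample data.

```python
from typing import Dict, List

# Constructed /proc/<pid>/environ contents (NUL-separated), not a real capture.
SAMPLE_ENVIRON = (b"HISTFILE=/dev/null\0HISTSIZE=0\0LD_PRELOAD=/tmp/libx.so\0"
                  b"SSH_CLIENT=10.0.0.5 51234 22\0PATH=/usr/bin\0")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Split /proc/<pid>/environ into a dict; entries without '=' are ignored."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_env(env: Dict[str, str], ppid: int) -> List[str]:
    """Return one finding per variable from the checklist that is present."""
    hits = []
    if env.get("HISTFILE") == "/dev/null":
        hits.append("HISTFILE=/dev/null (shell history disabled)")
    for key in ("HISTSIZE", "HISTFILESIZE"):
        if env.get(key) == "0":
            hits.append(f"{key}=0 (shell history disabled)")
    if "LD_PRELOAD" in env:
        hits.append(f"LD_PRELOAD={env['LD_PRELOAD']} (preloaded library, verify it)")
    if any(key.startswith("SOCAT_") for key in env):
        hits.append("SOCAT_* present (process was spawned by socat)")
    # SSH_C* vars are normal under sshd; re-parented to init they indicate a
    # process that outlived its SSH session.
    if ppid == 1 and any(key.startswith("SSH_C") for key in env):
        hits.append("SSH_C* present with ppid=1 (left-over process from an SSH session)")
    return hits
```

On a live host, read `/proc/<pid>/environ` as bytes and take the ppid from the fourth field of `/proc/<pid>/stat`.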
It is back. Contribute if you can to this nice project. And good to see that @gynvael's health is up for doing side projects again :)
Hussein Muhaisen @husseinmuhaisen

Come contribute an article to @pagedout_zine Issue #3 is in the making. Stumbled upon something cool during your cybersecurity adventure? Nice! write a 1 pager about it. Any questions -- reply below 👇 More information regarding article submission: pagedout.institute/?page=writing.…

Andre Pawlowski @sqall01
@LiveOverflow Can you paste the link to the video with these comments? I am curious what kind of video it is.
LiveOverflow 🔴 @LiveOverflow
I very very rarely receive negative comments. But release one German video, and get the love of my neighbors 💏
Andre Pawlowski retweeted
Giuseppe `N3mes1s` @N3mes1s
Pitfalls of relying on eBPF for security monitoring (and some solutions) from @trailofbits. Very nice overview of the production problems you could encounter creating a security solution based on eBPF. And even some bypasses 😁 blog.trailofbits.com/2023/09/25/pit…
Andre Pawlowski @sqall01
@SandflySecurity I found it actually quite hard to do so without console commands. I wrote something in C# and got the file size directly (FileInfo) and read the whole file and counted bytes (File.ReadAllText). Result was: C# could read the file with the data hidden by reptile 🤷‍♀️
Sandfly Security @SandflySecurity
Sandfly easily de-cloaks Reptile and other stealth rootkits on Linux. Our free version will find these problems instantly without loading endpoint agents on your Linux fleet. Get a free license today at our website.
Craig Rowland - Agentless Linux Security @CraigHRowland

Here's how to use simple Linux command line tools to investigate and de-cloak Reptile stealth rootkit and others like it. grep . /etc/modules dd count=10000 bs=1 if=/etc/modules 2>/dev/null cat /etc/modules | wc -c

Andre Pawlowski retweeted
Craig Rowland - Agentless Linux Security
Finally, check that the kernel and filesystem byte counts match. Feeding the file through a simple "wc -c" command will count the bytes the filesystem thinks is present. If these values don't match, something is hiding. cat /etc/modules | wc -c
Andre Pawlowski retweeted
Jose Enrique Hernandez @_josehelps
Hey, infosec brains trust! 🧠 Ever felt like you're juggling digital chainsaws? 🪚💻 I've been in the trenches with: 🔹#LOLBAS 🛠️: Your multi-tool for Windows. A treasure trove of Binaries, Scripts, and Libraries that adversaries may use to live off your land. 🔹#GTFOBINS ⚙️: Your field guide to Unix binaries, masterfully navigating through airtight local security restrictions. 🔹#LOLDRIVERS 🚀: A rogues' gallery of Windows drivers, exploited by adversaries to bypass security controls and wreak havoc. These projects are more than just a catalog for abuses of the OS; they're a rich wellspring of intel and detection enrichment. 📚🔍 I'm curious, have you spun these into threat detection tools (sigma rules) or defenses? How did you automate the data collection process from these projects? The million-dollar question 💰: Have you rolled up your sleeves and used all the LOL resources in lolol.farm by @br0k3ns0und, or just cherry-picked a few? 🔄🔒 #DefenseDIY #InfoSecJugglers #LOLBinLife