I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Hal Pomeranz retweeted
You have learned the lesson twice now (I hope) how it feels to patch whatever is vuln to this nightmarish hellscape. Here's just a little voice to remind you to be documenting your process so it hurts less when you have to do it again later. There will always be a later...
Hal Pomeranz retweeted
The 2022 @DFRWS USA CFP is now open. This is a great venue to publish a peer-reviewed paper in an academic setting that understands the value of memory forensics and malware analysis. Please see the full details here: dfrws.org/dfrws-usa-2022-cal… #DFIR #infosec
Perhaps we'd do well to consider that discomfort as a human response to the moral weight of actions with consequences. Few important decisions in life are clear cut, devoid of weight or nuance. And we'd do well to face it head on rather than paper over it for 'business-as-usual'.
I am being bombarded with requests to join online expert witness directories (for the low, low monthly price of...). Are any of these useful for driving business? I am skeptical.
Hal Pomeranz retweeted
Rest in power, bell hooks.
Anyone looking for a SOC manager role? My company is hiring. Comp package is the best I’ve seen anywhere and the team is awesome. Some excellent talent to work with. DM me for details #infosecjobs #cybersecurityjobs
We have another session of @hal_pomeranz's course, "Linux Forensics," from Feb. 1-4, 2022! 10% of this course will be donated to @RuralTechFund! Check out what they do here: ruraltechfund.org/ Register for Hal's course here: antisyphontraining.com/linux… @Antisy_Training
PSA - The people who are actually working the problem don't give a crap how you pronounce #log4j
Hal Pomeranz retweeted
Don't know what an Azure Run Command is? Neither did I when we first stumbled on an attacker abusing this during a recent IR case. We wrote a short blog on these and what to look for if you're writing detections for your Azure VMs. mandiant.com/resources/azure…
Hal Pomeranz retweeted
This is fantastic research and gives some good insight into what's going on in the phishing ecosystem.
I promised I would write a report covering my phishing research in 2021. That report is now live: steved3.io/data/Phishing-202… Shout out to @AmandaFGoedde for helping me edit, as well as @ninoseki for making Miteru, and @urlscanio for creating an awesome tool to help defenders.
Kinsing cryptomining Linux malware has adopted #log4j to exploit new hosts. It is also bringing along a stealth rootkit to hide. In this article we go over what it is doing and how you can decloak it for incident response: sandflysecurity.com/blog/log…
You can also use these pipelines for other data sources. The "cat access.log | sed 's/.*"\([^"]*\)"$/\1/'" is how I'm extracting the user agent strings from the Apache log format. Everything after that is shell idioms you can apply to any data.
Encoded #log4j user agents are longer than normal user agent strings: "cat access.log | sed 's/.*"\([^"]*\)"$/\1/' | sort -u | while read str; do len=$(echo "$str" | wc -c); echo -e $len\\t"$str"; done | sort -n" Sort unique user agent strings by length, ascending
Looking for #log4j encoded user agents in Apache "combined" access log format: "cat access.log | sed 's/.*"\([^"]*\)"$/\1/' | sort | uniq -c | sort -rn" Histogram of all user agents in descending order (unique encoded user agents right above your shell prompt)
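The three user-agent pipelines from the tweets above, wrapped in shell functions and run over a small constructed access.log, as an added example that is not part of the original tweets. The log lines, IP addresses and the long "${placeholder:...}" user agent are constructed stand-ins, not real traffic; the only addition beyond the tweets is a grep for the "${" lookup prefix that log4j interprets.

```shell
#!/bin/sh
# Added example (not from the original tweets). Apache "combined" format puts
# the user agent in the last double-quoted field, which the sed below captures.

# Constructed sample log (documentation-range IPs; last line is a stand-in for
# an unusually long, lookup-style user agent, not a real payload).
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.10 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
203.0.113.11 - - [12/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 812 "-" "curl/7.68.0"
203.0.113.10 - - [12/Dec/2021:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
198.51.100.7 - - [12/Dec/2021:10:03:41 +0000] "GET / HTTP/1.1" 200 512 "-" "${placeholder:constructed-stand-in-for-an-encoded-lookup-string-far-longer-than-a-browser-ua}"
EOF

# Extract the user agent (last quoted field) from every line of the log.
user_agents() { sed 's/.*"\([^"]*\)"$/\1/' "$1"; }

# Hit count per user agent, most common first (the histogram pipeline).
ua_histogram() { user_agents "$1" | sort | uniq -c | sort -rn; }

# Unique user agents with their length, shortest first (the length pipeline).
# ${#str} replaces "echo | wc -c", which also counts the trailing newline.
ua_by_length() {
  user_agents "$1" | sort -u | while IFS= read -r str; do
    printf '%d\t%s\n' "${#str}" "$str"
  done | sort -n
}

# Longest unique user agent: the first place to look for encoded lookups.
longest_ua() { ua_by_length "$1" | tail -n 1 | cut -f2-; }

# Any user agent carrying the "${" prefix that log4j treats as a lookup.
lookup_uas() { user_agents "$1" | grep -F '${' | sort -u; }

ua_histogram "$LOG"
ua_by_length "$LOG"
```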
Hal Pomeranz retweeted
Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* java version as long as the classes used in the Serialized payload are in the application classpath. Do not rely on your java version being up-to-date and update your log4j ASAP!
Hal Pomeranz retweeted
Someone is angry #log4j
Hal Pomeranz retweeted
"as long as people write parsers and connect them to the internet, i'll have work." --anon
Interesting Log4j payload I discovered, simply omit the closing brace }, and now you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data. Had it work on a FANG target...
#log4j has resulted in many Linux system breaches. The Linux forensics cheatsheet below can find many of the artifacts post-compromise. If you want to automate all of this, you can get a free license of @SandflySecurity on our website.
Image version of the Linux Compromise Detection Cheatsheet for the PDF averse. #sandflysecurity #DFIR #threathunting
You want to see what LD_PRELOAD is set to? "grep -l LD_PRELOAD /proc/[0-9]*/environ | while read file; do echo $file:; cat $file | tr \\000 \\n | grep LD_PRELOAD; echo; done"
Haven't yet been seeing this with #log4j but be aware that LD_PRELOAD rootkits are circulating in the wild. Use of LD_PRELOAD is uncommon, so spot suspicious processes with "grep -l LD_PRELOAD /proc/[0-9]*/environ"
FYI recent malware uses LD_PRELOAD to hide behind legit exe paths. sansec.io/research/nginrat
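The LD_PRELOAD checks from the two tweets above, as an added example that is not part of the original tweets: the /proc/[pid]/environ walk is made a function that can be pointed at a constructed fake /proc tree (so it runs and tests offline), and it adds a look at /etc/ld.so.preload, the loader's system-wide preload list, which the tweets do not mention. The fake pids, the .so paths and the directory layout are constructed.

```shell
#!/bin/sh
# Added example (not from the original tweets). Live use on a host:
#   scan_ld_preload /proc ; check_ld_so_preload /etc/ld.so.preload

# Print the LD_PRELOAD entry from one NUL-separated environ file, or nothing.
ld_preload_of() { tr '\000' '\n' < "$1" | grep '^LD_PRELOAD='; }

# Walk <procdir>/<pid>/environ and print "pid<TAB>LD_PRELOAD=..." per hit.
# Environ files you cannot read (other users' processes without root) are skipped,
# so run as root when triaging a real system.
scan_ld_preload() {
  procdir=${1:-/proc}
  for f in "$procdir"/[0-9]*/environ; do
    [ -r "$f" ] || continue
    v=$(ld_preload_of "$f") || continue
    pid=${f%/environ}; pid=${pid##*/}
    printf '%s\t%s\n' "$pid" "$v"
  done
}

# /etc/ld.so.preload is honoured by the dynamic loader for every process; on most
# hosts it does not exist, so any content at all is worth explaining.
check_ld_so_preload() { [ -s "$1" ] && cat "$1"; }

# --- constructed fixture standing in for /proc and /etc ---
FAKE=$(mktemp -d); trap 'rm -rf "$FAKE"' EXIT
mkdir -p "$FAKE/100" "$FAKE/200" "$FAKE/etc"
printf 'PATH=/usr/bin\000HOME=/root\000' > "$FAKE/100/environ"
printf 'PATH=/usr/bin\000LD_PRELOAD=/tmp/constructed.so\000HOME=/root\000' > "$FAKE/200/environ"
printf '/usr/local/lib/constructed-preload.so\n' > "$FAKE/etc/ld.so.preload"

scan_ld_preload "$FAKE"
check_ld_so_preload "$FAKE/etc/ld.so.preload"
```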