I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Hal Pomeranz retweeted
I was able to work with @hal_pomeranz in the past during an investigation and he knows his #dfir! This #infosec course will be well worth it! #hacking #CyberSecurity #cyber
I'm teaching Linux Forensics online in two weeks-- hope to see you there! web.cvent.com/event/a61be179…
Hal Pomeranz retweeted
Volatility 3 Linux ISF Server isf-server.techanarchy.net/ >> Over 1000 Linux kernel symbol files for use with Volatility 3 memory analysis. Maintained by @KevTheHermit
Hal Pomeranz retweeted
NOW ACCEPTING APPLICATIONS | Deadline 7/15 Ken Johnson Scholarship at the #DFIRSummit will provide: - Two SANS #DFIR classes - Mentoring from @_bromiley & @DAVNADS - Consideration for an internship - One DFIR Summit seat Learn more & apply here👉sans.org/u/1kYm
Hal Pomeranz retweeted
Ooh, this is sexy.
Want a quick & dirty (but supported by Microsoft) way to avoid #follina Office known payloads? Just disable "Troubleshooting wizards" by GPO > admx.help/?Category=Windows_… HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0 By CERT @banquedefrance
Hal Pomeranz retweeted
This only works because of the handler in HKCR\ms-msdt. If you delete this key, users will see the following if they open a payload document. Note that I haven't tested this to know other impacts but it absolutely prevents exploitation with known #msdt samples. 8/
Hal Pomeranz retweeted
Dear infosec: Sorry to barge in on your Memorial Day weekend, but if you're not following the msdt 0-day in MS Office you probably should be. I've validated it's working on my test systems and is trivial to exploit. First report here:
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. virustotal.com/gui/file/4a24…
HOW DID I MISS THIS? The way most folks tell me to look for timestomps isn't just wrong it's dead wrong and easy to see why. (0'ed out milliseconds is only done by SOME tools running w/ defaults) Here's an *awesome* post that shows better methods of timestomp indicators!
1\ How to detect file timestomping 👀 APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈 Did you also know it's possible to timestomp $FN time? 👇👇 BLOG & TL;DR BELOW 👇👇 bit.ly/3KsX1ua
Hal Pomeranz retweeted
1\ #DFIR: How to detect malicious clipboard use? TAs abuse clipboards to steal data / paste commands. Three artefacts you can analyse: > ActivitiesCache.db > Memory forensics > Clipboard history folder I break down how to do this in my blog👇 inversecos.com/2022/05/how-t…
Hal Pomeranz retweeted
This is so true. You may even come up with a better way to do things. Also don't let others keep you from trying. I've seen some people try to keep others from discovering new solutions. Ignore them and keep trying.
Things it took me too long to realize: Just because someone can do it better or faster, doesn’t mean I shouldn’t try.
Hal Pomeranz retweeted
I painted this literally dozens of school shootings ago. Hundreds of senseless deaths later
Hal Pomeranz retweeted
Florida high school class president Zander Moricz was told by his school that they would cut his microphone if he said "gay" in his grad speech, so he replaced gay with "having curly hair." I am in awe
Hal Pomeranz retweeted
Toptier cosplay👀
How exactly is the one time code you are sending me via SMS a security control if you ask me to give you the number to send it to and don’t do any verification that the number belongs to me?
Linux Forensics training in June!
June's just around the corner & we have great trainings coming up! Check out June's lineup of training courses in the graphic below. ⬇️ @Chris_Brenton @joff_thyer @jhamcorp @OrOneEqualsOne @hal_pomeranz @c1ph0r @C_3PJoe @ralphte1 @ustayready @InfoSystir antisyphontraining.com/train…
Hal Pomeranz retweeted
SMBeagle: Intro SMBeagle is an (SMB) fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written. All these findings are streamed out to either a CSV file or… dlvr.it/SQqDfZ #cyber #threathunting #infosec