I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Daily Linux Forensics Trivia #19 - What data can you find in $HOME/.lesshst?
Trivia Answer #18 - @MalwareJake points out that determining attacker intent is always difficult, but known_hosts files plus SSH keys (id_* files) are useful for attempts at lateral movement. Enabling the HashKnownHosts option and using strong pass phrases on keys slows attackers
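An added example (not from the tweet thread) showing the defender's side of the known_hosts point above: what a plaintext entry gives away versus a HashKnownHosts entry, and how to audit a file for unhashed destinations. The known_hosts text, the host names, the fixed salt and the key material are all constructed placeholders; the hashed-field format (HMAC-SHA1 keyed with a 20-byte salt, both base64, prefixed "|1|") is OpenSSH's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample values; the key is a placeholder, not real key material.
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL00000000000"
FIXED_SALT = b"\x01" * 20  # constructed so the sample is deterministic; ssh uses random bytes


def hash_host(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the '|1|<salt>|<mac>' host field OpenSSH writes when HashKnownHosts=yes.

    mac = HMAC-SHA1(key=salt, msg=hostname); salt and mac are base64 encoded.
    """
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a hashed host field corresponds to hostname (the lookup ssh performs).

    A hashed entry can only confirm a name you already know; it cannot be
    reversed into a list of destinations.
    """
    parts = host_field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def audit_known_hosts(text: str) -> Dict[str, List[str]]:
    """Split a known_hosts file into plaintext and hashed host fields.

    Plaintext fields are the ones worth flagging: they spell out every host
    (and IP) the user has connected to.
    """
    plaintext: List[str] = []
    hashed: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        host_field = fields[0]
        (hashed if host_field.startswith("|1|") else plaintext).append(host_field)
    return {"plaintext": plaintext, "hashed": hashed}


# Constructed known_hosts: one plaintext entry, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "db01.corp.example,10.0.0.5 " + FAKE_KEY,
    hash_host("jump.corp.example", FIXED_SALT) + " " + FAKE_KEY,
])

if __name__ == "__main__":
    report = audit_known_hosts(KNOWN_HOSTS)
    for field in report["plaintext"]:
        print("unhashed entry reveals destination:", field)
    for field in report["hashed"]:
        print("hashed entry matches jump.corp.example:",
              host_matches(field, "jump.corp.example"))
```

Run it over a real ~/.ssh/known_hosts to see how many destinations an unhashed file lists outright; the hashed entries only answer yes/no for a name you supply.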
I find it interesting that after a period which has seen widespread labor activism, US monetary policy seems to be driving recession and unemployment. Almost as if somebody were trying to scare labor into submission.
When one door closes, many more open. Who needs #DFIR talent? Get ahold of @4n6lady before somebody else does!
I quit my job today.
Hal Pomeranz retweeted
Don't try to boil the ocean when it comes to cybersecurity. Nothing will ever get 100% implementation, you'll be missing coverage even if it does, and there's always work left to do. Just ask: did I move the ball forward today? Every little bit helps.
Daily Linux Forensics Trivia #18 - During an IR you find a script used by the attackers that is gathering known_hosts and id_* files from user $HOME/.ssh directories. What would the attacker use these files for?
Trivia Answer #18 - “Members of group ‘wheel’ may, on any system, as any user, run any command.” In other words, unlimited Sudo access to all members of group wheel. Group membership may be via a user’s default group in /etc/password or via the “wheel” entry in /etc/group.
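An added example (not from the tweet thread) that resolves the answer above into a list of accounts: it reads which groups sudoers grants rules to ("%group" user specs), then resolves effective membership the way the answer describes, explicit members in /etc/group plus anyone whose primary GID in /etc/passwd is that group's GID. The passwd, group and sudoers contents are constructed samples; the sudoers rule is written in the standard "%wheel ALL=(ALL) ALL" form.

```python
from typing import Dict, List, Set

# Constructed sample files. alice is in wheel only via her primary GID (10);
# carol only via the member list in /etc/group; bob is in neither.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:10:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:carol
bob:x:1001:
carol:x:1002:
"""

SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
"""


def sudo_groups(sudoers_text: str) -> List[str]:
    """Return the group names that sudoers user specs of the form '%group ...' refer to."""
    groups = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if line.startswith("%"):
            groups.append(line.split()[0][1:])
    return groups


def group_members(group_name: str, passwd_text: str, group_text: str) -> Set[str]:
    """Effective membership: /etc/group member list plus primary-GID users from /etc/passwd."""
    gid = None
    members: Set[str] = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group_name:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is None:           # group not defined; nobody can be in it
        return members
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[3] == gid:
            members.add(fields[0])
    return members


def sudo_via_groups(sudoers_text: str, passwd_text: str, group_text: str) -> Dict[str, Set[str]]:
    """Map each sudoers group to the accounts that inherit its rules."""
    return {g: group_members(g, passwd_text, group_text) for g in sudo_groups(sudoers_text)}


if __name__ == "__main__":
    for group, who in sudo_via_groups(SUDOERS, PASSWD, GROUP).items():
        print("%%%s grants sudo to: %s" % (group, ", ".join(sorted(who))))
```

Point it at the real files during an IR and the primary-GID path is the one that is easy to miss: a user with no entry in the wheel member list still has full sudo if field four of their passwd entry is wheel's GID.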
I’m just going to put this out to the universe. I would love to find a training partner that would help me bring my Linux Forensics training to Japan.
Easy choice. Good cause.
Thank you to @hal_pomeranz for choosing @RuralTechFund for his donation from his "Linux Forensics" and "SELinux – Necessary and Not Evil!" classes!
What scripting language have I used most in my career (counting number of different projects, rather than lines of code)? It’s SQL by a mile.
My office-mate snores
Daily Linux Forensics Trivia #17 - Explain this configuration from /etc/sudoers: "%wheel ALL : (ALL) ALL" [and don't forget to sign up for my 2-day Linux Forensics training at wildwesthackinfest.com/deadw…]
Trivia Answer #16 - EXT4 uses 48-bit block addresses. Apparently the developers were concerned that 64-bit addresses would result in file systems that were so large that they could potentially not be fsck-ed in a reasonable amount of time.
Daily Linux Forensics Trivia #16 - How many bits are block addresses in EXT4?
Trivia Answer #15 - The typical Syslog log timestamp is "Mon dd hh:mm:ss", e.g. "Sep 21 7:49:34". The regex "[A-Z][a-z]{2} +[0-9]+ +[0-9]+:[0-9]{2}:[0-9]{2} " matches this pattern and is effective at finding old/deleted log entries in unallocated.
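An added example (not from the tweet thread) that runs the regex from the answer above over raw bytes the way you would over unallocated space: it reports the offset and text of each line that starts with a Syslog-style timestamp, and goes one step further than the tweet by optionally requiring a real month abbreviation so that random capitalised text does not count. The "unallocated" blob is constructed inline and the hostnames, PIDs and messages in it are made up.

```python
import re
from typing import List, Tuple

# The regex from the trivia answer, as a bytes pattern so it can run over raw disk data.
SYSLOG_TS = re.compile(rb"[A-Z][a-z]{2} +[0-9]+ +[0-9]+:[0-9]{2}:[0-9]{2} ")
MONTHS = {b"Jan", b"Feb", b"Mar", b"Apr", b"May", b"Jun",
          b"Jul", b"Aug", b"Sep", b"Oct", b"Nov", b"Dec"}


def carve_syslog(blob: bytes, max_line: int = 1024,
                 require_month: bool = True) -> List[Tuple[int, str]]:
    """Return (offset, line) for every Syslog-style line found in blob.

    A hit runs from the timestamp to the next newline (capped at max_line
    bytes) and is kept only if it decodes as printable ASCII, which drops
    timestamps that happen to sit in front of binary data.
    """
    hits: List[Tuple[int, str]] = []
    for m in SYSLOG_TS.finditer(blob):
        if require_month and m.group(0)[:3] not in MONTHS:
            continue
        start = m.start()
        end = blob.find(b"\n", start, start + max_line)
        if end == -1:
            end = min(len(blob), start + max_line)
        try:
            text = blob[start:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if not text.isprintable():
            continue
        hits.append((start, text))
    return hits


# Constructed stand-in for a chunk of unallocated space: binary filler,
# two deleted log lines, and one capitalised line that the bare regex
# also matches but that is not a Syslog timestamp.
UNALLOCATED = (
    b"\x00\x00\xff\x13" * 8
    + b"Sep 21 07:49:34 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2\n"
    + b"\x7fELF" + b"\x00" * 16
    + b"Zzz 99 11:22:33 looks like a timestamp but is not a month\n"
    + b"Sep 22 00:00:01 web01 CRON[3120]: (root) CMD (run-parts /etc/cron.hourly)\n"
    + b"\xff" * 12
)

if __name__ == "__main__":
    for offset, line in carve_syslog(UNALLOCATED):
        print("%8d  %s" % (offset, line))
```

For a real image, read the unallocated blocks in chunks (e.g. via blkls output) and call carve_syslog on each; the offsets then let you go back to the exact block a recovered entry came from.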
When life gives you leftover rice, make rice pudding
Hal Pomeranz retweeted
It is not the tool, but the examiner that does the forensics. #DFIR #infosec #digitalforensics
Hal Pomeranz retweeted
How to Detect and Prevent impacket's Wmiexec crowdstrike.com/blog/how-to-… >> Great set of forensic artifacts detailed for tracking Impacket attack tools
Daily Linux Forensics Trivia #15 - Write a regular expression to match traditional Syslog-style logs in unallocated blocks.
Trivia Answer #14 - Standard log rotation happens weekly and four weeks of old logs are saved. So you could end up with anywhere from 28-35 days of logs online.