I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
I’d like to see more work around turning audit events into actionable intel. Translate a stream of raw audit logs into “pane of glass” alerts like “webshell executed” or “unexpected/unauthorized privilege escalation” etc.
All of these suggestions will need to be tested and tuned, but I think it’s an interesting starting point.
Replying to @MalwareJake
insmod, modload, lsmod, rmmod
Replying to @MalwareJake
Any command line containing “/dev/tcp/<anything>”
Replying to @MalwareJake
Interesting question: will auditd log the leading spaces if the attacker tries to put space at the beginning of a command-line to avoid history?
Replying to @MalwareJake
chsh, usermod; export HIST<anything>; running commands from non-standard bin dirs (e.g. /tmp, /dev/shm)
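The detection ideas collected in this thread (/dev/tcp/ in a command line, kernel-module tools, chsh/usermod, HIST* assignments, execution out of /tmp or /dev/shm), turned into working logic over auditd execve records. This is an added example, not code from the thread, from auditd or from any of the people posting; it assumes an execve audit rule such as `-a always,exit -F arch=b64 -S execve -k exec` is loaded, so every exec yields a SYSCALL record (exe=, auid=) and an EXECVE record (a0..aN) sharing one serial. The sample records are constructed, /var/tmp and the alert names are my additions, and the hex-decoding step handles the arguments auditd encodes that way because they contain spaces. On the leading-space question: argv is what the kernel saw at execve, after the shell has already parsed the line, so whitespace typed in front of a command (a HISTCONTROL matter) never reaches auditd; the same goes for builtins like `export` typed at an interactive prompt, which only show up here when passed through something like `bash -c`.

```python
"""Turn raw auditd execve records into a handful of 'pane of glass' alerts.

Added example, not code from the thread above. Assumes an execve audit rule
(e.g. `-a always,exit -F arch=b64 -S execve -k exec`) is loaded, so each exec
produces a SYSCALL record (exe=, auid=) plus an EXECVE record (a0..aN) that
share one serial number.
"""
import os
import re
from collections import defaultdict

# Constructed sample records, not real captures. Events 1002 and 1005 carry an
# argument that auditd hex-encodes (no quotes) because it contains spaces.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1599580000.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2211 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1599580000.101:1001): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1599580005.202:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2230 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1599580005.202:1002): argc=3 a0="bash" a1="-c" a2=62617368202D69203E2F6465762F7463702F31302E302E302E352F3434343420303E2631
type=SYSCALL msg=audit(1599580010.303:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2241 auid=1000 uid=0 comm="insmod" exe="/usr/sbin/insmod" key="exec"
type=EXECVE msg=audit(1599580010.303:1003): argc=2 a0="insmod" a1="/tmp/rk.ko"
type=SYSCALL msg=audit(1599580015.404:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2250 auid=1000 uid=1000 comm="miner" exe="/dev/shm/.x/miner" key="exec"
type=EXECVE msg=audit(1599580015.404:1004): argc=1 a0="./miner"
type=SYSCALL msg=audit(1599580020.505:1005): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2260 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1599580020.505:1005): argc=3 a0="bash" a1="-c" a2=6578706F7274204849535446494C453D2F6465762F6E756C6C
type=SYSCALL msg=audit(1599580025.606:1006): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2270 auid=1000 uid=0 comm="usermod" exe="/usr/sbin/usermod" key="exec"
type=EXECVE msg=audit(1599580025.606:1006): argc=4 a0="usermod" a1="-aG" a2="sudo" a3="svc"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Fields auditd emits as bare hex when the value has spaces/quotes/control chars.
HEX_FIELDS = re.compile(r'^(a\d+|exe|cwd|comm|proctitle)$')

MODULE_TOOLS = {"insmod", "modload", "lsmod", "rmmod"}    # list from the thread
ACCOUNT_TOOLS = {"chsh", "usermod"}                        # list from the thread
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")        # /var/tmp added here
HIST_ASSIGN = re.compile(r'\bHIST\w*=')


def decode_value(name, raw):
    """Strip quotes from a quoted value; hex-decode the fields auditd encodes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_FIELDS.match(name) and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit_log(text):
    """Group SYSCALL and EXECVE records by serial into one exec event each."""
    events = defaultdict(lambda: {"exe": None, "auid": None, "argv": {}})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: decode_value(k, v) for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev["exe"] = fields.get("exe")
            ev["auid"] = fields.get("auid")
        elif rtype == "EXECVE":
            for k, v in fields.items():
                if k[0] == "a" and k[1:].isdigit():      # a0, a1, ... (not argc)
                    ev["argv"][int(k[1:])] = v
    for ev in events.values():
        ev["argv"] = [ev["argv"][i] for i in sorted(ev["argv"])]
    return dict(events)


def evaluate(ev):
    """Return the alert names that fire for one reconstructed exec event."""
    alerts = []
    argv = ev["argv"]
    cmdline = " ".join(argv)
    base = os.path.basename(argv[0]) if argv else ""
    if "/dev/tcp/" in cmdline:
        alerts.append("reverse_shell_devtcp")
    if base in MODULE_TOOLS:
        alerts.append("kernel_module_activity")
    if base in ACCOUNT_TOOLS:
        alerts.append("account_modification")
    # Only sees HIST* assignments that reach execve (e.g. via `bash -c`); an
    # `export HISTFILE=...` typed at an interactive prompt is a shell builtin.
    if HIST_ASSIGN.search(cmdline):
        alerts.append("history_tampering")
    if ev["exe"] and ev["exe"].startswith(SCRATCH_DIRS):
        alerts.append("exec_from_scratch_dir")
    return alerts


def alerts_for(text):
    """Map each event serial to its alerts, keeping only events that fired."""
    out = {}
    for serial, ev in sorted(parse_audit_log(text).items()):
        fired = evaluate(ev)
        if fired:
            out[serial] = fired
    return out


if __name__ == "__main__":
    for serial, ev in sorted(parse_audit_log(SAMPLE_LOG).items()):
        print(serial, ev["auid"], ev["exe"], ev["argv"], evaluate(ev))
```

The scratch-directory rule keys on the SYSCALL record's exe= rather than on a0, because a0 is whatever the caller passed (here `./miner`) while exe= is the resolved path the kernel actually loaded. Feed it `ausearch -k exec --raw` output, or the raw audit.log, and tune the lists to the host's own baseline before wiring it to anything that pages people.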
Yep, it's a lousy solution. But I'm happy to report that we now have github.com/tigerphoenixdrago…
Hey this is cool. I mentioned in last week's webcast that a generic lastlog parser would be a good thing, and @stefanrjohnson wrote one in Python! github.com/tigerphoenixdrago…
And so the zombie apocalypse begins...
BREAKING: AstraZeneca's #Covid19 vaccine trials have been paused as the company investigates a serious adverse event that occurred in the UK. Not clear if the unexplained illness is linked to the vaccine, or what it was. statnews.com/2020/09/08/astr…
My class uses the forensic images @binaryz0ne created for the OSDFcon workshop. Thanks again for letting me use them!
Wanna learn Linux #forensics?: osdfcon.org/events_2019/perf… & archive.org/download/HalLinu… are two great resources (kudos to both @binaryz0ne and @hal_pomeranz for such fine work)
There will be x64 assembly on the test. Olly has been replaced by x32/x64dbg, IDA by Ghidra.
The exam covers everything from static analysis to malicious document analysis to malicious web sites to memory analysis. Make sure you have a broad base of knowledge and good luck to you!
It’s more than one dude being a total douche, Shack. It’s a pervasive structure of harassment and misogyny throughout tech. And it needs to be called out and stopped.
Replying to @daveshackleford
PMs on LinkedIn alert me via email to my main acct. I’ve gotten business in the last quarter through LinkedIn PMs and a surprising number of non-spam questions.
find / -type d -name .\*
Replying to @MalwareJake
We wore shoes once? I vaguely remember that time...
Replying to @diami03
In all seriousness the person you’re asking either doesn’t know or doesn’t like the actual answer. So they’re shifting the blame onto you. Typical tactic of bad managers and shirkers in the business world today.
Replying to @diami03
It’s gaslighting or you’re in a Karate Kid movie. But I don’t see Mr Miyagi anywhere, so probably gaslighting.