Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #18 - During an IR you find a script used by the attackers that is gathering known_hosts and id_* files from user $HOME/.ssh directories. What would the attacker use these files for?

Sep 23, 2022 · 10:34 AM UTC

Trivia Answer #18 - @MalwareJake points out that determining attacker intent is always difficult, but known_hosts files plus SSH keys (id_* files) are useful for attempts at lateral movement. Enabling the HashKnownHosts option and using strong pass phrases on keys slows attackers
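The two mitigations named in the answer (HashKnownHosts and passphrase-protected keys) are both things a responder can audit offline on a copied $HOME/.ssh directory. The following Python is an added example, not code from the thread or its authors: it flags known_hosts entries that are not hashed (OpenSSH writes hashed entries with a `|1|` prefix) and reads the cipher name from an OpenSSH-format private key to tell whether it is stored without a passphrase. The known_hosts lines and the key blobs are constructed sample data, not real keys.

```python
import base64
import struct

# Constructed sample known_hosts (not from the thread): one hashed entry,
# as written with "HashKnownHosts yes", then two plaintext entries.
SAMPLE_KNOWN_HOSTS = """\
|1|ZkYx0bQH2hG3q8P0Y4ipVAa2D5s=|W8u3Xy1m5N2P9v6t4L7KQ0rB3sE= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZha2U
bastion.internal.example,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZha2U
[git.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
# comment lines and blanks are ignored by sshd and by this audit
"""


def audit_known_hosts(text):
    """Return the host field of every entry that is NOT hashed.

    A plaintext entry hands whoever copies the file a ready-made list of
    hosts this user has reached; a hashed entry only confirms a host the
    reader already knows the name of.
    """
    exposed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Marker lines such as "@cert-authority host ..." put the host second.
        hosts = fields[1] if fields[0].startswith("@") else fields[0]
        if not hosts.startswith("|1|"):
            exposed.append(hosts)
    return exposed


OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_key_cipher(pem_text):
    """Cipher name recorded in an '-----BEGIN OPENSSH PRIVATE KEY-----' file.

    Per OpenSSH's PROTOCOL.key the decoded blob starts with the magic string,
    then a length-prefixed ciphername; "none" means no passphrase protects it.
    """
    b64 = "".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(b64)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode()


def key_has_passphrase(pem_text):
    """True if the private key file cannot be used without a passphrase."""
    first = pem_text.strip().splitlines()[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return openssh_key_cipher(pem_text) != "none"
    # Legacy PEM keys (RSA/DSA/EC PRIVATE KEY) mark encryption in a header.
    return "Proc-Type: 4,ENCRYPTED" in pem_text


def make_sample_openssh_key(cipher, kdf):
    """Build a truncated openssh-key-v1 blob for demonstration only.

    Constructed test data: it carries only the cipher and KDF names and is
    not a usable key of any kind.
    """
    body = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", len(kdf)) + kdf.encode())
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


UNPROTECTED_KEY = make_sample_openssh_key("none", "none")
PROTECTED_KEY = make_sample_openssh_key("aes256-ctr", "bcrypt")

if __name__ == "__main__":
    for host in audit_known_hosts(SAMPLE_KNOWN_HOSTS):
        print("unhashed known_hosts entry:", host)
    for name, key in (("id_sample_plain", UNPROTECTED_KEY), ("id_sample_enc", PROTECTED_KEY)):
        print(name, "passphrase:", key_has_passphrase(key))
```

Run it over a collected `.ssh` directory by reading each `known_hosts` and `id_*` file into these functions; an unhashed file plus an unprotected key is the combination the answer warns about. The fix on the client side is `HashKnownHosts yes` in ssh_config (existing files can be converted with `ssh-keygen -H`) and a passphrase on every key.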
Lateral movement using SSH key pairs?
Could be anything, like making a collage for mom. Threat actor intent is hard to pin down. But in this case, I'd be using them for lateral movement, hoping the known_hosts files aren't hashed and that one or more of the id_* files are valid ssh private keys to get me access.