Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #18 - During an IR you find a script used by the attackers that is gathering known_hosts and id_* files from user $HOME/.ssh directories. What would the attacker use these files for?
Trivia Answer #18 - @MalwareJake points out that determining attacker intent is always difficult, but known_hosts files plus SSH keys (id_* files) are useful for attempts at lateral movement. Enabling the HashKnownHosts option and using strong pass phrases on keys slows attackers
Sep 24, 2022 · 4:26 PM UTC
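An added example, not part of the original thread: a defender-side audit of one `.ssh` directory for the two mitigations named in the answer, reporting known_hosts entries that are not hashed and private keys stored without a passphrase. The function names are hypothetical, and the check relies on hashed entries starting with `|1|` and on the cipher name recorded in the key file header.

```python
import base64
import re
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # prefix of a decoded new-format OpenSSH private key

def known_hosts_plaintext(text):
    """Host fields of known_hosts entries that are not hashed (hashed ones start with |1|)."""
    exposed = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the hosts
            fields = fields[1:]
        if fields and not fields[0].startswith("|1|"):
            exposed.append(fields[0])
    return exposed

def private_key_encrypted(pem):
    """True/False for passphrase protection; None if no private key block is recognised."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return None
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return True
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"  # cipher name field
    return "Proc-Type: 4,ENCRYPTED" in body  # legacy PEM declares encryption in a header

def audit(ssh_dir):
    """Findings for one .ssh directory: plaintext known_hosts entries, unprotected keys."""
    d, findings = Path(ssh_dir), []
    if (d / "known_hosts").is_file():
        for host in known_hosts_plaintext((d / "known_hosts").read_text(errors="replace")):
            findings.append(("known_hosts entry not hashed", host))
    for key in sorted(d.glob("id_*")):
        if key.suffix != ".pub" and private_key_encrypted(key.read_text(errors="replace")) is False:
            findings.append(("private key has no passphrase", key.name))
    return findings
```

Existing plaintext entries stay in place after HashKnownHosts is enabled; `ssh-keygen -H` rewrites a known_hosts file in hashed form.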
