I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Replying to @MalwareJake
Sadly, Shell is set to explorer.exe
Replying to @DFIRSamurai
The file manager
I summon the collective #DFIR wisdom of Twitter. User attempts to launch Windows Explorer and another program starts instead. I'm assuming a registry setting, but which one?
Replying to @craiu @DfirNotes
“I don’t really understand Linux but the developers keep deploying their stuff on it.”
This content is evergreen volatility-labs.blogspot.com… -- Thanks again, @attrc!
Yeah, people are telling me it's loading for them. Guess I'm on the blocked list! :-)
Replying to @Colddemon00
Weird. Thanks.
Anybody know what happened to the FBI/NSA writeup on the Drovorub Linux rootkit/malware that used to be at media.defense.gov/2020/Aug/1…
Hal Pomeranz retweeted
There is no talent shortage; people with the skills you're asking for don't want to work for you at the price you're paying with the processes you have.
I’d like to see more work around turning audit events into actionable intel. Translate a stream of raw audit logs into “pane of glass” alerts like “webshell executed” or “unexpected/unauthorized privilege escalation” etc.
All of these suggestions will need to be tested and tuned, but I think it’s an interesting starting point.
It's a busy day at the @WWHackinFest Headquarters! SWAG BAGS...lots of them just waiting to be mailed out to attendees. General admission is sold out. However, you can still score a ticket to the conference with the purchase of a training class. wildwesthackinfest.com/deadw… #WWHF
Replying to @MalwareJake
insmod, modload, lsmod, rmmod
Replying to @MalwareJake
Any command line containing “/dev/tcp/<anything>”
Replying to @MalwareJake
Interesting question: will auditd log the leading spaces if the attacker tries to put space at the beginning of a command-line to avoid history?
Replying to @MalwareJake
chsh, usermod; export HIST<anything>; running commands from non-standard bin dirs (e.g. /tmp, /dev/shm)
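As an added example (not from the thread), a small Python detector that turns the indicators listed in the replies above, together with the "actionable alert" idea raised earlier in the feed, into named alerts over auditd EXECVE records. The sample log lines, alert names and helper functions are constructed for this illustration; auditd hex-encodes any argument containing whitespace, so the parser decodes those before matching.

```python
import re

# Constructed sample auditd EXECVE records (not from the original thread). auditd
# hex-encodes any argument containing whitespace or non-printable bytes and emits
# it unquoted; hexarg() mimics that for the samples below.
def hexarg(s):
    return s.encode().hex().upper()

SAMPLE_LOG = "\n".join([
    'type=EXECVE msg=audit(1600000000.102:202): argc=2 a0="insmod" a1="/tmp/x.ko"',
    'type=EXECVE msg=audit(1600000000.103:203): argc=3 a0="bash" a1="-c" a2='
    + hexarg("echo test > /dev/tcp/192.0.2.10/4444"),
    'type=EXECVE msg=audit(1600000000.104:204): argc=4 a0="usermod" a1="-aG" a2="sudo" a3="svc"',
    'type=EXECVE msg=audit(1600000000.105:205): argc=1 a0="/dev/shm/.x"',
    'type=EXECVE msg=audit(1600000000.106:206): argc=3 a0="bash" a1="-c" a2='
    + hexarg("export HISTSIZE=0"),
])

ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')
MODULE_TOOLS = {"insmod", "modload", "lsmod", "rmmod"}
ACCOUNT_TOOLS = {"chsh", "usermod"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/")

def parse_execve(line):
    """Return argv from one EXECVE record, decoding hex-encoded arguments."""
    args = {int(i): q if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")
            for i, raw, q in ARG_RE.findall(line)}
    return [args[i] for i in sorted(args)]

def classify(argv):
    """Map a decoded argv to the human-readable alerts it triggers."""
    if not argv:
        return []
    prog, cmdline = argv[0].rsplit("/", 1)[-1], " ".join(argv)
    checks = [
        ("kernel module manipulation", prog in MODULE_TOOLS),
        ("bash network redirection", "/dev/tcp/" in cmdline),
        ("account modification", prog in ACCOUNT_TOOLS),
        ("shell history tampering", re.search(r"\bexport\s+HIST\w*", cmdline) is not None),
        # argv[0] as handed to execve; the matching PATH record carries the resolved path
        ("execution from scratch directory", argv[0].startswith(SCRATCH_DIRS)),
    ]
    return [name for name, fired in checks if fired]

def scan(log):
    """Return {audit event id: [alerts]} for every EXECVE record that fired."""
    hits = {}
    for line in log.splitlines():
        eid = re.search(r"msg=audit\(([^)]*)\)", line)
        if "type=EXECVE" in line and eid and (alerts := classify(parse_execve(line))):
            hits[eid.group(1)] = alerts
    return hits
```

Joining EXECVE hits to the SYSCALL record with the same event id (auid, uid, exe) is what makes such an alert actionable in practice; the event id key above is where that join happens.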
Hal Pomeranz retweeted
Speaking of Windows and Linux - accessing ext4 filesystems from File Explorer anyone? 😁 WSL2 now enables you to mount physical disks - details here --> devblogs.microsoft.com/comma… #WindowsInsiders