Hal Pomeranz @hal_pomeranz

I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

 Orlando, FL
deer-run.com/~hal/
Joined November 2008
  • Tweets 19,311
  • Following 237
  • Followers 13,672
228 Photos and videos
Load newest
This was a fun and worthwhile project. Can’t believe it was 20 years ago!
Randy Marchany @randymarchany
20 Nov 2020
20th Anniversary of the Center for Internet Security. So glad to have been a part of that with my buddies @hal_pomeranz @jaybeale cisecurity.wistia.com/medias… @SANSInstitute @CISecurity @educause
1
1
Replying to @bettersafetynet
Far too many Linux incidents I investigate would not have happened had the site been using SELINUX in enforcing mode.
2
1
1
Replying to @bettersafetynet
Feign narcolepsy
2
Replying to @k8em0
“The Good Place” — trust me
1
3
Replying to @ElleArmageddon
More than agree with them, they are them in many cases.
2
Hal Pomeranz retweeted
Jake Williams @MalwareJake
9 Nov 2020
Good morning infosec. Here's some free consulting advice. Remember that list of indicators CISA released for ransomware? Go through that list and detail what you have logs for and how far back you can search them. Document your capability gaps and share those with leaders. 1/2
5
109
8
586
Replying to @johnabbe @IdentityWoman @judell @artbrock @AureliaAugusta @lizbarry @finnern
The problem is that while you control the entire data store, you have to give access to small pieces of info. Those pieces will be aggregated outside of your control, just as they are today.
2
Replying to @davidseidl @mzyw @randymarchany @SANSInstitute @educause
Which means your password was not stored as a hash on at least some systems.
1
How Ryuk Ransomware operators made $34 million from one victim - @Ionut_Ilascu bleepingcomputer.com/news/se…

How Ryuk Ransomware operators made $34 million from one victim

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

bleepingcomputer.com
3
93
12
205
Replying to @v3rtig0
istat is just returning inode data, nothing else AFAIK
1
Replying to @v3rtig0
Also not clear on the context for your request. You could track file access in excessive detail using auditd on Linux, but it would have to be configured beforehand. Won’t help if you’re investigating activity that has already happened.
1
2
Replying to @v3rtig0
See extundelete and ext4magic. The source code here is probably the best documentation you are going to find on this. There is no USN equivalent for Linux file systems.
1
shamelessly stolen from imgur. because relevant.
88
2,412
269
6,371
0
For the morning crowd...
Hal Pomeranz @hal_pomeranz
21 Oct 2020
Your most indispensable Windows app(s) and why? GO!
Your most indispensable Windows app(s) and why? GO!
30
1
3
15
Hal Pomeranz retweeted
Andrew Case @attrc
16 Oct 2020
For those that missed it, this loader performs process hollowing with full PE loading - without creating any RWX regions in the victim process @hasherezade also does other awesome work like: - github.com/hasherezade/pe-si… - github.com/hasherezade/hollo…

GitHub - hasherezade/hollows_hunter: Scans all running processes. Recognizes and dumps a variety of...

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - GitHub - hasherezade/hollows_hunter: ...

github.com
hasherezade @hasherezade
15 Oct 2020
Replying to @attrc @volatility
not exactly RunPE, but I have a loader with manual PE mapping that does it: github.com/hasherezade/chime…
2
17
61
Replying to @jtsylve
Not that I'm seeing.
Replying to @mykill
Good idea, not the execution mechanism in this case
2
Replying to @jtsylve
Good thought, but I'm not finding any
Replying to @phillmoore
Yeah, that's basically what I'm down to at this point
Load more