I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Thank you for the kind words. That content is still very relevant. The major change since then has been the arrival of Sysmon to add more detailed information to your log stream.
Hal Pomeranz retweeted
NOW ACCEPTING APPLICATIONS | Deadline 7/15 Ken Johnson Scholarship at the #DFIRSummit will provide: - Two SANS #DFIR classes - Mentoring from @_bromiley & @DAVNADS - Consideration for an internship - One DFIR Summit seat Learn more & apply here👉sans.org/u/1kYm
Hal Pomeranz retweeted
Ooh, this is sexy.
Want a quick & dirty (but supported by Microsoft) way to avoid #follina Office known payloads? Just disable "Troubleshooting wizards" by GPO > admx.help/?Category=Windows_… HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0 By CERT @banquedefrance
Replying to @MalwareJake
In 1990 I was doing network operations for a NASA project aiming for terascale computing. Nice to see exascale computing arriving right on time according to Moore’s Law.
Hal Pomeranz retweeted
This only works because of the handler in HKCR\ms-msdt. If you delete this key, users will see the following if they open a payload document. Note that I haven't tested this to know other impacts but it absolutely prevents exploitation with known #msdt samples. 8/
Hal Pomeranz retweeted
Dear infosec: Sorry to barge in on your Memorial Day weekend, but if you're not following the msdt 0-day in MS Office you probably should be. I've validated it's working on my test systems and is trivial to exploit. First report here:
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. virustotal.com/gui/file/4a24…
Right there with you, brother. I became a step-parent at age 45 and have been trying to measure up since then. Sometimes all you can do is try to be better tomorrow.
Whenever you feel like you are failing at parenting, remember this day. This day was a wonderful day for both your daughter and for you. Kudos!
HOW DID I MISS THIS? The way most folks tell me to look for timestomps isn't just wrong it's dead wrong and easy to see why. (0'ed out milliseconds is only done by SOME tools running w/ defaults) Here's an *awesome* post that shows better methods of timestomp indicators!
1\ How to detect file timestomping 👀 APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈 Did you also know it's possible to timestomp $FN time? 👇👇 BLOG & TL;DR BELOW 👇👇 bit.ly/3KsX1ua
Hal Pomeranz retweeted
1\ #DFIR: How to detect malicious clipboard use? TAs abuse clipboards to steal data / paste commands. Three artefacts you can analyse: > ActivitiesCache.db > Memory forensics > Clipboard history folder I break down how to do this in my blog👇 inversecos.com/2022/05/how-t…
Hal Pomeranz retweeted
This is so true. You may even come up with a better way to do things. Also don't let others keep you from trying. I've seen some people try to keep others from discovering new solutions. Ignore them and keep trying.
Things it took me too long to realize: Just because someone can do it better or faster, doesn’t mean I shouldn’t try.
Much easier to hide in the registry (or even a LNK file) than an ADS. Too many forensic tools now key in on ADS.
Replying to @wimremes
Our family uses ⛄️ as the hug emoji— the arms are open like giving a hug, and Olaf the snowman likes warm hugs
Hal Pomeranz retweeted
I painted this literally dozens of school shootings ago. Hundreds of senseless deaths later
Hal Pomeranz retweeted
florida high school class president zander moricz was told by his school that they would cut his microphone if he said “gay” in his grad speech, so he replaced gay with “having curly hair.” i am in awe
Hal Pomeranz retweeted
Top-tier cosplay👀
How exactly is the one time code you are sending me via SMS a security control if you ask me to give you the number to send it to and don’t do any verification that the number belongs to me?
Replying to @webjedi
Super-awkward was when a relative of mine called me in a panic about a similar email. It apparently described their behavior accurately enough that they were worried about being outed. These were things I really didn't need to know about that person.