Discover and read the best of Twitter Threads about #sandflysecurity

Most recents (3)

You see a weird openssl command running on one of your Linux systems. Here's how to investigate whether it's a bindshell backdoor operating on the box and hiding traffic inside an encrypted tunnel. Thread. #DFIR
The server and client to run the attack. The reverse bindshell causes openssl to connect back to us and is encrypted so network monitoring is blind to what is going on. Need to look at the host to figure it out.
We log into the host after seeing the weird outbound connection and need to investigate. Run ps -aux and lsof -p <PID> to see the process. Throw in netstat for good measure. We see openssl and /bin/sh -i running that look strange.
Read 12 tweets
@SandflySecurity was able to spot this malware very quickly and with multiple serious alerts. Let's have a walk-through about what it was up to and de-cloak it. #DFIR #sandflysecurity
VirusTotal shows very few results. But we saw many serious compromise tactics in use on this Linux system hit with the malware.
The top and ps commands show some odd things. Top is showing 100% of the CPU in use, but no process claiming responsibility. The ps listing shows nothing unusual. Something is hiding. Let's de-cloak it. #DFIR
Read 16 tweets
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets
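
The /proc/<PID>/exe recovery step from the thread above, extended into a small triage helper. This is an added example, not part of the original thread, and the function names are assumptions. It finds processes whose exe link the kernel has marked " (deleted)", copies the binary out, and prints its SHA-256.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# exe_is_deleted PID
# Succeeds if /proc/PID/exe points at a binary that has been unlinked.
# The kernel appends " (deleted)" to the link target in that case.
# Fails for kernel threads (no exe link) and for PIDs we cannot read.
# Caveat: a file literally named "... (deleted)" would also match.
exe_is_deleted() {
    target=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    case "$target" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# list_deleted_exe_pids
# Print the PID of every visible process running from a deleted binary.
list_deleted_exe_pids() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        if exe_is_deleted "$pid"; then
            echo "$pid"
        fi
    done
}

# recover_exe PID OUTDIR
# Copy the still-mapped binary out of /proc and print its SHA-256.
recover_exe() {
    pid=$1
    outdir=$2
    exe_is_deleted "$pid" || { echo "pid $pid: exe not deleted" >&2; return 1; }
    out="$outdir/recovered_$pid.bin"
    cp "/proc/$pid/exe" "$out" || return 1
    chmod 0400 "$out"   # evidence copy: read-only, never executable
    sha256sum "$out" | cut -d' ' -f1
}
```

Run it as root to see other users' processes. The process must still be running, because /proc/<PID>/exe disappears when it exits.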
