@SBSDiva Yes, I understand. You see, he uses PS2EXE for his tool, which is very often used for malicious purposes. I simply highlight that. Nothing more.
I consider disabling my free tools on systems with certain language and time zone settings
e.g. "Russian" language + timezone somewhere within "Russia" > "sorry, I can't run here"
Opinions?
To be fair, the Russian aggression against Ukraine would only be the trigger and not the cause.
We are not allowed to & refrain from selling to certain countries but we give away "Lite" versions for free.
RU's invasion is just the trigger that reminded me of that idea.
I would obviously include China, North Korea and Iran in these filters to treat them equally
# Block Rules / Log-Based Detection
There's no effective or rather gapless way to detect attacks that use log4shell due to the many ways to obfuscate the strings.
Don't put too much trust in any filter/detection pattern. All can be bypassed.
..
2/ # Behaviour Based Detection
We thought about network based detection, but it could be any remote port and any remote system. Java can have many legitimate outgoing connections & often has suspicious sub processes.
3/ # Vulnerability Detection
It's difficult to find vulnerable software. It could be the web app, the ticket mgmt that receives contact form content or the backup software. Vuln scanners won't give a complete picture.
Discovery could take months.
Try to use the Canary Tokens.
I’d like to clarify my position on #Microsoft in general
Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.
I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.
There are still few but good reasons ..
.. not to opt for the cloud.
I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.