Florian Roth
Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇
Feb 24, 2022 5 tweets 1 min read
I consider disabling my free tools on systems with certain language and time zone settings

e.g. "Russian" language + timezone somewhere within "Russia" > "sorry, I can't run here"

Opinions? To be fair, the Russian aggression against Ukraine would only be the trigger and not the cause.
We are not allowed to & refrain from selling to certain countries but we give away "Lite" versions for free.
RU's invasion is just the trigger that reminded me of that idea.
Dec 11, 2021 6 tweets 1 min read
1/ #Log4Shell Status determination

# Block Rules / Log-Based Detection
There's no effective or rather gapless way to detect attacks that use log4shell due to the many ways to obfuscate the strings.
Don't put too much trust in any filter/detection pattern. All can be bypassed.
2/ # Behaviour-Based Detection

We thought about network based detection, but it could be any remote port and any remote system. Java can have many legitimate outgoing connections & often has suspicious sub processes.
Dec 10, 2021 4 tweets 1 min read
Quick check in /var/log folder or where your apps store their logs

sudo grep -r '${jndi:ldap://' /var/log

#log4j #log4jrce If you find something, please send me a redacted version of it - I'd like to see log lines of real world exploitation attempts
Oct 13, 2021 5 tweets 2 min read
Elevate your cmd.exe to LOCAL_SYSTEM?

\\live.sysinternals.com\tools\PsExec.exe -s -c cmd.exe

Have you ever seen this being used by an adversary? I haven't but I like it.

If you can't use the SMB protocol to hosts on the Internet, try WebDav over HTTPS

net use z: hxxps://live.sysinternals.com/tools && z:\PsExec.exe -s -c cmd.exe

(had to change the URL scheme because twitter would otherwise transform it - see screenshot)
Aug 1, 2021 4 tweets 2 min read
I’d like to clarify my position on #Microsoft in general

Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.

I criticize Microsoft’s response to recent .. vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.

There are still few but good reasons ..
Oct 26, 2020 5 tweets 3 min read
1/ Since we go through the #Githubification of InfoSec, knowing git has become an essential skill

My recommendations:

Read a tutorial to get to know the basic terminology
rogerdudler.github.io/git-guide/

Do an interactive training but I'd consider it optional
katacoda.com/courses/git

2/ For newcomers or occasional users I'd recommend a GUI

- Github Desktop (Windows, Linux, macOS)
desktop.github.com
github.com/shiftkey/deskt…
- SourceTree (macOS, Windows)
sourcetreeapp.com
- GitKraken (Windows, Linux, macOS)
gitkraken.com

...
Mar 15, 2020 7 tweets 4 min read
1/x A #COVID19 #OffTopic thread for my followers in countries that still enjoy the quiet before the storm.

It is serious. Don't listen to the voices that play it down.
But also don't panic.

The problem with SARS-CoV-2 is that the treatment of severe cases (~5-10%) requires .. 2/x .. intensive care beds with respirators.

Here in Germany, we have 29k intensive care beds, most of them occupied long before COVID19.
If only 1% of the citizens get sick, that would be 830k citizens, 83k of them with the severe clinical course of the disease.
Nov 9, 2019 11 tweets 3 min read
Log Sources Top 5
(ordered by cost-benefit ratio / volume > detectable threats)

1. Antivirus
2. Windows Eventlog (+Sysmon)
3. Proxy
4. Firewall
5. DNS

1/ I'll give some short comments to help you understand the order

In general: I included only those logs that can already be collected in most organizations, when you start a SecMon project.
Bro/Zeek, Suricata, Netflow, etc. would be somewhere between 2 and 4 if available. ..