Andre Pawlowski (@sqall01)'s Twitter Profile
Andre Pawlowski

@sqall01

IT-security enthusiast. Maker. Member of @FluxFingers. Author of alertr.de

ID: 108678255

Website: https://pawlowski.dev
Joined: 26-01-2010 18:24:37

1.1K Tweets

666 Followers

70 Following

Craig Rowland - Agentless Linux Security (@craighrowland):

Here is a quick way to find tainted Linux kernel modules that are not maliciously hiding:

cat /proc/modules | grep \(.*\)

Sample "malicious_module" is both out-of-tree and unsigned which would warrant a closer look.
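
As an added example (not Craig's own tooling), the same check done in Python: parse the lines of /proc/modules, pull out the taint letters and report modules that are out-of-tree (O) or unsigned (E). The sample /proc/modules content and the module names in it are constructed.

```python
import re

# Module taint letters as documented in the kernel's admin guide
# (Documentation/admin-guide/tainted-kernels.rst).
TAINT_FLAGS = {
    "P": "proprietary (non-GPL) module",
    "F": "force-loaded",
    "C": "staging driver",
    "O": "out-of-tree module",
    "E": "unsigned module",
}

# Constructed sample of /proc/modules: name, size, refcount, dependents,
# state, load address and an optional "(taint)" suffix. Names are made up.
SAMPLE_PROC_MODULES = """\
nf_tables 253952 2 nft_compat,nft_counter, Live 0xffffffffc0a80000
malicious_module 16384 0 - Live 0xffffffffc0a60000 (OE)
vendor_driver 56279040 12 vendor_helper, Live 0xffffffffc0c00000 (POE)
ext4 884736 1 - Live 0xffffffffc0400000
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<refs>\d+)\s+(?P<deps>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)(?:\s+\((?P<taint>[A-Z]+)\))?\s*$"
)

def parse_proc_modules(text):
    """Return one dict per module line; lines that do not parse are skipped."""
    modules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mod = m.groupdict()
            mod["size"] = int(mod["size"])
            mod["taint"] = mod["taint"] or ""
            modules.append(mod)
    return modules

def tainted_modules(text, flags=("O", "E")):
    """Modules carrying any of the given taint letters (default: the
    out-of-tree + unsigned combination the tweet calls out)."""
    hits = []
    for mod in parse_proc_modules(text):
        reasons = [TAINT_FLAGS.get(c, "unknown flag " + c)
                   for c in mod["taint"] if c in flags]
        if reasons:
            hits.append((mod["name"], mod["taint"], reasons))
    return hits
```

On a live host, pass the contents of /proc/modules to tainted_modules() to get the same list the grep one-liner prints, with the taint letters decoded.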
Craig Rowland - Agentless Linux Security (@craighrowland):

This is an almost identical technique used by BPFDoor malware from last year. They used iptables on Linux to re-route traffic when a magic packet was seen. This will allow C2 to the malware through firewalls allowing legitimate inbound traffic to the server.

Florian Roth ⚡️ (@cyb3rops):

The best way to learn how real threat actors operate is to read the many published threat reports on their activity:
- DFIR Report thedfirreport.com
- APT Groups and Operations docs.google.com/spreadsheets/d…
- ORKL orkl.eu/sources
I'll add more links in the replies 🧵

Craig Rowland - Agentless Linux Security (@craighrowland):

If you run an open source project and need to protect your infrastructure, Sandfly Security will give you a free full license. Reach out at our website or here with a DM and we'll get you sorted. We do this for other projects and want to protect the integrity of your hard work.

Jose Enrique Hernandez (@_josehelps):

Hey, infosec brains trust! 🧠 Ever felt like you're juggling digital chainsaws? 🪚💻 I've been in the trenches with:

🔹#LOLBAS 🛠️: Your multi-tool for Windows. A treasure trove of Binaries, Scripts, and Libraries that adversaries may use to live off your land.

🔹#GTFOBINS ⚙️:
Craig Rowland - Agentless Linux Security (@craighrowland):

Here's how to use simple Linux command line tools to investigate and de-cloak Reptile stealth rootkit and others like it.

grep . /etc/modules
dd count=10000 bs=1 if=/etc/modules 2>/dev/null
cat /etc/modules | wc -c
Craig Rowland - Agentless Linux Security (@craighrowland):

Finally, check that the kernel and filesystem byte counts match. Feeding the file through a simple "wc -c" command will count the bytes the filesystem thinks is present. If these values don't match, something is hiding. 

cat /etc/modules | wc -c
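
An added example, not part of the thread: the byte-count cross-check above done in Python, comparing the size stat() reports against what a large buffered read (the cat | wc -c path) and a byte-by-byte read (the dd bs=1 path) actually return. The temporary file content is constructed; /etc/modules is the target path from the tweet.

```python
import os
import tempfile

def count_bytes_chunked(path, bufsize=65536):
    """Read the file with large unbuffered reads, the way cat | wc -c does."""
    total = 0
    with open(path, "rb", buffering=0) as fh:
        while chunk := fh.read(bufsize):
            total += len(chunk)
    return total

def count_bytes_bytewise(path):
    """Read one byte per syscall, the dd bs=1 approach from the tweet."""
    total = 0
    with open(path, "rb", buffering=0) as fh:
        while fh.read(1):
            total += 1
    return total

def collect_counts(path):
    """Three views of the same file: the size stat() reports, the bytes a
    buffered read returns, and the bytes a byte-by-byte read returns."""
    return {
        "stat": os.stat(path).st_size,
        "chunked": count_bytes_chunked(path),
        "bytewise": count_bytes_bytewise(path),
    }

def counts_consistent(counts):
    """True when every view agrees. Any disagreement means one code path is
    being served different file contents and deserves a closer look."""
    return len(set(counts.values())) == 1

def check_file(path):
    counts = collect_counts(path)
    return counts, counts_consistent(counts)

def check_sample(content):
    """Write constructed content to a temporary file, check it, clean up."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
    try:
        return check_file(tmp.name)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(check_file("/etc/modules"))
```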
Giuseppe `N3mes1s` (@gn3mes1s):

Pitfalls of relying on eBPF for security monitoring (and some solutions) from Trail of Bits. Very nice overview of production problems you could encounter creating a security solution based on eBPF. And even some bypasses 😁 blog.trailofbits.com/2023/09/25/pit…

Eric Leblond (@regiteric):

Kunai is an open source sysmon "clone" developed in rust and based on eBPF (cc Alexei Starovoitov) that has just been presented at #hacklu github.com/0xrawsec/kunai

Andre Pawlowski (@sqall01):

What are Linux process environment variables you should take a closer look into if you find them for processes on your system? I currently have in mind:
- HISTFILE (=/dev/null)
- HISTSIZE/HISTFILESIZE (=0)
- LD_PRELOAD
- SOCAT_*
- SSH_C* (if ppid=1 => left-over process)
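
Added example (not from the tweet author): a scanner for the variables listed above that parses a /proc/<pid>/environ blob and applies the stated conditions, including the ppid=1 rule for SSH_C*. The environ blob, the preloaded library path and the client address are constructed sample values.

```python
import fnmatch

# The variables from the tweet, as (glob pattern, predicate on value and
# parent PID, reason). Trailing "*" covers the SOCAT_* / SSH_C* families.
SUSPICIOUS_ENV = [
    ("HISTFILE",     lambda v, ppid: v == "/dev/null", "shell history sent to /dev/null"),
    ("HISTSIZE",     lambda v, ppid: v == "0",         "shell history disabled"),
    ("HISTFILESIZE", lambda v, ppid: v == "0",         "shell history disabled"),
    ("LD_PRELOAD",   lambda v, ppid: True,             "library preloading in effect"),
    ("SOCAT_*",      lambda v, ppid: True,             "process spawned by socat"),
    ("SSH_C*",       lambda v, ppid: ppid == 1,        "SSH session variables but reparented to init"),
]

# Constructed /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries);
# the library path and client address are made-up sample values.
SAMPLE_ENVIRON = (b"HOME=/root\0HISTFILE=/dev/null\0HISTSIZE=0\0"
                  b"LD_PRELOAD=/tmp/sample.so\0SSH_CLIENT=203.0.113.7 51234 22\0"
                  b"PATH=/usr/bin\0")

def parse_environ(blob):
    """Split a raw environ blob into a dict; undecodable bytes are replaced."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def suspicious_env(env, ppid):
    """Return (variable, value, reason) for every entry matching the list."""
    findings = []
    for pattern, pred, reason in SUSPICIOUS_ENV:
        for key in sorted(env):
            if fnmatch.fnmatchcase(key, pattern) and pred(env[key], ppid):
                findings.append((key, env[key], reason))
    return findings

def parent_pid(stat_text):
    """Parent PID from /proc/<pid>/stat; comm may contain spaces, so split
    after the closing parenthesis (fields there: state, ppid, ...)."""
    return int(stat_text.rpartition(")")[2].split()[1])

def scan_process(pid):
    """Read environ and the parent PID from /proc for a live process."""
    with open(f"/proc/{pid}/stat") as fh:
        ppid = parent_pid(fh.read())
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return suspicious_env(parse_environ(fh.read()), ppid)
```

Reading another user's environ requires the same privileges as ptrace on that process, so run the scan as root to cover every PID.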

Andre Pawlowski (@sqall01):

TIL: if you are searching for suspicious processes on a Linux host by looking at whether /proc/<pid>/exe points to a deleted file, it can point to "/ (deleted)". Apparently the Linux kernel also spawns processes: uninformativ.de/blog/postings/…

Craig Rowland - Agentless Linux Security (@craighrowland):

Mission Impossible: Elite xz SSH backdoor used to access your network. Mission Reality: Your org still has default accounts with easily guessed passwords all over.