Florian Roth
@cyb3rops
Followers
180,223
Following
2,386
Media
5,245
Statuses
32,433
Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner , Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇
Frankfurt, Germany
Joined June 2013
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Rio Grande do Sul
• 147269 Tweets
Boeing
• 126570 Tweets
Madonna
• 126523 Tweets
Nathan
• 115745 Tweets
Irak
• 66029 Tweets
Bhuvi
• 32793 Tweets
Marselino
• 24548 Tweets
Bruno Mars
• 23199 Tweets
#CHETOT
• 22128 Tweets
#الاهلي_ضمك
• 19339 Tweets
Guinea
• 18448 Tweets
زياد
• 18049 Tweets
Ange
• 16392 Tweets
Ernando
• 15728 Tweets
Canna
• 15469 Tweets
ALGS
• 13427 Tweets
Guillaume Meurice
• 12856 Tweets
Brasília
• 12345 Tweets
Sundowns
• 11032 Tweets
Pinned Tweet
I've decided to put a screenshot showing the hex editor view of a Turla Kazuar sample behind acrylic glass on my desk to always remind me, why I am doing all this ...
because I 💛 to be a pain in the neck of the bad guys
It seems that I have some fans over in Russia 🐻
#TurlaLicksAss
thx to the FireEye analyst who brought this to my attention
25
78
542
63
228
2K
If you choose a password that is too long, the base64-encrypted version of the password will not fit into the database field
69
191
5K
I have summarized the Apache path normalization clusterfuck for you
24
1K
4K
How to test your apps for
#log4shell
vulnerability
1. Generate a DNS token
2. Wrap that token in
Prefix: ${jndi:ldap://
Suffix: /a}
3. Use that value in search forms, profile data, settings etc. of your apps
4. Get notified when you triggered a reaction
42
1K
3K
Can we get a Kitchen Nightmares but with IT departments and a cyber Gordon Ramsey that shouts at people for not having an asset inventory, log or vulnerability management?
I would love that 🖤
146
481
3K
I always preferred an indentation based on spaces and then someone said :
75
451
3K
First security application I install on ...
macOS: LittleSnitch
Linux Server: Fail2ban
Linux Workstation: etckeeper
Windows Workstation: GlassWire
Windows Server: Sysmon
---
What are yours?
115
441
3K
BREAKING: Microsoft just announced that they're gonna rebrand M365 as M364
67
252
2K
Tools I recommend to Windows users - reply with your secret tip / tool
Setup:
Ninite
Personal FW:
GlassWire
@GlassWire
Anti-Spy:
ShutUp 10
@OOSoftware
61
621
2K
OH: LinkedIn is like Tinder, just the other way around.
Young women contact IT guys and get ignored.
43
409
2K
27
405
2K
People use "grep" after "cat" as it allows for a quicker alteration of the searched keyword, enhancing their workflow.
By simply pressing the arrow up, they can easily edit the last command and quickly change the search keyword, which is a lot more efficient than navigating
98
155
2K
InfoSec professional life cycle
20y-30y
Uh, someone found a vuln!
30y-40y
I've found a vuln!
40y-50y
I can detect / protect you from vulns!
50y-60y
Chinese threat actor has found vuln faster than you!
60y+
I breed chicken and cultivate orange trees
46
422
2K
If you're an attacker with local admin privs, consider storing your malicious files in
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection
MS tends to store noisy and shady scripts there, leading many security vendors to eventually exclude that folder
26
365
2K
A DFIR friend told me that one of his customers, which spent a full week finding & remediating log4j vulnerabilities got ransomed through an unpatched Confluence vulnerability that was published in August
#Log4j
#Log4Shell
28
438
2K
The problem in IT security is that fascinating things are often unnecessary while boring things are usually essential.
We focus too much on the fancy stuff and can't get the fundamental things right.
44
419
2K
Going through old pictures, found this one and had to laugh once again
10
319
2K
No1 reason why people don't publish their code
Me: Ah, that's a useful tool. Do you plan to publish this?
Him: No, why should I?
Me: Others face the same problems.
Him: They would only laugh at my shitty code - I'll refactor it.
And that never happens.
49
543
2K
TIL whenever you see an SSL certificate error and the browser doesn't let you continue - even on your own risk, you can just type 'thisisunsafe' to bypass the protection
33
343
2K
Pro Defense tip: I started to place confidential files into folders that Chinese attackers are unable to recognize
39
209
2K
After years in security monitoring, detection engineering, training ML models and writing detections, you'll learn one thing:
The problem isn't that malware tries to look like legitimate software, it's that software does a lot of things that you'd only expect from malware
43
280
2K
Imagine you'd get access to an unknown SIEM of a new customer & would be given 10min to find malicious activity by using keyword searches on raw data, what would you search for?
I'll start
'.dmp full'
'whoami'
'delete shadows'
'FromBase64String'
'save HKLM\SAM'
' -w hidden '
84
334
2K
It's not always possible to scan every device in your network for crypt mining malware (Linux boxes, IOT, App containers)
But you could check your DNS & firewall logs for connections to the limited number of mining pools
I've compiled a list for you
24
456
1K
There is Base64 encoded malicious stuff that one sees very frequently
I made a cheat sheet for us so that we can learn and spot malicious stuff faster ⚡️
30
628
1K
The sad truth about work is that 97% of the victims don’t have a blue team, no SIEM, no SOC and don’t monitor Twitter for new threats
They have an admin or IT service provider that manages users, mail boxes, installs printers & once in a while a new AV
67
305
1K
If I were evil, I wouldn’t attack 20-30 target companies in expensive campaigns but instead the developers of Ublock, Notepad++ and Putty to own the whole world
83
288
1K
Welcome to the cloud era, where one factor grants access to your corporate data
22
295
1K
How a single character can make such a big difference - a happy new year to all of you! 🎆
12
180
1K
Linus is the Gordon Ramsay of the Linux Kernel. I‘d love to watch a show called „Kernel Nightmares“ in which he yells at developers „What is this? Look at this crap!“ „The socket is raw!“ „Close it down!“ „that was an idiot branch switch“
i am happy to report that linus torvals remains a cranky old bastard
59
193
3K
19
178
1K
Give me a list of well known tools used by adversaries
Novice:
nmap, Cain, hydra, tcpdump, arpspoof
Intermediate:
Htran, Mimikatz, smbexec, Lazagne, PwDump
Expert:
PowerShell, VBA macros, JavaScript, WMI, certutil, legitimate signed executables
68
352
1K
Nephew asks: How did you get the source code from these old magazines, when there were no link under the article to download it? Github isn't that old, is it?
Me: We read it and typed it.
He: *big eyes*
Me: Yes, all of it.
79
221
1K
What people seem to miss:
The
#Log4Shell
vulnerability isn't just a RCE 0day.
It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products.
It's a 0day cluster bomb.
20
359
1K
@stillgray
What always baffles me is that everyone "deserves" to live a certain way or get something, but what about the people who have earned their salary but don't get it because they were forced to pay for the things that others "deserve"?
18
36
1K
Log4Shell Detector v0.1
Python based scanner that tries to detect even the most obfuscated versions of the exploit code
- first version: I did a few tests, not more
- please provide pull requests with improvements
10
495
1K
HardenTools
a collection of simple utilities designed to disable a number of "features" exposed by Microsoft Windows
> I've just had a chat with s/o who hasn't heard of it and thought, now that Win11 is out, I should share it again
9
439
1K
Someone claims to have breached
@vxunderground
and is selling their password in underground forums
84
113
1K
If you really want people to click on your phishing link, make it a small „unsubscribe“ button at the end of an subtly annoying newsletter
43
165
1K
If I'd write malware, I'd drop it into
\AppData\Local\Microsoft\TeamsMeetingAddin\
- user has write access
- probably excluded from some detections
- SOC analyst: 'ah, just another MS Teams quirk. we've seen so many.'
- availability has top priority ;)
26
276
1K
Just got asked for a list of cybersecurity certifications
I always point people to this specific website for that, and typically, their response is a solid "wtf"
28
224
1K
The common corporate security landscape in a single picture
24
262
1K
When a vendor tells you that they're not affected because they still use log4j 1.2 in their products
18
186
1K
Find evidence of log4j usage on Linux servers with these 3 commands
ps aux | egrep '[l]og4j'
find / -iname "log4j*"
lsof | grep log4j
Find places to which your applications write logs
lsof | grep '\.log'
#log4shell
#log4j
19
378
1K
Elevate your cmd.exe to LOCAL_SYSTEM?
\\\tools\PsExec.exe -s -c cmd.exe
Have you ever seen this being used by an adversary? I haven't but I like it.
36
359
1K
Log Sources
- ordered by priority
- with ratings in different categories
- personal and highly subjective assessment
- from my most recent slide deck on low hanging fruits in security monitoring
#SIEM
#SecurityMonitoring
#ThreatHunting
30
424
1K
Log Sources Top 5
(ordered by cost-benefit ratio / volume > detectable threats)
1. Antivirus
2. Windows Eventlog (+Sysmon)
3. Proxy
4. Firewall
5. DNS
47
389
1K
Idea: Microsoft should reactivate clippy to help sysadmins with the newest threats that won't be fixed with a KB patch but require admins to find, read, understand and apply advisories
Clippy could ask questions like these:
20
216
1K
What would a time traveller from the year 2005 think if he heard that the software used in 95% of todays attacks is sold by a legal company registered in the US?
What would you think of it if it were registered in Russia?
38
229
1K
APT Simulator
A toolset to make a system look as if it was the victim of an APT attack
> quick & dirty & batch, but a better adversary simulation than Nmap+Cain+EICAR
17
613
1K
That's a very nice cheat sheet repository by
@packetlife
including Wireshark, scapy and tcpdump
8
545
1K
Haha .. I did it .. Raccine - a simple Ransomware Vaccine
- uses debugger registration to intercept vssadmin.exe invocations
- collects process tree pids for kills
- PoC as weekend project
- my C code sucks, but it works
23
351
1K
CVE-2021-31166
it's not just systems running IIS on Win10 but also WinRM that's affected
> brace for impact
PoC
YARA (shot in the dark)
17
438
1K
The best way to learn how real threat actors operate is to read the many published threat reports on their activity
DFIR Report
APT Groups and Operations
ORKL
I’ll add more links in the replies 🧵
21
347
1K
My Signature Creation Mind Map
Input: Sample
> the things that I check to create YARA signatures, Sigma rules or IOCs
> or pivot to related samples in order to improve the signatures / rules
11
358
1K
I have a special Christmas present for you guys 🎁
I took the time this morning & completely reworked my 'God Mode YARA Rule'
It's a PoC aimed at crafting a single rule that covers a vast array of threats with minimal FPs
Merry Christmas to you all 🎄
19
277
1K
