Less is More

I found /usr/bin/lesspipe.sh and ~/.lessfilter.

⚠️ This post is in no way detailing a vulnerability or exploit. I am sharing a novel persistence mechanism that I was not aware of until recently. I am writing this post because I do not believe many defenders — SOC, DFIR and system administrators alike — know about this. Neither MITRE ATT&CK nor GTFOBins.com includes this level of detail in their respective repositories, either.

Re-Introducing the less Command

The less program, normally located at /usr/bin/less, is a well-known pager that comes prebaked into *nix operating systems. The less program allows a user to view a file with mouse scrolling, to search it with regular expressions, and even to list the contents of compressed archives. We'll talk more about that last part later.

Recently I was perusing my environment variables (envars) on my Linux-based system and found this ".sh" file that was just screaming for me to investigate further.

env
...skipping
LESSOPEN=||/usr/bin/lesspipe.sh %s
PAG...