Linux EDR nologin Shell Rename Backdoor Attack Detection and Forensics

Поділитися
Вставка
  • Опубліковано 6 гру 2024

КОМЕНТАРІ • 8

  • @comosaycomosah
    @comosaycomosah День тому +1

    this channel should have so many more subs you guys make great vids i need to try your products i havent yet

    • @SandflySecurity
      @SandflySecurity  День тому +1

      Thanks. We will be posting many more videos. Please share and tell your friends. We have a free trial on the website if you want to use it.

    • @comosaycomosah
      @comosaycomosah 23 години тому +1

      @SandflySecurity for sure! And yea I was looking lastnight I may have too

  • @juergenm6107
    @juergenm6107 20 годин тому

    With lynis or emba I can detect misconfiguration perfectly

  • @kevinpaulus4483
    @kevinpaulus4483 3 дні тому +1

    Nice ... but you still need an exploit from which you can run root commands or escalate to root to replace the shell in the shadow passwd file (chsh) and change the non password to something legible (passwd). Do you have alerts of possible RCE's on vulnerable systems ... do you do continuous nessus like or nmap/NSE or ... other types of vulnerability scanning ?
    Anyway ... quite interesting product for an enterprise with a Linux environment.

    • @SandflySecurity
      @SandflySecurity  3 дні тому +1

      We assume anyone that gets on a Linux box is going to get root is our philosophy. There are many ways it can happen with bugs, mis-configurations, etc. We scan systems on random basis for signs of attack but are not a vulnerability scanner. We specifically focus on compromise detection and agentless threat hunting. Many systems remain unpatched or open to attack and admins need an automated way to search out and identify hosts that have been compromised. Hope that helps.

  • @dominikheinz2297
    @dominikheinz2297 18 годин тому

    A question regarding how sandfly works. Are all the individual modules (the sandflies) that are ran on the target system, individual binaries? because, if so, they have to be transferred and executed on the target system. Are they just placed in the tmp dir and then executed and send the results back over SSH via JSON? I am curious. Otherwise, seems like a very interesting product.

    • @SandflySecurity
      @SandflySecurity  16 годин тому

      We use a purpose built binary and instructions are sent to it once on the host on what to analyze and collect. The binary is built specifically to investigate Linux with capabilities to de-cloak rootkits, parse data, etc. The execution is done in a secured home user directory and not out of /tmp. Results in the server are JSON and can be exported to any compatible source such as Splunk, Elastic, Postgres, Syslog, and so on. If it takes JSON, we can send to it also with our REST API. Hope that helps and thanks for watching.