Head of R&D @nextronsystems #DFIR #YARA #Sigma | Detection Engineer | Creator of @thor_scanner, Aurora, Sigma, LOKI, yarGen, Raccine

Frankfurt, Germany
Joined June 2013
Florian Roth ⚡ retweeted
Just figured out the @Horizon3Attack vRealize Log Insight exploit lol Incoming guided threat hunt + signatures before the exploit PoC is dropped this week. Sign up on aceresponder.com to be notified. #threathunting #DFIR #RCE #cybersecurity
🥹
Florian Roth ⚡ retweeted
"bypass.ps1": 4a67a7525e956bf4b47fb34af353fbeb43a6d16d4ad6fa2cba9a39beabf480ec service-8oeyubeo-1304571952.gz.apigw.tencentcs[.]com AVs: 0 detection / @thor_scanner: 2 comments. Again 👏 to @cyb3rops.
You can run, but you can't hide virustotal.com/gui/file/6eb0…
Florian Roth ⚡ retweeted
Keep in mind when scraping usernames from a #Cisco #CUCM server with @n00py1’s cucme[.]sh or @TrustedSec’s SeeYouCM-Thief: the names can appear not only within the <userName> tag but also within the <firstName> and <lastName> tags. Worth checking! ppn.snovvcrash.rocks/pentest…
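To make the point of that tweet concrete, here is an added Python example (my own code, not cucme.sh or SeeYouCM-Thief) that pulls names from all three tags rather than only from <userName>. The XML snippet is constructed to resemble a CUCM phone configuration file; its nesting is an assumption, only the three tag names come from the tweet, and the candidate username formats are mine.

```python
import xml.etree.ElementTree as ET

# Constructed snippet in the shape of a CUCM phone configuration file (not a real
# capture). The nesting is an assumption; only the three tag names are from the tweet.
SAMPLE_CNF_XML = """<device>
  <devicePool><name>Default</name></devicePool>
  <userName>jdoe</userName>
  <firstName>John</firstName>
  <lastName>Doe</lastName>
  <lines>
    <line button="1">
      <userName></userName>
      <firstName>Alice</firstName>
      <lastName>Smith</lastName>
    </line>
    <line button="2">
      <userName>bwayne</userName>
    </line>
  </lines>
</device>
"""

NAME_TAGS = ("userName", "firstName", "lastName")


def _local(tag):
    """Strip an XML namespace prefix ({ns}tag -> tag) if one is present."""
    return tag.rsplit("}", 1)[-1]


def extract_names(xml_text):
    """Collect usernames and (first, last) pairs from every element in the document.

    firstName/lastName are paired per parent element, so several entries in one
    file (e.g. one per line button) stay associated correctly. Scraping only
    <userName> would miss Alice Smith entirely in the sample above.
    """
    root = ET.fromstring(xml_text)
    usernames, fullnames = set(), []
    for parent in root.iter():
        fields = {}
        for child in parent:
            name = _local(child.tag)
            if name in NAME_TAGS:
                fields[name] = (child.text or "").strip()
        if fields.get("userName"):
            usernames.add(fields["userName"])
        first, last = fields.get("firstName", ""), fields.get("lastName", "")
        if first or last:
            fullnames.append((first, last))
    return {"usernames": sorted(usernames), "fullnames": fullnames}


def candidate_usernames(first, last):
    """Turn a real name into the login formats worth trying (assumed conventions)."""
    f, l = first.lower(), last.lower()
    if not (f and l):
        return [x for x in (f, l) if x]
    return [f"{f}.{l}", f"{f[0]}{l}", f"{f}{l[0]}", f"{l}{f[0]}", f"{f}{l}"]


def wordlist(xml_text):
    """Usernames found verbatim, then candidates derived from real names, deduplicated."""
    found = extract_names(xml_text)
    out = list(found["usernames"])
    for first, last in found["fullnames"]:
        for cand in candidate_usernames(first, last):
            if cand not in out:
                out.append(cand)
    return out


if __name__ == "__main__":
    print("\n".join(wordlist(SAMPLE_CNF_XML)))
```

The per-parent pairing matters once a file carries more than one person (one per line button, say): flattening all first names and all last names into two lists would pair them up wrongly. Verify the derived candidates against the real naming convention before spraying them anywhere.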
Since I'm a fan of efficient forensic analysis, I've created a YARA rule that detects downloads blocked by security solutions. It uses an external var (works in LOKI & THOR). @malmoeb's tweet: tweeter.jakobs.systems/malmoeb/status/1… @virustotal query: virustotal.com/gui/search/fi… github.com/Neo23x0/signature…
Replying to @malmoeb
2/ But the best part was: the file was not an executable at all! The proxy prevented the download due to the "Malicious Websites" category. Within the error message from the proxy, the malicious domain was visible. Another easily gained IOC to hunt for 🤠
The single most important feature offered by Laurel, the auditd plugin, is that it can join the absolutely impractical args array to a string which we can use for matching:
a0=“ndog” a1=“-l” a2=“-p” a3=“4444”
cmd=“ndog -l -p 4444”
It’s not the default and is hidden in the manual.
Just released v0.5.1 of Laurel, the #linux #auditd event post-processing plugin that generates useful, enriched JSON-based audit logs suitable for modern security monitoring setups. github.com/threathunters-io/…
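Why the joined cmd string matters for detection, as an added Python example (my own code, not Laurel's): it parses raw auditd EXECVE records into argv, joins them the way Laurel's cmd field does, and shows that a listener pattern which fits the joined string cannot be matched slot by slot. The sample records are constructed, the listener regex is an assumed detection, and the hex-decoding branch covers auditd's encoding of arguments that contain whitespace.

```python
import re
import shlex

# Constructed sample auditd EXECVE records (not real logs). The third record shows
# how auditd hex-encodes an argument containing whitespace (no quotes around it).
SAMPLE_EXECVE = [
    'type=EXECVE msg=audit(1674900000.123:4711): argc=4 a0="ndog" a1="-l" a2="-p" a3="4444"',
    'type=EXECVE msg=audit(1674900000.456:4712): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1674900000.789:4713): argc=3 a0="bash" a1="-c" a2=6E63202D6C202D702034343434',
]

# a<N>="quoted" or a<N>=HEX (auditd's encoding for args with unsafe characters)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
ARGC_RE = re.compile(r"\bargc=(\d+)")

# Assumed detection pattern: a netcat-style listener ("nc -l -p <port>" and friends).
LISTENER_RE = re.compile(r"\b(nc|ncat|ndog|socat)\b.*\s-l\b.*-p\s*\d+")


def parse_execve(line):
    """Return (audit serial, argv list) for one raw EXECVE record."""
    serial_m = SERIAL_RE.search(line)
    serial = int(serial_m.group(1)) if serial_m else None
    argc_m = ARGC_RE.search(line)
    slots = {}
    for m in ARG_RE.finditer(line):
        idx = int(m.group(1))
        if m.group(2) is not None:          # quoted argument
            slots[idx] = m.group(2)
        else:                               # hex-encoded argument
            slots[idx] = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
    argc = int(argc_m.group(1)) if argc_m else len(slots)
    return serial, [slots.get(i, "") for i in range(argc)]


def join_cmd(args):
    """Join argv into one shell-quoted string, the shape Laurel's cmd field takes."""
    return shlex.join(args)


def matches_per_slot(args):
    """Slot-by-slot matching: the whole pattern has to fit inside a single argument."""
    return any(LISTENER_RE.search(a) for a in args)


def find_listeners(lines):
    """Return (serial, cmd) for every EXECVE record whose joined cmd matches."""
    hits = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        serial, args = parse_execve(line)
        cmd = join_cmd(args)
        if LISTENER_RE.search(cmd):
            hits.append((serial, cmd))
    return hits


if __name__ == "__main__":
    for serial, cmd in find_listeners(SAMPLE_EXECVE):
        print(serial, cmd)
```

Record 4711 is the tweet's case: no single a<N> slot contains "-l" and "-p" together, so per-slot matching misses it, while the joined string matches. Record 4713 is the inverse trap: the whole command line sits inside one hex-encoded argument, and a rule keyed on a0 alone would see only "bash". Very long arguments that auditd splits into a<N>[0], a<N>[1] fragments are not handled here.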
Florian Roth ⚡ retweeted
YES!! The #UpdatePolicy CSP page is now updated to show which policies should be used for what and which are legacy policies we don't recommend! Check out the changes! (#ThankYou to those who have been providing feedback / making requests on docs! 🙃) learn.microsoft.com/en-us/wi…
Florian Roth ⚡ retweeted
#BREAKING On January 25th #ESETResearch discovered a new cyberattack in 🇺🇦 Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in the Go programming language. We attribute this attack to #Sandworm. 1/3
😐 reminds me of DEVICE=C:\Windows\himem.sys
If you know what this is: SET BLASTER=A220 I7 D1 H5 T6 ... it might be a good time to start taking daily supplements and consider a check-up at the doctor.
Florian Roth ⚡ retweeted
Microsoft Defender for Office, Horror Story. A thread. (1/5) On Wednesday at 6:00 PM CST, Customer’s primary domain name is suddenly marked as a phishing URL by MDO. Outbound emails are blocked because the email signature has their URL… it gets worse…