Backdoors aren't very interesting. Anyone can write a backdoor to run as root/admin on any OS. How they get installed is much more interesting. If you use SELinux or fapolicyd then this backdoor (or any other) can't run.

Thanks Craig.

A question regarding how sandfly works. Are all the individual modules (the sandflies) that are ran on the target system, individual binaries? because, if so, they have to be transferred and executed on the target system. Are they just placed in the tmp dir and then executed and send the results back over SSH via JSON? I am curious. Otherwise, seems like a very interesting product.

With lynis or emba I can detect misconfiguration perfectly

Wow! You're obviously excellent at what you do and I like the way you explain this issue. Though I am not in the security field I understood everything you said. Kudos!

this channel should have so many more subs you guys make great vids i need to try your products i havent yet

Very well explained, any Linux admin could detect this backdoor after the video. Much appreciated

Nice ... but you still need an exploit from which you can run root commands or escalate to root to replace the shell in the shadow passwd file (chsh) and change the non password to something legible (passwd). Do you have alerts of possible RCE's on vulnerable systems ... do you do continuous nessus like or nmap/NSE or ... other types of vulnerability scanning ? Anyway ... quite interesting product for an enterprise with a Linux environment.

Awesome! Is the $1$ the same for every md5 password?

So glad the algorithm suggested this video, awesome!

Forgot how useful peekfd is!

You only hear the noisy, the low and slow go undetected for years. If our power goes out so will theirs. They should have had a dedicated jumpbox for the aquarium guys. The security team for the company can get into any box .....if they get the ok. We should force hardware keys everywhere.

Thanks. So this scans but doesn't protect or clean/stop any future attack?

eh, I wrote a stealth malware called gorgon, absolutely no impact on the system, no slowing down, no bugging the system, nothing, mainly due to some design elements I came up with, it's also compatible with pretty much every kernel version since 2.something point is, if someone is skilled enough, and puts the time and effort into a rootkit, they can design something truly invisible

I feel like hashes could still be useful, but not the way presented here, not to detect malware, but to guarantee integrity of known good software. Hash all the known binaries and libraries on the system, record sizes and then monitor changes. There are some files of course that need to be blacklisted from this such as log files and some runtime files, tempfiles so it's not perfect, but it's additional thing to bundle with other security. Take hashes before backup, bundle them with the backup and then take hashes immediately after the backup to make sure nothing went wrong while at it. Check hashes again immediately after updates and record changes. Monitor file integrity over time actively and report changes into whatever monitoring system is being used. This is basically what people did with open source version of Tripwire early 2000's. Hash everything and record hashes on floppy disk which is then removed until next checkup. Also I did something similar with CFEngine some 10-15 years ago, though I only monitored integrity of some files, not all files so that kinda defeats the point, but at least I'd know if important configs or content of directories changed for reason or another.

Who the fuck uses sha1 in 2024 😂

??? The legitimate software provider should provide the check hash. Then you changed the original code so it hashes differently. That's expected behaviour, and is what you look for to check whether or not the OG program has been compromised. What am I missing?

Pretty fire channel!

That's a great demo and very powerful tool for host IR. I was wondering how / whether this product is suitable for cloud native deployments. For example, running it on a Kubernetes node will be much harder because capturing a profile or well known good behavior of such ephemeral containerised workloads running on a given node is probably much harder.

Promo`SM 👀

Best video I’ve seen on BPFDoor. Please take my money for a Linux forensics course!

this is cool, it's like something I did years ago. Nice.

How do you deal with hosts that have been in prod for some time and have deviated from a master image, such that, prod changes are now "drifted"?

How can we ensure the security of the SSH secrets on a cloud based panel hosted offsite/in-cloud? Is there an option to self-host, is this open source code for auditing?

How can this be done without an agent?

This was exceptionally good, especially the sniffer detection tips.

Your screen is very difficult to read.

Thank you very much, very very instructive.

Great video, thanks for taking the time to record and share it.

www.fbi.gov/wanted/cyber/apt-41-group

Great video!! This is gold!! Thank you.

if the user has a virustotal API key, could they feed it to sandfly to automate the hash lookups?

Sounds Cool UI, I have been using ansible to do the same stuff on cli. Would love to see more features !

Useful information here !!!

Very cool. Thanks for sharing.

Great video! I do wish you paused a little for some of the commands towards the end so I could get a good look at them.

That's a very interesting tool you got there, the main issue I have with it is www.sandflysecurity.com/pricing/ You should really put a price where your mouth is. A basic price with * can really help consumers choose the product. I love the idea though: Now that I've looked at the website and videos, and got time to think about, this is more of a passive protection, you are basically digging through logs and looking at anomalies, meaning that once you detect an intrusion you'll flag it (with very impressive amount of details saving loads of hours of looking at logs). Yet at the end of the day the system is already compromised, if this even happened 1 minutes or 30 days ago is kinda irrelevant, that system should be taken offline and preferably wiped. It's still a very ingenious solution, I like the fact that you basically just use ssh to get a foot hold into any ssh capable system and passively look at what's going on that's clever! I think this could be done with a anti malware/anti virus using ssh/sshfs and capping the scan speed by either limiting the affinity of the AV/AM possess or limiting the bandwidth and also focusing on "vulnerable" locations. it would still work as a "passive" protection, but more automated. I still like the idea, and I'm very impressed with the data being very accessible, the real issue is no visible price points... I could be saving $50k per cluster or be looking at a $50k bill for what amounts to a $20 job because you're billing structure isn't obvious. Maybe I'm totally misunderstanding the technology, so correct me if I'm wrong, but when I hear when you say "agentless" and "ssh", "key", "we see root here that's normal (video id: lQizoBHmF6Q time 7:54)" implies that you allow Sandfly to login via ssh as root but only with a ssh key, so that you can then use that software to scan the system using logs and commands like "lsof -i -P -n | grep LISTEN" So basically Sandfly get's a shell into any system and collects the data, but doesn't actually do anything with it. (implementing AV with ssh root access would help here) Still I'm impressed with the data it's showing, most data/graph servers tend to just show kinda usless things like "cpu temp" "network speed"... cpu and network are the kind of stuff that we take care off before the host is online it should already be capable of not over heating or max out the network. Now who launched not.a.virus.jpg as neo.matrix.bat... that's the kind of stuff I'm looking for! Looking at logs where it spams me 1000 lines of "dhcp default renewed ip to 127.0.0.1" per 1 "btw neo tried to login" is very useful. because some times you can't just grep "who dun did it"

This was awesome. As a new Linux user, I'll be sure to save this video for reference.

Hey Craig, outstanding videos. I've learned so much regarding Linux forensics! Please keep the videos coming!

I'm a computer nerd thinking about switching careers to cyber security... Growing hemp has lots of down time so im going to study up. this channel is going to be my new college, thanks for uploading this stuff; not many will watch this but a few people like me will really appreciate it.

Can you show us the books you've read or are reading on that bookcase behind you?

Can you suggest a good Antivirus product?

Curious. Where can I read your paper?

What language did you write the stealth scan prog.......python?